Protected Health Information (PHI) Under HIPAA: What It Is—and What It Isn’t
Definition of Protected Health Information
Protected Health Information (PHI) is individually identifiable health information that relates to a person’s past, present, or future health or healthcare, or payment for care. It must be created, received, maintained, or transmitted by a covered entity or its business associate in any form—electronic, paper, or oral.
To count as PHI, information must both identify (or reasonably be used to identify) an individual and tie that individual to a health status, service, or bill. This standard is at the core of health information privacy under the HIPAA Privacy Rule.
What makes information PHI
- It is individually identifiable health information (IIHI).
- It concerns health condition, care provided, or payment for care.
- It is held or transmitted by a covered entity or business associate.
The 18 HIPAA identifiers commonly linked to PHI
- Names
- Geographic subdivisions smaller than a state (street address, city, and ZIP code; only the first three ZIP digits may be retained, and only under the Safe Harbor three‑digit ZIP rule)
- All elements of dates (except year) related to an individual (e.g., birth, admission, discharge, death)
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and license plates
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers (e.g., fingerprints, voiceprints)
- Full-face photographs and comparable images
- Any other unique identifying number, characteristic, or code
HIPAA Privacy Rule Overview
The HIPAA Privacy Rule sets national standards for how PHI may be used and disclosed, balancing health information privacy with the flow of information needed for high-quality care. It also grants patients key rights over their PHI and requires HIPAA compliance programs across covered entities and business associates.
Permitted uses and disclosures (TPO)
Without patient authorization, PHI may be used or disclosed for treatment, payment, and healthcare operations (TPO). Additional permitted disclosures include certain public health, law enforcement, and oversight activities, as allowed by the rule.
Minimum necessary standard
Outside of treatment and a few specific exceptions, covered entities and business associates must limit uses, disclosures, and requests to the minimum PHI necessary to accomplish the purpose.
Authorizations and special cases
Uses or disclosures beyond permitted purposes require a valid, written patient authorization. Marketing, most research without a waiver, and sale of PHI generally need explicit authorization with clear terms.
Covered Entities and Business Associates
Covered entities include health plans, healthcare clearinghouses, and healthcare providers that conduct standard electronic transactions. Business associates are persons or organizations that handle PHI on behalf of a covered entity or perform services involving PHI.
Covered entities
- Healthcare providers who bill electronically for services
- Health plans (e.g., group health plans, insurers)
- Healthcare clearinghouses that process nonstandard health data
Business associates
- Vendors supporting billing, claims, analytics, or EHR hosting
- Cloud and data storage providers handling ePHI
- Consultants, transcription, and telehealth platforms acting for a covered entity
Business Associate Agreements (BAAs)
Covered entities must execute BAAs with business associates. BAAs set permissible PHI uses, require safeguards, mandate breach reporting, and flow down obligations to subcontractors who access PHI.
Forms and Examples of PHI
PHI appears in many formats. Electronic PHI (ePHI) includes data in EHRs, patient portals, e-prescribing systems, and mobile devices. Paper PHI spans charts, referral letters, and mailed statements. Oral PHI arises in consultations, handoffs, and call recordings.
Concrete examples
- An appointment reminder email that includes a patient’s name and the clinic’s specialty
- Lab results tied to a medical record number
- Insurance claims with diagnosis codes and subscriber IDs
- Device serial numbers linked to an individual’s implant record
- IP addresses or portal logs that identify a patient accessing their record
- Discharge summaries, imaging, or prescriptions containing identifiers
Context matters: an identifier combined with health details—or held by a covered entity in the course of care—usually makes the information PHI.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Exclusions from PHI Classification
- De-identified data: information stripped of identifiers under Safe Harbor or certified via Expert Determination so the individual is not identifiable
- Education records covered by FERPA and treatment records of students maintained by educational institutions
- Employment records held by a covered entity in its role as employer (e.g., workplace injury logs for HR use)
- Information about individuals deceased for more than 50 years
- Consumer health information not created or received by a covered entity or business associate (e.g., data in a personal wellness app operating independently of healthcare providers)
Note: A HIPAA limited data set removes certain identifiers but remains PHI and is shared only under a Data Use Agreement.
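The Safe Harbor exclusion above can be checked mechanically. The following is an added example, not code from the article or from Accountable: it applies the article's identifier list to a constructed patient record, dropping direct identifiers and sub‑state location fields, reducing dates to the year, and truncating the ZIP code to three digits. The field names and the RESTRICTED_ZIP3 set are assumptions (the real restricted prefixes come from census population data).

```python
import re
from datetime import date

# Direct identifiers from the article's list: removed outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "plan_id", "account",
    "license", "vehicle", "device_serial", "url", "ip", "biometric", "photo",
}
# Geographic fields below state level: also removed.
LOCATION_FIELDS = {"street", "city"}
# Date fields reduced to year only (all other date elements are identifiers).
DATE_FIELDS = {"dob", "admitted", "discharged", "death"}
# Placeholder (assumption): ZIP3 prefixes too sparsely populated to keep;
# the real set is derived from census data and maintained by the data steward.
RESTRICTED_ZIP3 = frozenset({"036", "059", "102"})

def generalize_zip(zip_code):
    """Keep the first three ZIP digits; replace with 000 if the prefix is restricted."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5:
        return None
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3

def deidentify(record):
    """Return a copy of record with Safe Harbor identifiers removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or key in LOCATION_FIELDS:
            continue
        if key in DATE_FIELDS and isinstance(value, date):
            out[key] = str(value.year)
        elif key == "zip":
            out["zip3"] = generalize_zip(value)
        else:
            out[key] = value
    return out

# Constructed sample record (not real data).
SAMPLE = {
    "name": "Jane Example", "mrn": "MRN-000123", "dob": date(1970, 5, 17),
    "admitted": date(2023, 11, 2), "street": "1 Main St", "city": "Anytown",
    "state": "NY", "zip": "10200-1234", "diagnosis_code": "E11.9",
    "ip": "198.51.100.7",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE))
```

The output keeps only the year, state, three‑digit ZIP (zeroed here because the constructed prefix is in the restricted set) and the diagnosis code; free‑text fields would still need separate review, since they can carry any of the identifiers above.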
Patient Rights and PHI Disclosure
HIPAA gives you clear rights over your PHI and sets guardrails for PHI disclosure. Covered entities must support these rights and document their processes in a Notice of Privacy Practices.
Your HIPAA rights
- Access: obtain, inspect, or receive a copy of your PHI within 30 days (with a possible 30‑day extension); reasonable, cost‑based copy fees only
- Amendment: request corrections to your record; denials must be explained, and you may add a statement of disagreement
- Restrictions: ask to limit certain disclosures; providers must honor a restriction on disclosures to a health plan when you pay in full out of pocket for an item or service
- Confidential communications: request alternative means or locations for communications
- Accounting of disclosures: receive a list of certain non‑TPO disclosures for the prior six years
- Notice and complaints: receive a Notice of Privacy Practices and file complaints without retaliation
When PHI may be disclosed without authorization
- Treatment, payment, and healthcare operations
- Public health reporting, health oversight, and as required by law
- To avert a serious threat to health or safety, consistent with law and standards of ethics
- For judicial and law enforcement purposes under defined conditions
- With your opportunity to agree or object for facility directories and involvement of family or friends in care
Compliance and Security Requirements
HIPAA compliance requires documented policies, workforce training, risk-based safeguards, and vigilant oversight. The Security Rule focuses on ePHI, while the Privacy Rule governs all PHI and the Breach Notification Rule sets incident response duties.
Administrative safeguards
- Enterprise-wide risk analysis and ongoing risk management
- Assigned security responsibility and workforce training
- Contingency plans (backup, disaster recovery, emergency operations)
- Sanction policies, vendor management, and BAAs
Physical safeguards
- Facility access controls and device/media controls
- Workstation security and secure disposal of PHI
Technical safeguards
- Access controls (unique IDs, emergency access, automatic logoff)
- Audit controls and activity monitoring
- Integrity protections and transmission security (e.g., encryption in transit and at rest as appropriate)
Breach Notification Rule
- Conduct a risk assessment for any impermissible use or disclosure of unsecured PHI
- Notify affected individuals without unreasonable delay and no later than 60 days after discovery
- Report to HHS, and to prominent media when a breach affects 500+ residents of a state or jurisdiction
- Maintain logs of smaller breaches and document all decisions
Ongoing governance
- Apply the minimum necessary standard to routine processes
- Review and update policies, BAAs, and risk analyses regularly
- Retain required HIPAA documentation for at least six years
Key takeaways
PHI is identifiable health information held by covered entities or business associates. The HIPAA Privacy Rule governs PHI disclosure, while the Security Rule and Breach Notification Rule drive safeguards and incident response. Building strong, risk‑based controls and honoring patient rights are the core of HIPAA compliance.
FAQs
What types of information qualify as PHI under HIPAA?
PHI is individually identifiable health information linked to a person’s health, care, or payment and held or transmitted by a covered entity or business associate. If an identifier (like name, full-face photo, medical record number, or IP address) can reasonably identify the person and the content relates to health or billing, it is PHI.
Who are considered covered entities under HIPAA?
Covered entities are healthcare providers that conduct standard electronic transactions, health plans, and healthcare clearinghouses. Vendors or partners that handle PHI for them are business associates and must sign Business Associate Agreements.
How does HIPAA protect PHI?
The HIPAA Privacy Rule limits PHI disclosure, grants patient rights, and requires the minimum necessary use. The Security Rule mandates administrative, physical, and technical safeguards for ePHI, and the Breach Notification Rule compels timely notice after certain incidents—all forming a comprehensive HIPAA compliance framework.
What information is excluded from PHI under HIPAA?
De-identified data, education records under FERPA, employment records held by an employer, information about individuals deceased for more than 50 years, and consumer health data not created or received by a covered entity or its business associate are not PHI. Limited data sets remove direct identifiers but still count as PHI and require a Data Use Agreement.