Protected Health Information Under HIPAA: Definitions, Identifiers, and Examples
Definition of Protected Health Information
What PHI means
Protected Health Information (PHI) is individually identifiable health information that a HIPAA covered entity or its business associate creates, receives, maintains, or transmits, in any form—electronic, paper, or oral. It relates to an individual’s past, present, or future physical or mental health or condition, the provision of healthcare, or payment for healthcare. If a person can be identified directly, or there is a reasonable basis to believe identification is possible, the data is Individually Identifiable Health Information and, when held by covered entities or business associates, it is PHI.
Who must comply
Covered entities include health plans, healthcare clearinghouses, and healthcare providers that conduct standard electronic transactions. Business associates are service providers that handle PHI for covered entities. PHI in electronic form is often called ePHI, but the same HIPAA rules apply regardless of medium.
Exclusions from Protected Health Information
FERPA education and treatment records
Education records and student treatment records that are protected by the Family Educational Rights and Privacy Act are excluded from HIPAA. These records follow FERPA’s privacy framework rather than HIPAA, even when they contain health information.
Covered entity employment records
Covered Entity Employment Records are not PHI when a covered entity maintains them in its role as an employer (for example, HR files, pre-employment physicals used solely for employment decisions). If the same individual is also a patient and information is stored in a patient medical record, that copy remains PHI.
De-identified and aggregate data
Health data that meet HIPAA’s De-identification Standards—so that there is no reasonable basis to identify an individual—are not PHI. Aggregate statistics that reveal no individual identities likewise fall outside PHI.
Information about decedents after 50 years
Individually identifiable health information about a person who has been deceased for more than 50 years is not PHI under HIPAA.
Information outside HIPAA’s scope
Health information collected or held solely by organizations that are neither covered entities nor business associates (for example, many consumer health apps) is not PHI under HIPAA, though other privacy laws or state rules may still apply.
The 18 HIPAA Identifiers
The Safe Harbor method of de-identification requires removing the following direct identifiers of the individual and of relatives, employers, or household members. These are commonly referred to as the HIPAA 18 Identifiers:
- Names.
- All geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code, and equivalent codes), except the initial three digits of a ZIP code when the area formed by all ZIP codes sharing those three digits contains more than 20,000 people; otherwise the three digits are changed to 000.
- All elements of dates (except year) directly related to an individual, including birth, admission, discharge, and death dates; ages over 89 and any elements indicating such ages must be aggregated into a single category of age 90 or older.
- Telephone numbers.
- Fax numbers.
- Email addresses.
- Social Security numbers.
- Medical record numbers.
- Health plan beneficiary numbers.
- Account numbers.
- Certificate and license numbers.
- Vehicle identifiers and serial numbers, including license plate numbers.
- Device identifiers and serial numbers.
- Web URLs.
- IP addresses.
- Biometric identifiers, including finger and voice prints.
- Full-face photographic images and any comparable images.
- Any other unique identifying number, characteristic, or code (except a code permitted for re-identification that is not derived from information about the individual).
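The following Python script is an added example, not code from the page or its publisher, showing how the Safe Harbor rules in the list above apply to one structured record: direct-identifier fields are dropped, dates keep only the year, ZIP codes are cut to three digits (or 000 for small-population areas), and ages of 90 or more collapse into a single category. The field names, the small-population ZIP3 set, and the sample record are assumptions constructed for this example.

```python
"""Safe Harbor transformation of one structured patient record.

Added example, not code from the page or its publisher. Field names,
the small-population ZIP3 set and the sample record are constructed.
"""
from datetime import date
import re

# Fields treated as direct identifiers (assumed schema for this example).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "beneficiary_id", "account_number", "license_number",
    "vehicle_plate", "device_serial", "url", "ip_address",
    "biometric_ref", "photo_ref",
}

# Date fields and the year-only field each one becomes (assumed schema).
DATE_FIELDS = {
    "dob": "birth_year",
    "admission_date": "admission_year",
    "discharge_date": "discharge_year",
    "death_date": "death_year",
}

# ZIP3 prefixes whose combined population is 20,000 or fewer. A real
# deployment derives this set from census data; these entries are constructed.
SMALL_POPULATION_ZIP3 = {"036", "059", "102"}


def safe_harbor_zip(zip_code: str) -> str:
    """Keep the first three ZIP digits only for areas above 20,000 people."""
    zip3 = zip_code.strip()[:3]
    if not re.fullmatch(r"\d{3}", zip3) or zip3 in SMALL_POPULATION_ZIP3:
        return "000"
    return zip3


def age_in_years(dob: date, reference: date) -> int:
    """Completed years between dob and the reference date."""
    years = reference.year - dob.year
    if (reference.month, reference.day) < (dob.month, dob.day):
        years -= 1
    return years


def safe_harbor_age(age: int) -> str:
    """Ages over 89 collapse into the single category '90+'."""
    return "90+" if age >= 90 else str(age)


def deidentify(record: dict, reference: date) -> dict:
    """Return a Safe Harbor view of `record`; `reference` fixes the age."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                          # direct identifier: removed
        if key == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif key in DATE_FIELDS:
            out[DATE_FIELDS[key]] = value.year   # only the year survives
        else:
            out[key] = value                  # clinical content, state, etc.
    if "dob" in record:
        age = age_in_years(record["dob"], reference)
        out["age"] = safe_harbor_age(age)
        if age >= 90:
            # A birth year would itself indicate an age over 89, so drop it.
            out.pop("birth_year", None)
    return out


# Constructed, fictional sample record.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "mrn": "MRN-000123",
    "ssn": "000-00-0000",
    "email": "jane@example.invalid",
    "street_address": "1 Example Way",
    "city": "Springfield",
    "state": "MA",
    "zip": "01101",
    "dob": date(1931, 5, 2),
    "admission_date": date(2023, 3, 14),
    "discharge_date": date(2023, 3, 18),
    "diagnosis": "type 2 diabetes mellitus",
    "a1c_percent": 7.4,
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, date(2024, 1, 15)))
```

The sample patient is 92 at the reference date, so the output carries `age: "90+"` and no birth year at all, while the state, the three-digit ZIP prefix, the admission and discharge years, and the clinical content remain. Free-text fields are passed through untouched here; a separate check of notes, metadata, and logs is still required before a dataset is treated as de-identified.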
Examples of Protected Health Information
PHI arises when health-related content is linked to one or more identifiers that can identify a person. Below are common, practical examples you may encounter in operations and Health Information Privacy Compliance programs:
- An electronic health record note describing a diagnosis, stored with a medical record number and date of service.
- A claim form or explanation of benefits listing CPT codes alongside a health plan beneficiary number and address.
- Laboratory results (values, interpretations) paired with a patient’s name and date of birth.
- Prescription records that include patient name, prescription number, and dispensing dates.
- Appointment schedules showing patient names, phone numbers, and visit reasons.
- Radiology images with embedded DICOM metadata containing patient identifiers, or full-face photographs used for clinical documentation.
- Care management spreadsheets that combine conditions, utilization data, and account numbers.
- Patient portal messages discussing symptoms and treatments associated with an email address or other contact information.
- Wearable device data integrated into a provider’s system and tied to identifiable patient accounts.
- Audio recordings maintained for care delivery that include names or other identifiers, and biometric identifiers such as voice prints used for patient verification.
Clarifying non-examples
A dataset from which all 18 identifiers have been removed under Safe Harbor and for which there is no actual knowledge of re-identification risk is not PHI. Similarly, a Limited Data Set may be used for specific purposes under a data use agreement, but it remains PHI because some indirect elements (for example, dates and city/ZIP) are retained.
De-identified Health Information
Two pathways to de-identification
HIPAA recognizes two De-identification Standards. Under Expert Determination, a qualified expert applies accepted statistical or scientific principles and documents that the risk of re-identification is very small. Under Safe Harbor, you remove the HIPAA 18 Identifiers of the individual and of relatives, employers, or household members, and you have no actual knowledge that the remaining information could identify the person.
Limited Data Set versus fully de-identified data
A Limited Data Set is not fully de-identified. It excludes direct identifiers but may include dates and certain geographic elements (such as city, state, and ZIP). Use is limited to research, public health, or healthcare operations and requires a data use agreement. Because it can still identify individuals indirectly, a Limited Data Set is still PHI.
Re-identification codes
A covered entity or business associate may assign a code to de-identified records to permit re-identification, provided the code is not derived from or related to information about the individual and the key is kept separate and secure.
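The Python below is an added example, not the page's or any vendor's code, illustrating the two properties just stated: the re-identification code is drawn from a cryptographically secure random source, so it is not derived from or related to anything about the individual (a hash of the medical record number would not qualify), and the table that maps codes back to source identifiers lives in a separate object standing in for a separately secured key store. Class and field names and the sample rows are assumptions constructed for this example.

```python
"""Random re-identification codes with a separately held key.

Added example, not code from the page. Names and sample values are constructed.
"""
import secrets
from typing import Optional


class ReidentificationKey:
    """Separately held mapping from random code to source identifier."""

    def __init__(self) -> None:
        self._code_to_source = {}

    def issue_code(self, source_id: str) -> str:
        """Mint a fresh random code for `source_id`, independent of its value."""
        while True:
            code = secrets.token_hex(8)   # 64 random bits; not a hash of source_id
            if code not in self._code_to_source:
                self._code_to_source[code] = source_id
                return code

    def resolve(self, code: str) -> Optional[str]:
        """Map a code back to its source; only the key holder can do this."""
        return self._code_to_source.get(code)

    def __len__(self) -> int:
        return len(self._code_to_source)


def release_with_codes(records, key: ReidentificationKey) -> list:
    """Attach a code to each de-identified record; the source id never leaves.

    `records` is an iterable of (source_id, deidentified_dict) pairs.
    """
    released = []
    for source_id, rec in records:
        out = dict(rec)
        out["reid_code"] = key.issue_code(source_id)
        released.append(out)
    return released


# Constructed sample: source MRNs paired with already de-identified content.
SAMPLE_INPUT = [
    ("MRN-000123", {"birth_year": 1980, "zip3": "011", "diagnosis": "asthma"}),
    ("MRN-000456", {"birth_year": 1975, "zip3": "000", "diagnosis": "hypertension"}),
]

if __name__ == "__main__":
    key = ReidentificationKey()
    for row in release_with_codes(SAMPLE_INPUT, key):
        print(row)
    print("codes held in key store:", len(key))
```

Only the released rows, carrying the random code, leave the covered entity; the `ReidentificationKey` instance stays behind under its own access controls.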
Operational tips for compliance
- Define clear data flows to know where PHI resides and how it moves between covered entities and business associates.
- Apply the minimum necessary standard and role-based access to reduce exposure of identifiers.
- When using Safe Harbor, verify that all 18 identifiers are removed across free text, metadata, and logs; when using Expert Determination, maintain current documentation of the expert’s methodology and findings.
- Monitor downstream uses and redisclosure terms in contracts to keep de-identified data from being combined with other datasets in ways that raise re-identification risk.
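As an added example of the verification step in the third tip (not code from the page), the Python below runs a residual-identifier check over free text, metadata fields, and log lines after a Safe Harbor pass. The patterns are deliberately broad: they surface candidates for human review rather than prove that identifiers are absent. Pattern names, the field layout, and all sample inputs are assumptions constructed for this example.

```python
"""Residual-identifier check over free text, metadata and log lines.

Added example, not code from the page. Patterns and samples are constructed.
"""
import re

# Identifier-shaped value patterns (broad on purpose; review hits by hand).
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}(?!\d)"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ip_address": re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)"),
    "url": re.compile(r"https?://\S+", re.IGNORECASE),
    "full_date": re.compile(r"(?<!\d)(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{4})(?!\d)"),
    "mrn": re.compile(r"(?<![A-Za-z])MRN[-: ]?\d+(?!\d)", re.IGNORECASE),
}


def find_identifiers(text: str) -> list:
    """Sorted list of identifier categories that appear in `text`."""
    return sorted(name for name, pat in IDENTIFIER_PATTERNS.items() if pat.search(text))


def scan_record(record: dict) -> dict:
    """Check every string-valued field (notes, metadata) of one record."""
    hits = {}
    for field, value in record.items():
        if isinstance(value, str):
            found = find_identifiers(value)
            if found:
                hits[field] = found
    return hits


# Constructed sample inputs: two lines that should be flagged, one that is clean.
SAMPLE_LINES = [
    "Pt called from (555) 123-4567, email jane@example.invalid",
    "2024-03-14 10:22:01 GET /portal/messages from 203.0.113.42",
    "Adult patient, age 47, zip3 011, admission year 2023",
]

# Constructed sample: a de-identified record whose free text and file
# metadata still carry identifiers that the structured pass never saw.
SAMPLE_RECORD = {
    "birth_year": 1980,
    "zip3": "011",
    "diagnosis": "asthma",
    "note": "Follow-up call on 3/14/2023; reach at jane@example.invalid",
    "source_file": "scan_MRN-000123.pdf",
}

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(find_identifiers(line) or "clean", "<-", line)
    print(scan_record(SAMPLE_RECORD))
```

The second sample line shows why logs deserve the same scrutiny as clinical text: a web server access log carries both a full date and an IP address, two of the listed identifiers, even though it contains no clinical content. The record scan likewise catches a full date and an email address in a note and a medical record number embedded in a file name, all of which a field-level pass would have left in place.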
Conclusion
PHI is any individually identifiable health information held by covered entities or business associates. Knowing the exclusions, the HIPAA 18 Identifiers, and the two de-identification methods allows you to design processes that protect privacy while supporting clinical care, operations, and analytics. Consistent application of these principles strengthens Health Information Privacy Compliance across your organization.
FAQs
What information is classified as protected health information under HIPAA?
PHI is Individually Identifiable Health Information related to a person’s health condition, care, or payment for care, when held or transmitted by a covered entity or business associate in any form. If the information can identify the person directly or there is a reasonable basis to believe it can, it is PHI.
What records are excluded from PHI protections?
Education and student treatment records protected by the Family Educational Rights and Privacy Act, Covered Entity Employment Records kept in the employer role, de-identified data, aggregate statistics that reveal no identities, and health information about individuals deceased for more than 50 years are excluded from PHI.
How are the 18 HIPAA identifiers defined?
They are eighteen categories of direct identifiers—such as names, detailed geographic data, full dates (except year), contact numbers, email addresses, Social Security and medical record numbers, account and license numbers, vehicle and device identifiers, URLs, IP addresses, Biometric Identifiers, full-face photos, and any other unique identifying number or code—that must be removed under the Safe Harbor de-identification method.
When is health information considered de-identified?
Information is de-identified when either a qualified expert determines and documents that the re-identification risk is very small (Expert Determination) or all HIPAA 18 Identifiers are removed and there is no actual knowledge of remaining identification risk (Safe Harbor). In either case, the result is no longer PHI under HIPAA.