Understanding PHI: Identifying Protected Health Information Under HIPAA


Kevin Henry

HIPAA

January 02, 2024

7 minutes read

Definition of Protected Health Information

Protected Health Information (PHI) is a specific subset of Individually Identifiable Health Information defined by the HIPAA Privacy Rule. It is information that relates to an individual’s past, present, or future physical or mental health or condition, the provision of health care, or payment for that care, and that either identifies the person or could reasonably be used to identify them.

PHI exists in any medium—oral, paper, or digital. When PHI is created, received, maintained, or transmitted electronically, it is Electronic Protected Health Information. PHI is regulated when handled by a Covered Entity or a Business Associate acting on that entity’s behalf.

Demographic Information such as age, gender, and address is PHI when it is linked to health-related details. The definition emphasizes identifiability: once data can no longer reasonably identify a person, it is no longer PHI.

Key Identifiers Included in PHI

HIPAA outlines specific identifiers that, when linked to health information, make data identifiable. Removing these identifiers under the “safe harbor” method is one way to de-identify data.

The 18 HIPAA identifiers (safe harbor)

  1. Names.
  2. Geographic subdivisions smaller than a state (e.g., street address, city, county, ZIP code; limited three-digit ZIP code exceptions may apply).
  3. All elements of dates (except year) directly related to an individual, and ages over 89 (aggregated as 90 or older).
  4. Telephone numbers.
  5. Fax numbers.
  6. Email addresses.
  7. Social Security numbers.
  8. Medical record numbers.
  9. Health plan beneficiary numbers.
  10. Account numbers.
  11. Certificate/license numbers.
  12. Vehicle identifiers and serial numbers, including license plates.
  13. Device identifiers and serial numbers.
  14. Web URLs.
  15. IP address numbers.
  16. Biometric identifiers (e.g., fingerprints, voiceprints).
  17. Full-face photographs and comparable images.
  18. Any other unique identifying number, characteristic, or code (with limited exceptions for re-identification codes).

Context matters: a phone number alone is not PHI, but it becomes PHI when connected to clinical notes, claims, or other health information. Likewise, Demographic Information is PHI when it can identify a person in a health context.
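As an added illustration of the safe harbor method (example code written for this page, not from the original article or from Accountable), the Python routine below removes or generalizes the identifiers listed above from a constructed patient record, including the year-only date rule, the over-89 age aggregation and the three-digit ZIP generalization. The field names, the set of retainable ZIP prefixes and the free-text patterns are assumptions chosen for the example.

```python
import re
# Constructed assumption: ZIP3 prefixes covering more than 20,000 people, hence retainable (real list: Census data).
RETAINABLE_ZIP3 = {"021", "100", "606"}
# Assumed field names for direct identifiers (safe harbor items 1, 2, 4-17); they are dropped outright.
DIRECT_IDENTIFIERS = {"name", "street", "city", "county", "phone", "fax", "email", "ssn",
                      "mrn", "beneficiary_id", "account", "license", "plate", "device_serial",
                      "url", "ip", "photo"}
DATE_FIELDS = {"dob", "admitted", "discharged"}
# Identifiers that leak into free text such as notes; illustrative patterns, not exhaustive.
FREE_TEXT_PATTERNS = [(re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
                      (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
                      (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
                      (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]")]

def generalize_zip(zip_code):
    """Item 2: keep the 3-digit prefix only when it is retainable, otherwise 000."""
    prefix = str(zip_code)[:3]
    return prefix if prefix in RETAINABLE_ZIP3 else "000"

def scrub_text(text):
    """Replace identifiers embedded in free text with placeholders."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text

def deidentify_safe_harbor(record):
    """Return a copy of record with safe-harbor identifiers removed or generalized."""
    over_89 = int(record.get("age", 0)) > 89
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key in DATE_FIELDS:
            # Item 3: keep the year only; for ages over 89 even the birth year must go.
            out[key] = None if (key == "dob" and over_89) else str(value)[:4]
        elif key == "age":
            out[key] = "90+" if over_89 else value  # item 3: aggregate ages over 89
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out

# Constructed sample record; not real patient data.
SAMPLE = {"name": "Jane Example", "street": "12 Main St", "zip": "02134", "dob": "1930-06-15",
          "age": 93, "admitted": "2023-11-02", "phone": "617-555-0100", "mrn": "MRN-000123",
          "ip": "203.0.113.7", "diagnosis": "E11.9",
          "notes": "Spouse reachable at 617-555-0199 or jane@example.org; follow-up 2023-11-30."}
```

Pattern-based scrubbing of narrative text only catches well-formed values; names, addresses and other item 18 identifiers written into notes still need review, which is one reason expert determination exists as the alternative route to de-identification.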

Covered Entities and Business Associates

A Covered Entity is a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in standard transactions. These organizations create or receive PHI and must comply with HIPAA rules.

A Business Associate is any person or organization that performs services for or on behalf of a Covered Entity involving PHI—examples include billing companies, EHR and cloud vendors, analytics firms, and certain consultants. Business Associates, and their downstream subcontractors, must sign Business Associate Agreements and implement safeguards equivalent to those of the Covered Entity.

Both parties are directly accountable for compliance, breach reporting, and limiting use and disclosure to the minimum necessary under the HIPAA Privacy Rule.

Types of Information Protected

PHI spans a wide array of records and formats. If the content is health-related and identifiable, it is likely protected.

  • Clinical records: diagnoses, medications, lab results, imaging, treatment plans, and care coordination notes.
  • Payment and claims data: invoices, explanations of benefits, authorization requests, and billing histories.
  • Administrative and Demographic Information: addresses, contact details, policy numbers, and scheduling data when linked to care.
  • Media and biometrics: photos, video, audio recordings, and biometric identifiers tied to care.
  • Electronic Protected Health Information: ePHI stored in EHRs, mobile apps, patient portals, backups, email, and connected devices.

Even metadata or system logs can constitute PHI if they contain identifiers associated with health services or payment.

Exclusions to PHI Under HIPAA

Some information falls outside HIPAA’s definition of PHI and is therefore not regulated as such.

  • De-identified data: information stripped of identifiers via the safe harbor method or certified through expert determination so it cannot reasonably identify an individual.
  • Family Educational Rights and Privacy Act (FERPA) exclusions: education records and certain student treatment records governed by FERPA, not HIPAA.
  • Employment records held by a Covered Entity in its role as employer (e.g., FMLA paperwork in HR files), even if they include health information.
  • Information about individuals deceased for more than 50 years.
  • Aggregated or statistical data that cannot identify an individual.

Note: a “limited data set” excludes many direct identifiers but remains PHI; it may be shared for research, public health, or health care operations under a data use agreement.

Compliance Requirements for PHI Handling

Compliance integrates privacy governance, security controls, and breach response. The HIPAA Privacy Rule sets the “who, when, and why” of using and disclosing PHI, while the Security Rule defines safeguards for Electronic Protected Health Information.

Privacy Rule essentials

  • Use and disclosure: permitted activities include treatment, payment, and health care operations; other uses generally require authorization.
  • Minimum necessary: limit PHI access and disclosure to what is needed to accomplish the task.
  • Individual rights: provide access, amendments, and an accounting of certain disclosures; issue a clear Notice of Privacy Practices.
  • Governance: designate a privacy official, develop policies, and train the workforce.

Security Rule safeguards for ePHI

  • Administrative: risk analysis and risk management, workforce training, contingency planning, and vendor oversight.
  • Physical: facility access controls, device/media controls, secure disposal, and workstation security.
  • Technical: unique user IDs, role-based access, encryption (at rest and in transit), audit logs, integrity controls, and automatic logoff.

Breach notification at a glance

  • Evaluate incidents to determine if unsecured PHI was compromised; document risk assessments.
  • Notify affected individuals without unreasonable delay and no later than 60 days after discovery.
  • Report to regulators and, for breaches affecting 500 or more individuals in a state or jurisdiction, to prominent media outlets as required.
  • Implement corrective actions and monitor for recurrence.

Risks and Penalties for PHI Violations

Common risks include misdirected emails or faxes, lost or stolen devices without encryption, overbroad access, improper disposal, and phishing or ransomware incidents that expose Electronic Protected Health Information.

Consequences range from corrective action plans and mandatory monitoring to civil monetary penalties assessed per violation, with tiered levels based on culpability and annual caps. Criminal penalties may apply for knowingly obtaining or disclosing PHI, with heightened penalties for false pretenses or intent for financial gain.

Additional exposure can arise from state attorneys general, contractual damages, and reputational harm. Strong governance, defensible risk analysis, encryption, and strict access controls materially reduce both breach likelihood and penalty severity.

Conclusion

Understanding PHI under the HIPAA Privacy Rule centers on identifiability and context: when health information can identify a person and is handled by a Covered Entity or Business Associate, it is protected. By recognizing key identifiers, honoring exclusions, and implementing robust privacy and security safeguards for Electronic Protected Health Information, you can meet legal obligations and maintain patient trust.

FAQs

What information qualifies as PHI under HIPAA?

PHI is Individually Identifiable Health Information related to a person’s health, care, or payment that identifies them or could reasonably do so. It includes clinical notes, billing details, and Demographic Information when linked to health data, in any medium—oral, paper, or electronic.

How does HIPAA define individually identifiable health information?

It is information about health status, care provided, or payment that includes identifiers or could reasonably identify the individual. Identifiers include names, contact details, dates (other than year), account numbers, images, biometrics, and other unique characteristics.

Are employment records considered PHI?

No. Employment records held by a Covered Entity in its role as employer are excluded from HIPAA’s definition of PHI, even if they contain health information. The same information in a patient’s clinical chart, however, is PHI.

What are the penalties for mishandling PHI?

Penalties vary by severity and intent. Civil monetary penalties are assessed per violation with tiered ranges and annual caps, and can include corrective action plans and oversight. Criminal penalties apply for knowing misuse, with higher penalties for false pretenses or actions for financial gain.
