Understanding PHI in HIPAA: Definitions and Protections


Kevin Henry

HIPAA

January 15, 2024

6 minutes read

Definition of PHI

Protected health information (PHI) is Individually Identifiable Health Information created, received, maintained, or transmitted by a Covered Entity or its Business Associate, in any form or medium. It relates to an individual’s past, present, or future physical or mental health, the provision of health care, or payment for that care.

Under the HIPAA Privacy Rule, PHI exists only when the information is linked to a specific person (or could reasonably identify one) and is handled by a regulated organization. A Covered Entity is a health plan, health care clearinghouse, or health care provider that conducts standard electronic transactions. A Business Associate is a service provider that performs functions for a Covered Entity involving PHI.

“Individually Identifiable Health Information” (IIHI) is the raw concept; it becomes PHI when it is held or transmitted by a Covered Entity or Business Associate. De-identified data is not PHI.

Forms of PHI

PHI can exist in any format. The HIPAA Security Rule uses the term electronic PHI (ePHI) for digital forms, while the Privacy Rule covers paper and oral forms as well.

  • Electronic: EHR data, patient portals, billing systems, emails, texts, images, device telemetry, backups, and metadata.
  • Paper: charts, prescriptions, referral letters, authorization forms, invoices, and claims attachments.
  • Oral: consultations, handoffs, voicemails, and recorded calls containing identifiable health details.
  • Media and images: full-face photographs, radiology images, audio/video files when linked to an identifiable person.

Exclusions from PHI

  • De-identified information meeting HIPAA standards (no reasonable basis to identify a person).
  • Education records and student treatment records protected by FERPA.
  • Employment records held by a Covered Entity in its role as employer (for example, pre-employment physicals stored in HR files).
  • Health information about a person deceased for more than 50 years.
  • Health-related data held solely by entities that are neither Covered Entities nor Business Associates (for example, certain consumer apps), unless they handle the data on behalf of a Covered Entity.

A limited data set (LDS) is not an exclusion; it remains PHI but may be shared for research, public health, or health care operations under a data use agreement.


18 Identifiers of PHI

Under the HIPAA “Safe Harbor” method of de-identification, all the following must be removed, and the holder must have no actual knowledge that remaining data could identify an individual:

  1. Names.
  2. Geographic subdivisions smaller than a state, including street address, city, county, precinct, and ZIP code (with limited three‑digit ZIP exceptions).
  3. All elements of dates (except year) for dates directly related to an individual, including birth, admission, discharge, death; and all ages over 89 and related elements, except when grouped as 90 or older.
  4. Telephone numbers.
  5. Fax numbers.
  6. Email addresses.
  7. Social Security numbers.
  8. Medical record numbers.
  9. Health plan beneficiary numbers.
  10. Account numbers.
  11. Certificate/license numbers.
  12. Vehicle identifiers and serial numbers, including license plates.
  13. Device identifiers and serial numbers.
  14. Web URLs.
  15. IP address numbers.
  16. Biometric identifiers (for example, finger and voice prints).
  17. Full-face photographs and comparable images.
  18. Any other unique identifying number, characteristic, or code (except permitted re-identification codes).

Protections under HIPAA

HIPAA Privacy Rule

The Privacy Rule governs when PHI may be used or disclosed, applies the “minimum necessary” standard, and grants individuals rights to access, obtain copies, request amendments, receive an accounting of disclosures, request restrictions, and ask for confidential communications through alternative means or locations.

HIPAA Security Rule

The Security Rule applies to ePHI and requires risk-based safeguards across three categories: Administrative Safeguards, Physical Safeguards, and Technical Safeguards. Covered Entities and Business Associates must document policies, train their workforce, and manage vendors accordingly.

Administrative Safeguards

  • Risk analysis and risk management, assigned security responsibility, workforce training and sanctions.
  • Contingency planning, incident response, and evaluation of security posture.
  • Business Associate agreements to govern PHI handling by vendors and subcontractors.

Physical Safeguards

  • Facility access controls and visitor management.
  • Workstation use and security, including screen privacy and session timeouts.
  • Device and media controls for encryption, disposal, re-use, and transport.

Technical Safeguards

  • Access controls (unique user IDs, multi-factor authentication, emergency access procedures).
  • Audit controls and activity logs to monitor access and use.
  • Integrity controls and transmission security (encryption in transit and at rest, where appropriate).

Breach Notification and Accountability

Covered Entities and Business Associates must investigate security incidents, assess compromise risk, and provide breach notifications to affected individuals (and to regulators and, when applicable, the media). Documentation and timely remediation are required.

De-Identification of PHI

Two recognized methods

  • Safe Harbor: remove the 18 identifiers and have no actual knowledge of identifiability.
  • Expert Determination: a qualified expert applies statistical and scientific principles to conclude the re-identification risk is very small and documents the methods and results.

Limited data set (still PHI)

An LDS may include city, state, ZIP code, and dates but excludes direct identifiers like names and SSNs. It can be used or disclosed for research, public health, or operations with a data use agreement that prohibits re-identification or contact.

Re-identification codes

Covered Entities may assign a code that permits re-identification if it is not derived from personal information and is not used for other purposes. The mapping must be kept separately and securely.
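As an added example (not code from the article or from Accountable), the Safe Harbor identifier rules from the list above and the re-identification code practice just described, applied in Python to a constructed patient record. The restricted three-digit ZIP prefix set is a placeholder, not the authoritative census-derived list, and the reference date for age calculation is assumed.

```python
import secrets
from datetime import date

# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample", "ssn": "000-00-0000", "email": "jane@example.org",
    "phone": "555-0100", "mrn": "MRN-000123", "zip": "02134",
    "birth_date": "1931-04-12", "admission_date": "2023-11-03",
    "diagnosis": "Type 2 diabetes",
}
# Direct identifiers from the Safe Harbor list that are dropped outright.
DIRECT_IDENTIFIERS = {"name", "ssn", "email", "phone", "fax", "mrn", "account"}
# PLACEHOLDER: three-digit ZIP prefixes that must be reduced to 000.
# The authoritative set comes from HHS guidance and is not reproduced here.
RESTRICTED_ZIP3 = {"036", "059"}
# Assumed reference date for computing ages (the article's publication date).
AS_OF = date(2024, 1, 15)

def generalize_zip(zip_code, restricted=RESTRICTED_ZIP3):
    """Keep only the first three digits, or '000' for restricted prefixes."""
    prefix = zip_code[:3]
    return "000" if prefix in restricted else prefix

def generalize_age(birth_date, as_of=AS_OF):
    """Age in whole years, collapsed to '90+' for ages over 89."""
    born = date.fromisoformat(birth_date)
    age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
    return "90+" if age > 89 else str(age)

def safe_harbor_deidentify(record, as_of=AS_OF):
    """Return (de-identified record, re-identification mapping).

    The code is random, so it is not derived from personal information; the
    mapping that links it back to the source record must be stored separately."""
    code = secrets.token_hex(8)
    out = {"reid_code": code}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                                   # identifier removed entirely
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field.endswith("_date"):
            out[field[:-5] + "_year"] = value[:4]      # all date elements except year
        else:
            out[field] = value                         # clinical content is kept
    if "birth_date" in record:
        out["age"] = generalize_age(record["birth_date"], as_of)
        if out["age"] == "90+":
            out.pop("birth_year", None)  # a year indicative of age over 89 is a related element
    return out, {code: record}
```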

Conclusion

Understanding PHI in HIPAA starts with knowing what qualifies as PHI, what does not, the 18 identifiers, and how the HIPAA Privacy Rule and the Security Rule’s Administrative, Physical, and Technical Safeguards protect it. De-identification—via Safe Harbor or Expert Determination—reduces risk and enables broader data use while preserving privacy.

FAQs

What information qualifies as PHI under HIPAA?

PHI is Individually Identifiable Health Information about health, care, or payment that is created, received, maintained, or transmitted by a Covered Entity or Business Associate. It includes data in any form—electronic, paper, or oral—when it can identify a person or reasonably be used to do so.

How does HIPAA protect PHI?

HIPAA protects PHI through the HIPAA Privacy Rule, which limits uses and disclosures and grants individual rights, and the Security Rule, which requires Administrative Safeguards, Physical Safeguards, and Technical Safeguards for ePHI. Breach notification, minimum necessary, and Business Associate agreements add accountability.

What are the 18 identifiers of PHI?

The Safe Harbor list includes names; detailed geography; most dates and ages over 89; phone and fax numbers; emails; SSNs; medical record and beneficiary numbers; account and certificate/license numbers; vehicle and device identifiers; URLs; IP addresses; biometric identifiers; full-face photos; and any other unique identifying number, characteristic, or code.

What information is excluded from PHI?

De-identified data, FERPA education records, employment records held by an employer, information about individuals deceased for more than 50 years, and health data held solely by entities that are neither Covered Entities nor Business Associates are excluded. A limited data set is not excluded; it remains PHI under a data use agreement.
