Understanding the Scope of Information Protected by HIPAA

Kevin Henry

HIPAA

January 02, 2024

5 minute read

Understanding the Scope of Information Protected by HIPAA helps you determine what data requires safeguards, when de-identification suffices, and which parties must comply. This guide explains key HIPAA Regulatory Definitions, the forms and exclusions of PHI, the Protected Health Information Identifiers, and how Covered Entity Compliance extends to business partners.

Definition of Protected Health Information

Core concept

Protected Health Information (PHI) is Individually Identifiable Health Information created or received by a covered entity or business associate that relates to: an individual’s past, present, or future physical or mental health or condition; the provision of health care; or payment for health care; and that identifies the individual or could reasonably be used to identify them.

HIPAA Privacy Rule context

Under HIPAA Regulatory Definitions, PHI can exist in any form or medium—electronic, paper, or oral. The HIPAA Privacy Rule governs how PHI is used and disclosed and sets the “minimum necessary” expectation. If information is not identifiable or is expressly excluded, it is not PHI.

Forms of Protected Health Information

Media and modalities

  • Electronic PHI (ePHI): EHR data, patient portals, claims files, imaging, device telemetry, audit logs, and backups.
  • Paper PHI: charts, referral letters, printed lab results, billing statements, mailed notices.
  • Oral PHI: in-person conversations, call center recordings, voicemails discussing diagnosis, treatment, or payment.

Examples you may handle

  • Demographics linked to clinical details (e.g., name plus test result).
  • Identifiers tied to utilization or billing (account numbers with procedure codes).
  • Photographs, biometrics, or device serials associated with a patient record.

Exclusions from Protected Health Information

Some data is outside PHI even when held by a covered entity. Knowing these exclusions helps you apply correct safeguards and streamline operations.

  • De-identified information: data that no longer identifies an individual under HIPAA’s de-identification standards.
  • Employment records: information a covered entity maintains in its role as an employer (e.g., HR files, pre-employment drug screens managed by HR), even if health-related.
  • FERPA education records and eligible student treatment records: governed by education privacy law rather than HIPAA.
  • Information about a person deceased for 50 years or more.

Note: A Limited Data Set is not excluded; it remains PHI but may be used or disclosed for research, public health, or health care operations under a Data Use Agreement.

Eighteen Identifiers of Protected Health Information

The HIPAA Privacy Rule specifies 18 direct identifiers. Removing them is central to the Safe Harbor method of Health Information De-identification.

  • 1. Names.
  • 2. Geographic subdivisions smaller than a state (street, city, county, precinct, ZIP code) except the initial three ZIP digits when the population rule is met.
  • 3. All elements of dates (except year) directly related to an individual, including birth, admission, discharge, death; ages over 89 must be aggregated as 90+.
  • 4. Telephone numbers.
  • 5. Fax numbers.
  • 6. Email addresses.
  • 7. Social Security numbers.
  • 8. Medical record numbers.
  • 9. Health plan beneficiary numbers.
  • 10. Account numbers.
  • 11. Certificate or license numbers.
  • 12. Vehicle identifiers and serial numbers, including license plates.
  • 13. Device identifiers and serial numbers.
  • 14. Web URLs.
  • 15. IP address numbers.
  • 16. Biometric identifiers (e.g., finger and voice prints).
  • 17. Full-face photographic images and comparable images.
  • 18. Any other unique identifying number, characteristic, or code (except permitted re-identification codes).

De-identified Health Information

Two permissible methods

  • Safe Harbor: remove all 18 Protected Health Information Identifiers and have no actual knowledge that the remaining data can identify an individual.
  • Expert Determination: a qualified expert applies accepted statistical principles to conclude the risk of re-identification is very small, documents the methods, and justifies the result.

Limited Data Set versus de-identified

A Limited Data Set may retain certain elements (e.g., dates, city, state, ZIP code, and other non-direct identifiers) but excludes direct identifiers like names and SSNs. It is still PHI and requires a Data Use Agreement that sets permitted uses, safeguards, and limits on re-disclosure.
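The contrast between Safe Harbor de-identification and a Limited Data Set is easiest to see on one record. The following is an added example written for this article, not code from Accountable or from HIPAA guidance itself. It uses a constructed patient record with invented field names and values, a constructed stand-in for the Census-derived list of 3-digit ZIP areas with 20,000 or fewer residents (the threshold the Safe Harbor rule applies), and it applies the rule's further requirement that any date element, including year, indicative of an age over 89 is removed along with the age itself.

```python
import re
from datetime import date

# Constructed sample record; every value is invented for this example.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "street": "12 Example Street",
    "city": "Springfield",
    "state": "IL",
    "zip": "62704",
    "phone": "555-0100",
    "email": "jane.sample@example.com",
    "ssn": "123-45-6789",
    "mrn": "MRN-0001234",
    "device_serial": "PUMP-SN-9XQ",
    "ip_address": "192.0.2.10",
    "birth_date": "1930-06-15",
    "admit_date": "2023-11-02",
    "diagnosis_code": "E11.9",
    "notes": "Jane Q. Sample seen for follow-up; pump PUMP-SN-9XQ recalibrated.",
}

# Field classes (assumed field names). Direct identifiers are stripped by both
# methods; dates and sub-state geography survive only in a Limited Data Set.
DIRECT_IDENTIFIERS = {"name", "street", "phone", "fax", "email", "ssn", "mrn",
                      "health_plan_id", "account_no", "license_no", "vehicle_id",
                      "device_serial", "url", "ip_address", "biometric_ref", "photo_ref"}
DATE_FIELDS = {"birth_date", "admit_date", "discharge_date", "death_date"}
SUB_STATE_GEOGRAPHY = {"city", "county", "precinct"}

# Constructed stand-in for the Census-derived set of 3-digit ZIP areas with
# 20,000 or fewer people; a real pipeline loads this from current Census data.
SMALL_ZIP3_AREAS = {"036", "059"}


def years_between(birth_iso: str, as_of_iso: str) -> int:
    b, a = date.fromisoformat(birth_iso), date.fromisoformat(as_of_iso)
    return a.year - b.year - ((a.month, a.day) < (b.month, b.day))


def safe_harbor_age(birth_iso: str, as_of_iso: str) -> str:
    # Safe Harbor permits an age in years, but ages over 89 collapse to "90+".
    age = years_between(birth_iso, as_of_iso)
    return "90+" if age > 89 else str(age)


def safe_harbor_zip(zip_code: str, small_areas=SMALL_ZIP3_AREAS) -> str:
    # Only the first three digits may remain, and only when that 3-digit area
    # holds more than 20,000 people; otherwise the value becomes 000.
    prefix = zip_code.strip()[:3]
    return "000" if prefix in small_areas else prefix


def redact_values(text: str, values) -> str:
    # Free text must lose the same identifiers as the structured fields.
    for v in sorted((str(x) for x in values if x), key=len, reverse=True):
        text = re.sub(re.escape(v), "[REDACTED]", text, flags=re.IGNORECASE)
    return text


def safe_harbor_deidentify(record: dict, as_of_iso: str = "2024-01-02") -> dict:
    """Remove the 18 identifiers; the result is no longer PHI (absent actual knowledge otherwise)."""
    direct_values = [record[k] for k in DIRECT_IDENTIFIERS if k in record]
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in SUB_STATE_GEOGRAPHY:
            continue                                  # identifiers 1, 2 (below state), 4 to 17
        if key in DATE_FIELDS:
            out[key[:-len("_date")] + "_year"] = value[:4]   # identifier 3: year only
        elif key == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif key == "notes":
            out[key] = redact_values(value, direct_values)
        else:
            out[key] = value
    if "birth_date" in record:
        out["age"] = safe_harbor_age(record["birth_date"], as_of_iso)
        if out["age"] == "90+":
            out.pop("birth_year", None)   # a birth year would reveal the over-89 age
    return out


def limited_data_set(record: dict) -> dict:
    """Strip direct identifiers but keep dates, city, state and full ZIP.
    The output is still PHI and may leave only under a Data Use Agreement."""
    direct_values = [record[k] for k in DIRECT_IDENTIFIERS if k in record]
    return {k: (redact_values(v, direct_values) if k == "notes" else v)
            for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


if __name__ == "__main__":
    print("Safe Harbor:", safe_harbor_deidentify(SAMPLE_RECORD))
    print("Limited Data Set:", limited_data_set(SAMPLE_RECORD))
```

Run as a script, the Safe Harbor output keeps only the state, the 3-digit ZIP, the admission year, the diagnosis code, a "90+" age band and the scrubbed note, while the Limited Data Set keeps the full dates, city and ZIP and therefore still needs a Data Use Agreement before it can be shared.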

Covered Entities and Business Associates

Covered entities

Covered entities include health plans, health care clearinghouses, and health care providers who transmit health information electronically in connection with standard transactions. Covered Entity Compliance spans policies, workforce training, risk analysis, and adherence to the HIPAA Privacy Rule and Security Rule.

Business associates

Business associates are persons or organizations that create, receive, maintain, or transmit PHI for a covered entity (or for another business associate). Examples include billing services, EHR and cloud vendors, data analytics firms, consultants, and legal or actuarial providers.

Business Associate Agreements

Covered entities and business associates must execute Business Associate Agreements that define permitted uses/disclosures, require safeguards, mandate breach reporting, and flow obligations down to subcontractors. These contracts are a cornerstone of enforceable HIPAA compliance between parties.

Conclusion

By applying HIPAA Regulatory Definitions, recognizing the forms and exclusions of PHI, using the 18-identifier framework for Health Information De-identification, and enforcing Business Associate Agreements, you can reliably scope, protect, and govern PHI across your ecosystem.

FAQs

What types of information are classified as PHI under HIPAA?

PHI is Individually Identifiable Health Information relating to health status, care, or payment that is created or received by a covered entity or business associate and that identifies an individual or could reasonably identify them. It exists in electronic, paper, and oral forms.

How does HIPAA define covered entities and business associates?

Covered entities are health plans, health care clearinghouses, and providers who conduct electronic standard transactions. Business associates are vendors or partners that create, receive, maintain, or transmit PHI on behalf of a covered entity or another business associate.

Are employment records included in PHI protections?

No. Employment records maintained by a covered entity in its role as employer are excluded from PHI. However, the same person’s records as a patient of that entity are PHI and remain protected.

What criteria determine if information is de-identified under HIPAA?

Information is de-identified if either: (1) all 18 identifiers are removed and there is no actual knowledge of residual identifiability (Safe Harbor), or (2) a qualified expert determines, using accepted methods, that the re-identification risk is very small and documents the analysis (Expert Determination).
