What Counts as PHI? HIPAA Privacy Rule Requirements and Examples
Overview of Protected Health Information
If you handle health data, the first question to answer is what counts as PHI under the Health Insurance Portability and Accountability Act (HIPAA). The Privacy Rule covers “individually identifiable health information” that a covered entity or its business associate creates, receives, maintains, or transmits in any form.
Information is PHI when it relates to a person’s past, present, or future physical or mental health, the provision of health care, or payment for care, and it either directly identifies the individual or there is a reasonable basis to believe it could. PHI can live in electronic systems, paper files, or even spoken communications.
What makes information identifiable?
Identifiability turns on context and the presence of PHI identifiers. A single data point (for example, a medical record number) may be enough to identify someone, but so can combinations of details like ZIP code and admission date. If you can reasonably re-identify a person, you are handling Identifiable Health Information and must ensure Privacy Rule Compliance.
PHI vs. personal health data in consumer apps
Not all health-related data is PHI. If a non‑health‑care company collects fitness metrics directly from a consumer and is not acting for a covered entity, those data are generally outside HIPAA. The same metrics become PHI once a covered entity or business associate collects, stores, or uses them in connection with care or payment.
HIPAA's 18 Identifiers
HIPAA specifies 18 identifiers that make health information identifiable. Under the Safe Harbor pathway to De‑Identification, all must be removed and you must have no actual knowledge that remaining data could identify a person.
- Names.
- Geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code). The first three ZIP digits may be used only if the combined area has at least 20,000 people; otherwise use 000.
- All elements of dates (except year) directly related to an individual, including birth, admission, discharge, death; ages over 89 must be aggregated into 90 or older.
- Telephone numbers.
- Fax numbers.
- Email addresses.
- Social Security numbers.
- Medical record numbers.
- Health plan beneficiary numbers.
- Account numbers.
- Certificate or license numbers.
- Vehicle identifiers and license plate numbers.
- Device identifiers and serial numbers.
- Web URLs.
- IP addresses.
- Biometric identifiers (for example, fingerprints, voiceprints, retinal scans).
- Full‑face photographic images and comparable images.
- Any other unique identifying number, characteristic, or code (other than a permitted re‑identification code).
Examples of PHI
Clinical and care delivery
- Progress notes containing a patient’s name, date of birth, or medical record number.
- Lab reports with accession numbers tied to a person.
- Radiology images that include full‑face photos or embedded DICOM metadata identifying the patient.
- Prescription records with Rx numbers and prescriber/patient identifiers.
Payment and operations
- Claims, explanations of benefits, and prior authorization files with plan beneficiary numbers or account numbers.
- Billing statements listing service dates and patient identifiers.
- Call recordings and voicemails about coverage that include a phone number and member details.
Digital interactions and telemetry
- Patient portal logs that include usernames, IP addresses, and appointment dates.
- Remote monitoring feeds (for example, device serial numbers linked to a patient in the EHR).
- Emails or texts between a provider and patient discussing diagnosis or treatment.
Research and quality improvement
- Datasets used for outcomes tracking that retain dates, ZIP codes, or record numbers.
- Limited Data Sets shared under a Data Use Agreement (still PHI, though stripped of direct identifiers).
Exclusions from PHI
- Data that are De‑Identified under HIPAA (Safe Harbor or Expert Determination). When properly de‑identified, the information is no longer PHI.
- Employment records held by a covered entity in its role as employer (for example, FMLA files, workplace injury logs).
- Education records and student treatment records covered by FERPA.
- Identifiable health information collected by entities that are not Covered Entities or Business Associates and not acting on their behalf (for example, many consumer health apps).
- Information about individuals deceased for more than 50 years.
- Aggregated statistics that present no reasonable basis to identify an individual.
Note: A Limited Data Set is not an exclusion—it remains PHI subject to specific use and disclosure controls via a Data Use Agreement.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Importance of PHI Compliance
Strong Privacy Rule Compliance protects patients, preserves trust, and reduces regulatory and litigation risk. It also enables responsible data sharing and analytics with the right safeguards and agreements in place.
Key compliance principles
- Apply the “minimum necessary” standard to routine uses and disclosures.
- Honor patient rights (access, amendments, restrictions, confidential communications, and accounting of disclosures).
- Implement administrative, physical, and technical safeguards under HIPAA’s Security Rule for ePHI.
- Train your workforce, manage role‑based access, and monitor activity logs.
- Execute and manage Business Associate Agreements for vendors handling PHI.
- Maintain an incident response plan and conduct timely breach risk assessments and notifications when required.
Consequences of noncompliance
Breaches can trigger mandatory notifications to affected individuals, the U.S. Department of Health and Human Services, and in some cases local media. Regulators may impose corrective action plans and civil monetary penalties; state attorneys general and private litigants may also pursue actions under applicable laws. Reputational damage and operational disruption often exceed direct fines.
De-Identification Standards
Safe Harbor method
- Remove all 18 PHI Identifiers listed above.
- Ensure you have no actual knowledge that remaining data could identify an individual alone or in combination.
- Remember special rules: aggregate ages 90+, and restrict ZIP codes to the first three digits only when population thresholds are met.
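The identifier list above and the Safe Harbor steps in this section are mechanical enough to implement directly. The following is an added example, not code from the original article or from Accountable: it strips the direct-identifier fields from a structured record, reduces ZIP codes and dates as Safe Harbor requires, collapses ages over 89 into "90+", and scans remaining free text for identifier patterns so that a hit can be routed for review (the "no actual knowledge" condition). The field names, the sample record and the ZIP-prefix population table are all constructed for illustration; a real implementation must take populations from current Census data.

```python
"""Safe Harbor de-identification of a structured patient record (added example)."""
import re
from datetime import date

# Constructed population table for 3-digit ZIP prefixes. Real values must come
# from current Census data; these numbers are made up for the example.
SAMPLE_ZIP3_POPULATION = {"021": 650_000, "036": 12_000}

# Fields that hold direct identifiers from the 18-item list; dropped outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "beneficiary_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_id", "photo_ref",
}

# Patterns used only to flag residual identifiers left in free text. A hit
# means the "no actual knowledge" condition is not met and the record needs review.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

AS_OF = date(2024, 6, 1)  # reference date for age computation (constructed)


def safe_harbor_zip(zip_code, zip3_population):
    """Keep the first three digits only if that area has at least 20,000 people, else 000."""
    zip3 = zip_code.strip()[:3]
    return zip3 if zip3_population.get(zip3, 0) >= 20_000 else "000"


def age_on(birth_date, as_of):
    """Whole years between birth_date and as_of."""
    years = as_of.year - birth_date.year
    if (as_of.month, as_of.day) < (birth_date.month, birth_date.day):
        years -= 1
    return years


def safe_harbor_birth(birth_date, as_of):
    """Return (birth_year, age). Ages over 89 collapse into '90+' and lose the year too."""
    age = age_on(birth_date, as_of)
    if age > 89:
        return None, "90+"
    return str(birth_date.year), str(age)


def safe_harbor_date(d):
    """Other dates tied to the individual keep only the year."""
    return str(d.year)


def scan_residual_identifiers(text):
    """Report which identifier patterns still appear in a free-text field."""
    return sorted(name for name, pat in RESIDUAL_PATTERNS.items() if pat.search(text))


def deidentify(record, zip3_population, as_of):
    """Apply Safe Harbor transforms to a record dict; return (clean_record, review_flags)."""
    clean, flags = {}, []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue  # removed entirely
        if field == "zip":
            clean["zip3"] = safe_harbor_zip(value, zip3_population)
        elif field == "birth_date":
            year, age = safe_harbor_birth(value, as_of)
            if year is not None:
                clean["birth_year"] = year
            clean["age"] = age
        elif isinstance(value, date):
            clean[field + "_year"] = safe_harbor_date(value)
        elif isinstance(value, str):
            hits = scan_residual_identifiers(value)
            if hits:
                flags.append((field, hits))  # left in place, but flagged for review
            clean[field] = value
        else:
            clean[field] = value
    return clean, flags


# Constructed sample record; no real patient data.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "mrn": "MRN-000123",
    "zip": "03601",
    "birth_date": date(1930, 5, 2),
    "admission_date": date(2024, 3, 14),
    "diagnosis": "Type 2 diabetes",
    "notes": "Patient asked to be called at 555-123-4567 after discharge.",
}


def run_sample():
    """De-identify the constructed sample record as of AS_OF."""
    return deidentify(SAMPLE_RECORD, SAMPLE_ZIP3_POPULATION, AS_OF)


if __name__ == "__main__":
    clean_record, review_flags = run_sample()
    print(clean_record)
    print("needs review:", review_flags)
```

Run as a script, the sample record comes out with zip3 "000" (the constructed "036" area is below the threshold), no birth year and age "90+" (the patient is 94), the admission date reduced to its year, and the notes field flagged because it still contains a phone number. Flagging rather than silently scrubbing free text is deliberate: Safe Harbor is only satisfied when you have no actual knowledge of residual identifiers, and a regex cannot provide that assurance by itself.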
Expert Determination method
- A qualified expert applies accepted statistical or scientific methods and documents that the risk of re‑identification is very small.
- Controls may include generalization, perturbation, k‑anonymity, or differential privacy approaches.
- Re‑evaluate risk when context or public data availability changes.
Limited Data Sets (still PHI)
- May include city, state, ZIP code, and dates related to an individual (for example, admission, discharge, service, birth, death).
- Must exclude direct identifiers (for example, names, full addresses, contact numbers, account numbers).
- Require a Data Use Agreement specifying permitted uses, disclosures, safeguards, and no re‑identification attempts.
Re-identification codes
You may assign a code to re‑link de‑identified records if the code is not derived from PHI, the mapping key is kept separately, and the code is not used for other purposes. This allows longitudinal analysis without exposing identities.
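The three conditions above (code not derived from PHI, mapping key held separately, code used for nothing else) are easy to violate by reaching for a hash of the medical record number. The following added example, not from the original article, shows a key store that issues random codes and keeps the mapping on its own, next to a hash-based code included only for contrast: the hash is reproducible by anyone who can guess the MRN, which is what "derived from PHI" means in practice. The class and field names are constructed for illustration.

```python
"""Re-identification codes kept apart from the de-identified data set (added example)."""
import hashlib
import secrets


class ReidentificationKeyStore:
    """Holds the mapping from random codes to patient identity.

    The store is meant to live on a separately controlled system from the
    de-identified data. The code itself is random, so it carries no information
    about the person and cannot be recomputed from the MRN or any other PHI.
    """

    def __init__(self):
        self._code_by_mrn = {}
        self._mrn_by_code = {}

    def code_for(self, mrn):
        """Return the stable code for this patient, issuing a new random one if needed."""
        if mrn not in self._code_by_mrn:
            code = secrets.token_hex(16)  # 128 random bits; nothing computable from PHI
            self._code_by_mrn[mrn] = code
            self._mrn_by_code[code] = mrn
        return self._code_by_mrn[mrn]

    def relink(self, code):
        """Resolve a code back to the MRN; only the key-store holder can do this."""
        return self._mrn_by_code.get(code)


def attach_code(deidentified_record, mrn, keystore):
    """Add the re-identification code to a de-identified record.

    The MRN is used only to look up or mint the code; it never enters the record.
    """
    out = dict(deidentified_record)
    out["record_code"] = keystore.code_for(mrn)
    return out


def hashed_mrn_code(mrn):
    """For contrast only: a code derived from PHI.

    Anyone who knows or can enumerate MRNs can recompute this value and re-link
    records without the key store, so it does not meet the 'not derived from PHI'
    condition even though it looks opaque.
    """
    return hashlib.sha256(mrn.encode()).hexdigest()


if __name__ == "__main__":
    store = ReidentificationKeyStore()
    visit_1 = attach_code({"age": "90+", "admission_date_year": "2024"}, "MRN-000123", store)
    visit_2 = attach_code({"age": "90+", "admission_date_year": "2024"}, "MRN-000123", store)
    print("same patient, same code:", visit_1["record_code"] == visit_2["record_code"])
    print("relinked MRN:", store.relink(visit_1["record_code"]))
```

Two independent key stores will issue different codes for the same patient, while the hashed code is identical everywhere; that difference is exactly why the random code plus a separately held mapping satisfies the rule and the hash does not.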
Roles of Covered Entities and Business Associates
Covered Entities
Covered Entities include health plans, health care clearinghouses, and health care providers who transmit health information electronically in connection with standard transactions. They bear primary responsibility for safeguarding PHI and enabling patient rights.
Business Associates
Business Associates perform functions or services for a Covered Entity involving PHI (for example, cloud hosting, EHR vendors, claims processing, analytics, e‑prescribing, transcription). Subcontractors that create, receive, maintain, or transmit PHI are also Business Associates.
Business Associate Agreements (BAAs)
- Define permitted uses and disclosures of PHI and require safeguards aligned with the Security Rule.
- Mandate breach reporting, subcontractor “flow‑down” obligations, and return or destruction of PHI at contract end when feasible.
- Permit oversight and audits to verify compliance.
Operational responsibilities
- Conduct periodic risk analyses and implement risk‑based controls.
- Apply minimum necessary, role‑based access, and data retention/disposal policies.
- Document policies, procedures, and training, and keep evidence for audits.
Summary
Under HIPAA, what counts as PHI depends on identifiability and who holds the data. By recognizing the 18 identifiers, using rigorous De‑Identification where appropriate, and clarifying roles for Covered Entities and Business Associates, you can handle Identifiable Health Information lawfully and confidently.
FAQs
What information qualifies as PHI under HIPAA?
PHI is individually identifiable health information about a person’s health, care, or payment for care that a Covered Entity or Business Associate creates, receives, maintains, or transmits. If the information contains one or more PHI Identifiers—or a combination that could reasonably identify the person—it is PHI.
How does de-identification affect PHI status?
Properly de‑identified data are no longer PHI. You can achieve this by removing all 18 identifiers under Safe Harbor (and having no actual knowledge of re‑identification risk) or by obtaining an Expert Determination that the risk of identification is very small. Limited Data Sets are not fully de-identified and remain PHI subject to a Data Use Agreement.
Who must comply with the HIPAA Privacy Rule?
Health plans, health care clearinghouses, and health care providers engaging in standard electronic transactions must comply, as must their Business Associates and relevant subcontractors. These entities must implement Privacy Rule Compliance and Security Rule safeguards for PHI and ePHI.
What are the consequences of PHI breaches?
Breaches can require prompt notifications to affected individuals and HHS, and sometimes to the media, along with mitigation steps and corrective action plans. Civil monetary penalties, settlements, and oversight can follow, in addition to reputational harm and operational costs such as forensic investigations and remediation.