What Counts as PHI in Written or Verbal Form? HIPAA Definition and Examples

Kevin Henry

HIPAA

September 19, 2025

7 minute read

Definition of PHI

Protected Health Information (PHI) is individually identifiable health information that relates to a person’s past, present, or future physical or mental health or condition, the provision of care, or payment for care. If the information identifies the individual—or could reasonably be used to identify them—and is created, received, maintained, or transmitted by a covered entity or its business associate, it is PHI under the HIPAA Privacy Rule.

PHI exists in any medium: paper, verbal, or electronic. Electronic Protected Health Information (ePHI) is simply PHI stored or sent electronically. While people sometimes refer to “health information portability,” the law is formally the Health Insurance Portability and Accountability Act; its core purpose includes safeguarding patient confidentiality while enabling responsible data flow for treatment, payment, and operations.

Key elements

  • Individually Identifiable Health Information tied to a specific person or reasonably linkable to them.
  • Handled by a covered entity (health plan, clearinghouse, or provider who transmits certain transactions electronically) or a business associate.
  • Applies to all forms—written, verbal, electronic—equally.

Forms of PHI

Electronic (ePHI)

Any PHI stored or transmitted via EHRs, patient portals, email, secure messaging, cloud storage, mobile apps acting on behalf of covered entities, databases, backups, or device logs. Metadata, audit logs, and file names can be ePHI if they include identifiers.

Written

Paper charts, intake forms, prescriptions, discharge summaries, billing statements, printed lab results, faxes, sticky notes, labels, whiteboards visible in clinical areas, and mailed documents containing identifiers or clinical details.

Verbal

Phone calls with patients or family, hallway or elevator conversations, shift handoffs, case conferences, voicemails, and telehealth discussions. Spoken information is PHI when it includes identifiers linked to health, care, or payment.

Images and media

Photos, videos, and audio recordings that include faces, voices, unique tattoos, room signs, wristbands, or screens displaying patient data. Even a casual snapshot captured in a clinical setting can contain PHI.

Examples of PHI

  • Name plus any clinical detail (e.g., “Maria Lopez—A1C 9.2%”).
  • Addresses smaller than a state, full ZIP code, phone, fax, or email linked to care or billing.
  • Dates directly related to an individual (birthdate, admission/discharge, death, appointment times) combined with health context.
  • Medical record numbers, account numbers, claim numbers, health plan beneficiary IDs.
  • Device serials, implant IDs, prescription numbers, and imaging identifiers.
  • Biometrics (fingerprints, voiceprints), full-face photos, or comparable images.
  • IP addresses, URLs, and other unique codes when they can be tied back to a specific patient encounter.
  • Verbal examples: “Mr. Chen in Room 412 needs a transfusion,” or leaving a voicemail with a diagnosis and callback number.

Exclusions from PHI

Some information is not PHI under HIPAA, even if it concerns health:

  • De-identified data that cannot identify an individual, either via the Safe Harbor removal of specified identifiers or expert determination that re-identification risk is very small.
  • Education records subject to FERPA.
  • Employment records held by a covered entity in its role as employer (e.g., HR files, pre-employment physical results kept for employment purposes).
  • Information about individuals deceased for more than 50 years.
  • Consumer-generated health data held by entities that are not covered entities or business associates (e.g., a personal wellness app not acting for a provider); this may still be protected by other privacy laws but is not PHI.
  • Aggregated statistics that cannot be tied to a specific individual.

Note: A HIPAA Limited Data Set excludes certain direct identifiers but remains PHI and requires a Data Use Agreement; it is not a de-identified exclusion.

HIPAA Compliance Requirements

Privacy Rule essentials

  • Use and disclose PHI only as permitted (e.g., treatment, payment, health care operations) or as authorized by the patient.
  • Apply the minimum necessary standard to routine uses and disclosures.
  • Provide a Notice of Privacy Practices and honor patient rights to access, amend, and receive an accounting of disclosures.

Security Rule essentials for ePHI

  • Administrative safeguards: risk analysis, risk management, workforce training, sanctions, contingency planning.
  • Physical safeguards: facility access controls, device and media controls, secure disposal, workstation security.
  • Technical safeguards: unique user IDs, multi-factor authentication, role-based access, encryption, transmission security, integrity controls, and audit logging.

PHI Transmission Standards

  • Encrypt PHI in transit (e.g., TLS-based secure email gateways, secure portals, SFTP, VPN) and at rest where feasible.
  • Verify recipient identity, use secure channels for messages containing identifiers, and avoid public or unsecured Wi‑Fi for PHI exchanges.
  • Maintain Business Associate Agreements when vendors transmit or store PHI.

Breach notification and documentation

  • Implement incident response to assess, mitigate, and document suspected breaches.
  • Provide required notifications to affected individuals and authorities when a breach is confirmed.

Identifying PHI in Communications

Before you send, speak, or store information, ask three questions: (1) Is there a patient-specific health, care, or payment detail? (2) Is there a direct or reasonably linkable identifier? (3) Is a covered entity or business associate involved? If yes to all, you are handling PHI.

Channel-specific cues

  • Email and chat: names with diagnoses, images of screens, claim numbers, or appointment details are PHI; use secure messaging and double-check recipients.
  • Phone and voicemail: confirm identity before sharing; leave minimal details—typically name and callback number only, unless prior consent allows more.
  • Texting: use approved, secure texting solutions; avoid native SMS for PHI unless your policy explicitly permits and safeguards are in place.
  • Meetings and rounds: avoid discussing identifiable cases in public areas; use private spaces or de-identify where possible.
  • Paper and faxes: include a cover sheet with limited info, verify numbers, and promptly retrieve printouts from shared devices.
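The three-question test above, together with the Safe Harbor de-identification described under "Exclusions from PHI", can be turned into a first-pass screening check for outbound messages. The Python below is an added example written for this article, not code from Accountable or the original post. The identifier regexes, the health-context word list, the `screen` and `deidentify` function names and the sample messages are all constructed assumptions; the room-number pattern is included only because the article's own verbal example ("Mr. Chen in Room 412") treats a room number as linking a person to care, even though it is not one of the Safe Harbor categories.

```python
"""Heuristic screener for PHI in free-text messages (e-mail body, chat line,
voicemail transcript). Added example for this article; not Accountable's code.

Everything below (patterns, vocabulary, sample messages) is constructed for
illustration. It models the article's three-question test and a Safe
Harbor-style redaction; a production DLP control needs vetted patterns,
a name or directory source and human review.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List

# Question 2: direct or reasonably linkable identifiers. Keys double as the
# redaction labels; order matters because substitutions run in sequence
# (MRN before ZIP so its digits are consumed first). Name detection is crude
# on purpose: a title or the word "patient" followed by capitalised words.
# "room" is not a Safe Harbor category; it is here because the article's own
# example ("Mr. Chen in Room 412") shows a room number linking a person to care.
IDENTIFIER_PATTERNS: Dict[str, re.Pattern] = {
    "name": re.compile(r"\b(?:Mr|Mrs|Ms|[Pp]atient)\.?\s+([A-Z][a-z]+(?:\s+[A-Z][a-z]+)?)"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "mrn": re.compile(r"\bMRN[:\s#]*\d{5,}\b", re.I),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b"),  # group 1 = year
    "zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
    "room": re.compile(r"\bRoom\s+\d+[A-Z]?\b", re.I),
}

# Question 1: health, care or payment context. A constructed vocabulary; a real
# deployment would use clinical terminologies or a trained classifier.
HEALTH_CONTEXT = re.compile(
    r"\b(diagnos\w*|transfusion|fracture|A1C|lab results?|prescription|claim|"
    r"admission|discharge|surgery|HIV|insulin|copay|billing)\b",
    re.I,
)


@dataclass
class Screening:
    identifiers: Dict[str, List[str]]  # category -> matched strings
    health_context: List[str]          # matched context terms
    covered_entity_involved: bool      # question 3, supplied by the caller

    @property
    def is_phi(self) -> bool:
        """All three questions must be 'yes' for the text to count as PHI."""
        return bool(self.identifiers) and bool(self.health_context) and self.covered_entity_involved


def screen(text: str, covered_entity_involved: bool = True) -> Screening:
    """Apply the three-question test to one message."""
    identifiers: Dict[str, List[str]] = {}
    for category, pattern in IDENTIFIER_PATTERNS.items():
        found = [m.group(0) for m in pattern.finditer(text)]
        if found:
            identifiers[category] = found
    return Screening(identifiers, HEALTH_CONTEXT.findall(text), covered_entity_involved)


def deidentify(text: str) -> str:
    """Safe Harbor-style redaction: remove every identifier category, keeping
    only the year of a date (Safe Harbor permits the year alone). ZIP codes
    are dropped entirely here rather than truncated to three digits, which
    Safe Harbor allows only for sufficiently populous areas."""
    for category, pattern in IDENTIFIER_PATTERNS.items():
        if category == "date":
            text = pattern.sub(lambda m: m.group(1), text)
        else:
            text = pattern.sub(f"[{category.upper()}]", text)
    return text


# Constructed sample messages, one per channel the article discusses.
SAMPLE_MESSAGES = {
    "handoff": "Mr. Chen in Room 412 needs a transfusion before discharge on 03/14/2025.",
    "voicemail": "Hi, this is the clinic, please call us back at 555-201-0199.",
    "lab": "patient Maria Lopez, MRN 8841022: A1C 9.2%, lab results attached.",
    "wellness": "Step count goal reached! Keep moving.",
}

if __name__ == "__main__":
    for label, text in SAMPLE_MESSAGES.items():
        # A stand-alone wellness app is not a covered entity (question 3 = no).
        result = screen(text, covered_entity_involved=(label != "wellness"))
        print(f"{label:9} PHI={result.is_phi!s:5} ids={result.identifiers} ctx={result.health_context}")
        if result.is_phi:
            print(f"{'':9} redacted: {deidentify(text)}")
```

Running the block shows the pattern the article describes: the handoff line and the lab note are flagged as PHI because they carry both an identifier and a health detail, the voicemail contains a callback number but no clinical context and so passes (which is exactly the "name and callback number only" guidance for voicemail), and the same lab note is not PHI when no covered entity or business associate is involved. Redacting the handoff line with `deidentify` leaves only the year of the date, so re-screening the redacted text no longer finds PHI.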

Borderline scenarios

  • “The 45-year-old runner with a tibial fracture” can be identifying in small communities—treat it as PHI.
  • Whiteboard schedules visible to visitors can reveal PHI; restrict access or remove identifiers.
  • Research data: if fully de-identified per HIPAA, it is not PHI; otherwise apply PHI safeguards.

Safeguarding PHI in Practice

Practical controls you can implement now

  • Minimize identifiers: share only what is necessary for the task.
  • Use secure portals or encrypted email for patient documents and images.
  • Adopt role-based access, MFA, and strong passwords; review access regularly.
  • Enable device encryption and remote wipe on laptops and mobile devices; avoid storing PHI locally when possible.
  • Shred or securely dispose of paper; sanitize media before reuse or disposal.
  • Train your workforce routinely, test with phishing simulations, and reinforce patient confidentiality expectations.
  • Document policies, retain logs, and audit transmissions to ensure PHI Transmission Standards are consistently met.

Channel-by-channel checklist

  • Email: secure channel, correct recipient, minimal PHI in subject lines, remove auto-complete risks.
  • Phone: verify identity, speak quietly in shared spaces, limit voicemail content.
  • Text: use approved secure apps; avoid screenshots that might capture other patients’ data.
  • Paper: collect printouts immediately, lock storage, and track chain of custody for offsite transport.
  • Telehealth: confirm patient location and identity, use HIPAA-appropriate platforms, and prevent screen exposure to bystanders.

Key takeaways

PHI is any individually identifiable health information handled by covered entities or business associates—regardless of whether it is written, verbal, or electronic. When in doubt, apply the minimum necessary rule, use secure channels, and prioritize patient confidentiality at every step.

FAQs

What information is considered PHI in verbal communication?

Spoken details that identify a patient and relate to health, care, or payment are PHI. Examples include discussing a diagnosis tied to a patient’s name or room number, giving lab results over the phone after verifying identity, or leaving a voicemail that includes medical details. Keep verbal disclosures private and minimal.

How does HIPAA define written PHI?

Written PHI is individually identifiable health information recorded on paper or comparable media—charts, forms, prescriptions, billing statements, faxes, labels, and printed schedules—when maintained or transmitted by a covered entity or business associate. If it can identify a patient and relates to care or payment, treat it as PHI.

Are employee health records protected under PHI?

Employment records held by a covered entity in its role as employer (e.g., HR files) are not PHI under HIPAA, even if they contain health information. However, the same health information in a patient record created for clinical care is PHI. Other laws may still protect employment records.

What are common examples of PHI in patient records?

Names with diagnoses, dates of service, medical record and account numbers, imaging and lab results, prescription details, health plan IDs, contact information, and full-face photos are common PHI elements. When combined with clinical or billing information, these identifiers trigger HIPAA protections.
