What Counts as Protected Health Information (PHI) Under HIPAA?
Definition of Protected Health Information
Protected Health Information (PHI) is individually identifiable health information that relates to an individual’s past, present, or future physical or mental health, the provision of healthcare to the individual, or payment for that healthcare. It must be created, received, maintained, or transmitted by a covered entity or a business associate and must identify the person or provide a reasonable basis to believe it could be used to identify them.
PHI exists in any form—paper, oral, or digital—and is governed primarily by the HIPAA Privacy Rule. If information cannot identify a person, either directly or indirectly, it is not PHI. Likewise, some records are expressly outside HIPAA’s scope, as noted below.
Key criteria for PHI
- Relates to health status, care provided, or payment for healthcare services.
- Identifies the individual or can reasonably be used to identify them.
- Is created, received, maintained, or transmitted by a covered entity or business associate.
- Exists in any medium: paper, oral, or electronic protected health information.
What is not PHI
- De-identified data (per HIPAA’s de-identification standards).
- Employment records held by a covered entity in its role as employer.
- Education records covered by FERPA.
- Information about an individual who has been deceased for more than 50 years.
Identifiable Health Information Components
Information becomes PHI when it includes any of HIPAA’s 18 identifiers combined with health details. These identifiers make data individually identifiable health information.
HIPAA’s 18 identifiers
- Names.
- Geographic subdivisions smaller than a state (e.g., street address, city, county, precinct, ZIP code), except that the initial three digits of a ZIP code may be kept when the area sharing those three digits has more than 20,000 people.
- All elements of dates (except year) related to an individual (e.g., birth, admission, discharge, death); ages 90+ must be aggregated as 90 or older for de-identification.
- Telephone numbers.
- Fax numbers.
- Email addresses.
- Social Security numbers.
- Medical record numbers.
- Health plan beneficiary numbers.
- Account numbers.
- Certificate/license numbers.
- Vehicle identifiers and license plates.
- Device identifiers and serial numbers.
- Web URLs.
- IP addresses.
- Biometric identifiers (e.g., finger and voice prints).
- Full-face photos and comparable images.
- Any other unique identifying number, characteristic, or code.
De-identification at a glance
HIPAA allows two paths to de-identification: the Safe Harbor method (removing all 18 identifiers, with the three-digit ZIP exception noted above, and having no actual knowledge that the remaining data could identify the individual) and Expert Determination (a qualified expert applies accepted statistical and scientific principles and documents that the risk of re-identification is very small). De-identified data is not PHI; a limited data set, which strips direct identifiers but may retain dates and some geographic data, is still PHI and may be used only for research, public health, or healthcare operations under a data use agreement.
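As an added example (not code from the original page or from Accountable), the following script applies the Safe Harbor rules above to a flat patient record: direct identifiers are dropped, dates are reduced to their year, ages over 89 are collapsed to "90+" (and the birth year is withheld in that case, since it would reveal the age), and a ZIP code is reduced to its first three digits or to "000" for sparsely populated prefixes. The field names, the `SPARSE_ZIP3` set and the sample record are all constructed for the example; in real use the sparse-prefix set must come from current Census figures. The design point is that it is an allowlist, not a denylist: any field not known to be clinical content is dropped, which is how the open-ended 18th identifier is handled.

```python
"""Safe Harbor de-identification of a single patient record (added example)."""
import re
from datetime import date

# Assumed field names for clinical content that may survive de-identification.
CLINICAL_FIELDS = {"sex", "diagnosis_codes", "lab_results", "medications", "allergies"}

# Date fields reduced to their year (Safe Harbor keeps only the year of a date).
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}

# Constructed placeholder: three-digit ZIP prefixes whose combined population is
# 20,000 or fewer. A real deployment must populate this from current Census data.
SPARSE_ZIP3 = {"036", "059", "063"}


def year_only(iso_date):
    """Keep only the year of a YYYY-MM-DD string."""
    m = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", iso_date)
    if not m:
        raise ValueError(f"expected YYYY-MM-DD, got {iso_date!r}")
    return m.group(1)


def age_bucket(dob, as_of):
    """Age in whole years on as_of, with every age over 89 collapsed to '90+'."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if age > 89 else str(age)


def zip3(zip_code, sparse_zip3):
    """First three ZIP digits, or '000' if that prefix covers 20,000 people or fewer."""
    prefix = zip_code[:3]
    return "000" if prefix in sparse_zip3 else prefix


def safe_harbor(record, as_of, sparse_zip3=SPARSE_ZIP3):
    """Return (de-identified record, names of dropped fields).

    as_of is the reference date for age as a YYYY-MM-DD string. Only clinical
    fields, dates and ZIP are transformed and kept; every other field is dropped,
    which covers "any other unique identifying number, characteristic, or code"
    without having to enumerate every possible field name.
    """
    as_of = date.fromisoformat(as_of)
    out, dropped = {}, []
    age = None
    if "dob" in record:
        age = age_bucket(date.fromisoformat(record["dob"]), as_of)
        out["age"] = age
    for field, value in record.items():
        if field in CLINICAL_FIELDS:
            out[field] = value
        elif field == "dob":
            # A birth year that implies an age over 89 is itself an identifier.
            if age != "90+":
                out["birth_year"] = year_only(value)
        elif field in DATE_FIELDS:
            out[field.replace("_date", "_year")] = year_only(value)
        elif field == "zip":
            out["zip3"] = zip3(value, sparse_zip3)
        else:
            dropped.append(field)
    return out, dropped


# Constructed sample record, not real patient data. "pager" is deliberately a
# field the script does not know about, to show the allowlist dropping it.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "mrn": "MRN-0001",
    "dob": "1931-02-10",
    "admit_date": "2024-03-05",
    "zip": "03601",
    "email": "jane@example.com",
    "pager": "555-0100",
    "diagnosis_codes": ["E11.9"],
    "sex": "F",
}


def run_sample():
    """De-identify the constructed sample as of 2024-06-01."""
    return safe_harbor(SAMPLE_RECORD, "2024-06-01")


if __name__ == "__main__":
    clean, dropped = run_sample()
    print(clean)
    print("dropped:", dropped)
```

Note what the output does not contain: no birth year (the patient is over 89), no month or day of admission, and the ZIP collapses to "000" because "036" is in the constructed sparse set. Safe Harbor also requires that free-text fields such as clinical notes be scrubbed, which this example sidesteps by not allowlisting them at all.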
Covered Entities and Business Associates
A covered entity includes health plans, healthcare clearinghouses, and healthcare providers who transmit standard electronic transactions. These organizations create or receive PHI in the course of delivering care or managing benefits.
A business associate is any person or organization that performs services involving PHI for or on behalf of a covered entity—examples include billing companies, IT vendors, cloud storage providers, and consultants. Business associates (and their subcontractors) must follow HIPAA rules and sign a business associate agreement that defines permitted uses and disclosures.
Forms and Media of PHI
PHI spans all media. Paper records (charts, printouts, mailed bills), spoken information (consultations, voicemails), and electronic protected health information (EHR entries, emails, patient portals, backups, mobile devices, cloud systems) are all covered when tied to an individual.
Consumer-generated health data (e.g., from wellness apps or wearables) is PHI only when a covered entity or business associate creates, receives, maintains, or transmits it in connection with care or payment. The same data may be outside HIPAA if it never touches a covered entity’s or business associate’s systems.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Healthcare and Payment Data Scope
PHI includes three broad categories of content: health status data, details about the provision of healthcare, and information about payment for healthcare services. When identifiable, each of these categories is protected.
Examples by category
- Health status data: diagnoses, lab results, imaging, medications, allergies, clinical notes, mental health information.
- Provision of healthcare: treatment plans, surgical and therapy notes, referrals, care coordination messages, appointment schedules tied to a person.
- Payment for healthcare services: billing statements, claims, authorizations, explanations of benefits, guarantor information, and payer identifiers linked to an individual.
HIPAA Privacy Rule Overview
The HIPAA Privacy Rule sets national standards for how PHI may be used and disclosed. In general, covered entities may use or disclose PHI without authorization for treatment, payment, and healthcare operations, and for certain public interest purposes required or permitted by law.
Minimum necessary and authorizations
Except for disclosures for treatment, disclosures to the individual, and disclosures the individual has authorized, the minimum necessary standard applies: use, access, and disclose only what is reasonably needed for the purpose at hand, and limit workforce access by role accordingly. Uses or disclosures beyond HIPAA-permitted purposes require a valid, written authorization from the individual.
Individual rights
- Access and obtain copies of PHI (including electronic copies when available).
- Request amendments to PHI.
- Receive an accounting of certain disclosures.
- Request restrictions and confidential communications.
- Receive a Notice of Privacy Practices describing uses, rights, and contacts.
Compliance Requirements for PHI Handling
Organizations must establish policies and procedures, conduct risk analyses, and implement administrative, physical, and technical safeguards. Workforce training, sanctions for violations, and documentation are required, with records typically retained for at least six years.
Practical controls to protect PHI
- Role-based access, unique user IDs, and multi-factor authentication.
- Encryption in transit and at rest for electronic protected health information.
- Secure messaging and email; avoid unencrypted SMS for PHI.
- Audit logs, activity monitoring, and regular access reviews.
- Mobile device management, data loss prevention, and secure disposal of media.
- Use de-identification or limited data sets for analytics when possible, applying the minimum necessary standard.
- Execute and manage business associate agreements with all vendors handling PHI.
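The "audit logs, activity monitoring, and regular access reviews" control above, together with the minimum necessary standard, only pays off if someone actually runs checks over the logs. As an added example (not code from the original page or from Accountable), the script below runs three such checks over a constructed EHR access log: access to a patient with no documented treatment or payment relationship, an action outside what the user's role permits, and bulk access to many distinct patients within a short window. The log format, the relationship table and the role-to-action map are all assumptions for the example; a real EHR exposes these through its own audit and care-team data.

```python
"""Activity monitoring over an EHR access log (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, user, role, patient, action.
SAMPLE_LOG = """\
2024-06-01T08:01:10Z dr.lee    physician P1001 view
2024-06-01T08:03:44Z dr.lee    physician P1002 view
2024-06-01T08:05:02Z nurse.kim nurse     P1001 view
2024-06-01T08:06:30Z nurse.kim nurse     P2200 view
2024-06-01T09:00:00Z billing1  billing   P1001 view_claim
2024-06-01T09:00:05Z billing1  billing   P1002 view_claim
2024-06-01T09:00:09Z billing1  billing   P1003 view_claim
2024-06-01T09:00:12Z billing1  billing   P1004 view_claim
2024-06-01T09:00:15Z billing1  billing   P1005 view_claim
2024-06-01T09:00:18Z billing1  billing   P1006 view_claim
2024-06-01T09:01:00Z billing1  billing   P1007 view_notes
"""

# Constructed: which users have a treatment or payment relationship with which patients.
RELATIONSHIPS = {
    "dr.lee": {"P1001", "P1002"},
    "nurse.kim": {"P1001"},
    "billing1": {"P1001", "P1002", "P1003", "P1004", "P1005", "P1006", "P1007"},
}

# Constructed: the actions each role needs (minimum necessary, expressed per role).
ROLE_ACTIONS = {
    "physician": {"view", "edit"},
    "nurse": {"view", "edit"},
    "billing": {"view_claim"},
}

BULK_WINDOW = timedelta(minutes=1)
BULK_THRESHOLD = 5  # distinct patients within BULK_WINDOW


def parse_log(text):
    """Parse the whitespace-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "role": role, "patient": patient, "action": action,
        })
    return events


def find_findings(events, relationships, role_actions,
                  bulk_window=BULK_WINDOW, bulk_threshold=BULK_THRESHOLD):
    """Return a list of (finding_type, user, detail, ...) tuples."""
    findings = []
    for e in events:
        if e["patient"] not in relationships.get(e["user"], set()):
            findings.append(("no_relationship", e["user"], e["patient"], e["action"]))
        if e["action"] not in role_actions.get(e["role"], set()):
            findings.append(("action_outside_role", e["user"], e["patient"], e["action"]))

    # Bulk access: distinct patients touched by one user within a trailing window.
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda x: x["ts"])
        for i, e in enumerate(evs):
            recent = {x["patient"] for x in evs[:i + 1] if e["ts"] - x["ts"] <= bulk_window}
            if len(recent) >= bulk_threshold:
                findings.append(("bulk_access", user, len(recent), e["ts"].isoformat()))
                break  # one finding per user is enough to trigger review
    return findings


def run_sample():
    """Run all checks over the constructed sample log."""
    return find_findings(parse_log(SAMPLE_LOG), RELATIONSHIPS, ROLE_ACTIONS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the sample, the nurse's look at P2200 is flagged for lacking a relationship, the billing user's view of clinical notes is flagged as outside the billing role, and the same billing user's run through five claims in fifteen seconds trips the bulk threshold. The thresholds are deliberately parameters: what counts as bulk for a billing queue differs from what counts as bulk for a nurse, so tune them per role rather than hard-coding a single number.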
Breach response essentials
- Detect, contain, and investigate incidents quickly.
- Assess risk (nature of data, who received it, whether it was viewed/acquired, and mitigation taken).
- Provide required notifications: to affected individuals without unreasonable delay and no later than 60 days after discovery, to HHS, and, when a breach affects more than 500 residents of a state or jurisdiction, to prominent media outlets serving that area.
- Remediate root causes and update safeguards and training.
Conclusion
In HIPAA, PHI is identifiable information about health, care, or payment that is handled by a covered entity or business associate. Knowing the identifiers, where PHI lives, and how the HIPAA Privacy Rule governs use and disclosure helps you apply the minimum necessary, enforce safeguards, and meet compliance obligations consistently.
FAQs
What information is considered PHI under HIPAA?
PHI is individually identifiable health information related to health status, the provision of healthcare, or payment for healthcare services, created or received by a covered entity or business associate. If it includes any of HIPAA’s identifiers and can identify the person, it is PHI.
How does HIPAA protect electronic PHI?
Electronic PHI is protected through required administrative, physical, and technical safeguards—such as access controls, authentication, audit logging, and encryption—alongside policies, training, and the minimum necessary standard. These measures limit improper use or disclosure and reduce security risks.
Who is responsible for safeguarding PHI?
Covered entities and business associates are directly responsible for protecting PHI, and their workforce members must follow policies and training. Subcontractors that handle PHI on their behalf also share responsibility through business associate agreements.
What types of data are included in PHI?
PHI spans health status data (e.g., diagnoses, labs), information about care delivery (e.g., treatment notes, referrals), and payment-related details (e.g., claims, billing). When any of these are linked to HIPAA identifiers—names, contact information, dates, account numbers, and more—they are protected as PHI.