What Does HIPAA Protect? PHI in Any Format—Oral, Paper, and Electronic
HIPAA protects protected health information (PHI) wherever it lives or travels—spoken in a clinic, printed on paper, or stored and transmitted electronically. If you handle patient data, understanding what HIPAA covers and how to safeguard it is essential for compliance and patient trust.
HIPAA Privacy Rule Scope
The HIPAA Privacy Rule governs how covered entities—health plans, healthcare clearinghouses, and most healthcare providers—and their business associates use and disclose PHI. It applies to PHI in any format: oral, paper, and electronic (ePHI).
Use and disclosure are permitted without authorization for treatment, payment, and healthcare operations (TPO), certain public-interest purposes, and when required by law. For most other uses and disclosures, you need a valid, written authorization from the individual.
HIPAA’s minimum necessary standard requires you to limit PHI to the least amount needed to accomplish the task, except for treatment, disclosures to the individual, or where otherwise exempt. Business associate agreements extend Privacy Rule obligations to vendors who handle PHI on your behalf.
Definition of Protected Health Information
PHI is Individually Identifiable Health Information that relates to a person’s past, present, or future physical or mental health or condition, the care provided, or payment for that care, when held or transmitted by a covered entity or business associate. “Individually identifiable” means the data can identify the person or there is a reasonable basis to believe it can.
Common identifiers that make information PHI
- Names and contact details (addresses, phone numbers, email addresses)
- Geographic details smaller than a state and most ZIP codes
- Dates directly related to an individual (birth, admission, discharge, death; ages over 89)
- Social Security, medical record, and health plan beneficiary numbers
- Account, certificate, and license numbers
- Vehicle and device identifiers and serial numbers
- Web URLs and IP addresses
- Biometric identifiers (fingerprints, voiceprints)
- Full-face photos and comparable images
- Any other unique identifying number, characteristic, or code
Safeguards for PHI
Administrative Safeguards
Conduct a risk analysis, assign a privacy and security official, implement policies and workforce training, manage vendor risk with business associate agreements, and apply sanctions for violations. Regular audits and contingency planning help sustain compliance.
Physical Safeguards
Control facility access, secure workstations, and protect devices and media. Use locked areas, screen privacy, device encryption at rest where feasible, and documented processes for disposal and re-use of hardware that may contain PHI.
Technical Safeguards
Enforce unique user access, role-based permissions, and multi-factor authentication where appropriate. Maintain audit logs, integrity controls, and transmission security (such as encryption in transit) to protect electronic PHI under the Security Rule’s Technical Safeguards.
Breach Response
Have procedures to detect, investigate, mitigate, and report incidents. If unsecured PHI is breached, notify affected individuals and regulators as required by the Breach Notification Rule, and document actions taken to prevent recurrence.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Individual Rights under HIPAA
- Access and obtain copies of PHI in the requested form and format when readily producible, generally within 30 days (one 30‑day extension permitted).
- Request amendments to PHI; if denied, receive a written explanation and the right to submit a statement of disagreement.
- Receive an Accounting of Disclosures of PHI for the prior six years (with specified exceptions), typically within 60 days (one 30‑day extension permitted).
- Request restrictions on certain uses/disclosures; a provider must honor a restriction to a health plan when the individual pays out-of-pocket in full for the service and it is practicable to do so.
- Request confidential communications (for example, alternate addresses or secure email) and receive a Notice of Privacy Practices explaining how PHI is used and your rights.
- File complaints without retaliation if you believe privacy rights were violated.
Documentation of Disclosures
Maintain records necessary to produce an accurate Accounting of Disclosures. Track disclosures that require accounting—such as certain public health, law enforcement, health oversight, and research disclosures made without authorization—and exclude those that do not (for example, TPO and disclosures to the individual).
Each entry should include the date, recipient, a brief description of the PHI disclosed, and the purpose or legal basis. For recurring disclosures to the same recipient for a single purpose, summarize the frequency and range of dates.
Respond to accounting requests within 60 days (one 30‑day extension permitted). Provide the first accounting in any 12‑month period at no charge; reasonable, cost‑based fees may apply to additional requests. Retain related policies, logs, authorizations, and notices for at least six years.
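The record-keeping rules above, worked as a small disclosure log: deciding which disclosures need accounting, computing the 60-day (plus one 30-day extension) response deadline, applying the six-year window, and collapsing recurring disclosures to one recipient for one purpose into a count and date range. This is an added illustration, not code from the page or from Accountable; the field names, purpose labels and sample entries are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Purposes exempt from accounting (page: TPO and disclosures to the individual).
EXEMPT_PURPOSES = {"treatment", "payment", "operations", "to_individual"}
WINDOW_YEARS, RESPONSE_DAYS, EXTENSION_DAYS = 6, 60, 30

@dataclass(frozen=True)
class Disclosure:             # constructed field names, not a standard schema
    when: date
    recipient: str
    phi: str                  # brief description of the PHI disclosed
    purpose: str              # e.g. "public_health", "law_enforcement", "treatment"
    authorized: bool = False  # made under the individual's written authorization

def requires_accounting(d: Disclosure) -> bool:
    """TPO, disclosures to the individual and authorized disclosures are excluded."""
    return d.purpose not in EXEMPT_PURPOSES and not d.authorized

def response_deadline(received: date, extended: bool = False) -> date:
    """60 days to respond, plus one 30-day extension if it is claimed."""
    return received + timedelta(days=RESPONSE_DAYS + (EXTENSION_DAYS if extended else 0))

def years_before(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year - years)
    except ValueError:        # 29 February in a non-leap year
        return d.replace(year=d.year - years, day=28)

def build_accounting(log, request_date: date) -> list:
    """Entries in the six-year window; recurring disclosures to one recipient
    for one purpose collapse into a single line with a count and date range."""
    start = years_before(request_date, WINDOW_YEARS)
    groups = defaultdict(list)
    for d in log:
        if start <= d.when <= request_date and requires_accounting(d):
            groups[(d.recipient, d.purpose, d.phi)].append(d.when)
    return [{"recipient": r, "purpose": p, "phi": phi, "count": len(ds),
             "first": min(ds).isoformat(), "last": max(ds).isoformat()}
            for (r, p, phi), ds in sorted(groups.items())]

SAMPLE_LOG = [  # constructed sample entries
    Disclosure(date(2024, 1, 10), "State Health Dept", "immunization record", "public_health"),
    Disclosure(date(2024, 2, 10), "State Health Dept", "immunization record", "public_health"),
    Disclosure(date(2024, 3, 10), "State Health Dept", "immunization record", "public_health"),
    Disclosure(date(2024, 2, 1), "Dr. Example", "visit notes", "treatment"),
    Disclosure(date(2017, 6, 1), "Research Group", "lab results", "research"),
    Disclosure(date(2024, 5, 5), "Insurer", "claims summary", "payment", authorized=True),
]
```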
Exclusions from HIPAA
De-identified Health Information is not PHI. You can de‑identify data by removing specified identifiers (safe harbor) or through expert determination that the risk of re‑identification is very small. A limited data set—PHI stripped of direct identifiers—may be used for research, public health, or operations under a data use agreement.
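The safe-harbor route, applied to a constructed patient record using the identifier list given earlier on this page. This is an added example, not code from the page or from Accountable; the field names, the sample record and the set of sparsely populated ZIP prefixes are assumptions. It carries the safe-harbor rules slightly beyond the page's wording: dates keep only the year, ages over 89 collapse to "90+", and ZIP codes keep three digits unless the three-digit area holds 20,000 people or fewer.

```python
import re
from datetime import date

# Direct identifiers removed outright (the page's identifier list, as field names).
DIRECT_IDENTIFIERS = {
    "name", "address", "phone", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "photo",
}
# Constructed assumption: ZIP3 areas with 20,000 people or fewer, which must
# collapse to "000". In practice these come from census population data.
SMALL_ZIP3_AREAS = {"036", "059", "102"}

def deidentify_zip(zip_code: str) -> str:
    """Keep the three-digit prefix, or '000' for sparsely populated areas."""
    zip3 = re.sub(r"\D", "", zip_code)[:3]
    return "000" if len(zip3) < 3 or zip3 in SMALL_ZIP3_AREAS else zip3

def deidentify_age(age: int) -> str:
    """Ages over 89 are aggregated into a single '90+' category."""
    return "90+" if age > 89 else str(age)

def deidentify_date(d: date) -> str:
    """All elements of a date except the year are removed."""
    return str(d.year)

def deidentify(record: dict) -> dict:
    """Return a safe-harbor de-identified copy of a structured record.
    Free-text fields are not inspected; they still need human review for
    'any other unique identifying number, characteristic, or code'."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            out[key] = deidentify_zip(value)
        elif key == "age":
            out[key] = deidentify_age(value)
        elif isinstance(value, date):
            out[key] = deidentify_date(value)
        else:
            out[key] = value
    return out

SAMPLE = {  # constructed sample record
    "name": "Jane Q. Sample", "mrn": "MRN-000123", "email": "jane@example.com",
    "zip": "02139", "age": 91, "admission_date": date(2023, 4, 17),
    "diagnosis_code": "J18.9",
}
```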
HIPAA also excludes certain records and entities. Education records and some student treatment records covered by FERPA, and employment records held by a covered entity in its role as employer, are not PHI. HIPAA protects a decedent’s PHI for 50 years after death; beyond that, the data is no longer PHI.
Consumer health apps, wearables, and services that are not covered entities or business associates generally fall outside HIPAA, though other laws may apply. Always verify whether the organization handling the data is subject to HIPAA before sharing PHI.
Bottom line: HIPAA protects PHI in any format by defining what counts as Individually Identifiable Health Information, limiting when it may be used or disclosed, and requiring Administrative, Physical, and Technical Safeguards—paired with strong individual rights and documentation duties.
FAQs
What types of information are protected under HIPAA?
HIPAA protects PHI—any Individually Identifiable Health Information related to health, care, or payment—when held or transmitted by a covered entity or business associate. It includes identifiers such as names, contact details, medical record numbers, and images, across oral, paper, and electronic formats.
How does HIPAA protect electronic health information?
Electronic PHI is safeguarded by the Security Rule’s Administrative, Physical, and Technical Safeguards. Practical measures include role-based access, multi-factor authentication, audit logging, encryption in transit (and at rest where appropriate), device/media controls, workforce training, and documented incident response.
What rights do individuals have under HIPAA?
You have rights to access and receive copies of your PHI, request amendments, obtain an Accounting of Disclosures, ask for restrictions and confidential communications, receive a Notice of Privacy Practices, and file complaints without retaliation. Deadlines typically include 30 days for access and 60 days for accounting.
When does HIPAA not apply to health information?
HIPAA does not apply to De-identified Health Information, FERPA-covered education records, certain employment records, and data held by entities that are not covered entities or business associates. PHI of a person deceased more than 50 years is also outside HIPAA’s scope.