What Does PHI Include Under HIPAA? A Context‑First Inclusion Test With Exceptions and De‑Identification Rules



Kevin Henry

HIPAA

February 01, 2024

7 minute read

Definition of PHI Under HIPAA

The context‑first inclusion test

Under the HIPAA Privacy Rule, protected health information (PHI) is individually identifiable health information, in any form or medium (electronic, paper, or oral), that is held or transmitted by a covered entity or its business associate and relates to an individual's past, present, or future physical or mental health or condition, the provision of healthcare to the individual, or payment for that care. The context in which the data exists is decisive: the same facts can be PHI in one hand and ordinary personal data in another.

  • Does the information relate to health, care, or payment?
  • Could it identify the individual (directly or indirectly)?
  • Is it created, received, maintained, or transmitted by a covered entity or business associate?

If all three answers are yes, you are handling PHI. If any answer is no, and the covered-entity context is the one most often missed, the same facts may fall outside HIPAA (though other privacy laws may still apply).

Who is a covered entity?

Covered entities are health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with HIPAA standard transactions (claims, eligibility checks, and the like). Business associates create, receive, maintain, or transmit PHI on behalf of covered entities. When either kind of party handles identifiable health data, HIPAA applies.

PHI and the Designated Record Set

Many PHI use and access rights attach to the Designated Record Set—records used to make decisions about individuals (for example, medical records and billing records). PHI is broader than the Designated Record Set, but that set is central to access, amendment, and accounting workflows.

Quick examples

  • Lab results stored in an EHR with a medical record number: PHI.
  • Heart‑rate data in a consumer app with no connection to a covered entity: not PHI.
  • The same app, deployed by a hospital under a business associate agreement: PHI.

Identifiers Included in PHI

When linked to health information in a covered‑entity context, the following identifiers make data PHI. Removing them is central to de‑identification strategies.

  • Names.
  • Geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code, and equivalent geocodes). The first three digits of a ZIP code may be retained only if the area formed by all ZIP codes sharing those digits contains more than 20,000 people according to current Census data; otherwise the three digits become 000.
  • All elements of dates (except year) directly related to an individual (birth, admission, discharge, death), and all ages over 89 together with any date elements, including year, that indicate such an age, unless aggregated into a single "90 or older" category.
  • Telephone numbers.
  • Fax numbers.
  • Email addresses.
  • Social Security numbers.
  • Medical record numbers.
  • Health plan beneficiary numbers.
  • Account numbers.
  • Certificate or license numbers.
  • Vehicle identifiers and serial numbers, including license plates.
  • Device identifiers and serial numbers.
  • Web URLs (Uniform Resource Locators).
  • IP addresses.
  • Biometric identifiers (for example, fingerprints, voiceprints, retinal or iris scans).
  • Full‑face photographs and comparable images.
  • Any other unique identifying number, characteristic, or code, or combination of attributes that could identify the person.

Note that a single identifier can be PHI on its own when the context reveals a relationship to healthcare: a roster of patient names at an oncology clinic discloses that each named person is a patient there, even with no diagnosis or date attached.


Exceptions to PHI Coverage

Information that is not PHI under HIPAA

  • De‑identified information (meeting HIPAA de‑identification standards).
  • Employment records held by a covered entity in its role as employer.
  • Education records covered by FERPA and certain student treatment records maintained by schools.
  • Information about a person deceased for more than 50 years.
  • Consumer health data collected by entities that are not covered entities or business associates (for example, many direct‑to‑consumer apps without a HIPAA nexus).
  • Aggregated statistics that cannot identify an individual. For a covered entity, aggregates count as de‑identified only if they meet one of the two de‑identification standards below; small cell counts (for example, a single patient in a ZIP‑by‑diagnosis table) can still identify someone.

Clarifications

  • A Limited Data Set is still PHI (with fewer identifiers) and requires a data use agreement; it is not a full exception.
  • State privacy laws and other federal rules may still apply even when HIPAA does not.

De-Identification Standards

Two De‑Identification Methods under the HIPAA Privacy Rule

  • Safe Harbor: Remove the 18 identifiers listed above for the individual and for the individual's relatives, employers, and household members, and have no actual knowledge that the remaining information could identify the individual. Dates must be generalized (for example, year only), ages over 89 must be aggregated, and geographic detail must follow the ZIP‑code rule.
  • Expert Determination: A person with appropriate statistical and scientific knowledge applies generally accepted principles to determine, and documents, that the risk of re‑identification by an anticipated recipient is very small. This path permits techniques Safe Harbor does not (for example, retaining full dates or finer geography when the expert's analysis supports it).

Re‑identification controls

  • You may assign a code to re‑identify records later, but the code must not be derived from or related to information about the individual (so an unkeyed hash of a name or Social Security number does not qualify), must not otherwise be translatable to identify the individual, and neither the code nor the re‑identification mechanism may be used or disclosed for any other purpose.
  • Limited Data Sets permit certain elements that Safe Harbor removes (dates, and city, state, and ZIP‑level geography) for research, public health, and healthcare operations under a data use agreement.

Practical De‑Identification Methods

  • Generalize or bin dates and ages; suppress small‑cell counts in any aggregate output.
  • Mask or tokenize direct identifiers. For internal linkage, pseudonymize with a keyed hash (HMAC) or an encrypted lookup table whose key is stored outside the dataset; a salt that travels with the data is not a secret, and the resulting code is still derived from the identifier.
  • Review free text (clinical notes, dictation transcripts, image and audio metadata) for embedded identifiers, and images and audio for biometric identifiers.
  • Validate outputs with expert review and re‑identification testing against realistic linkage sources (public records, voter files, other datasets the recipient holds).
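The following is an added example, not code from the original article or from Accountable, showing the Safe Harbor mechanics described in the identifier list and in the practical methods above applied to a constructed patient record: ZIP truncation with the 20,000‑person rule, dates reduced to year, the over‑89 age rule (which also removes the birth year), an HMAC re‑identification code whose key stays outside the dataset, and a regex pass over free text. The set of sparse three‑digit ZIP prefixes, the record layout, the sample values, and the key are all assumptions made for the example; the real prefix list must come from Census data.

```python
"""Safe Harbor-style de-identification of a flat patient record (added example)."""
import hashlib
import hmac
import re
from datetime import date

# Constructed placeholder: 3-digit ZIP prefixes whose combined area holds
# 20,000 or fewer people. Illustrative values only; use Census data in practice.
SPARSE_ZIP3 = frozenset({"036", "059", "102"})

# Keys of the constructed input record that are direct identifiers and must
# never be copied to the output.
DIRECT_IDENTIFIERS = ("name", "mrn", "ssn", "phone", "email", "address")

# Identifier-shaped substrings in free text. Order matters: SSN runs first so
# the phone pattern cannot consume part of one.
FREE_TEXT_PATTERNS = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone", re.compile(r"\b(?:\d{3}-)?\d{3}-\d{4}\b")),
    ("email", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("date", re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b")),
]

AS_OF = date(2024, 2, 1)  # reference date for computing ages (assumed)


def zip_safe_harbor(zip_code, sparse_zip3=SPARSE_ZIP3):
    """Keep the first three ZIP digits, or 000 when that prefix's area has
    20,000 or fewer people (the Safe Harbor geographic rule)."""
    prefix = re.sub(r"\D", "", zip_code or "")[:3]
    if len(prefix) < 3 or prefix in sparse_zip3:
        return "000"
    return prefix


def years_between(earlier, later):
    """Whole years elapsed between two dates (age at `later`)."""
    years = later.year - earlier.year
    if (later.month, later.day) < (earlier.month, earlier.day):
        years -= 1
    return years


def generalize_age(age):
    """Ages over 89 collapse into the single '90+' category."""
    return "90+" if age > 89 else age


def reid_token(identifier, secret):
    """Keyed-hash (HMAC-SHA256) re-identification code. With the key withheld
    the code cannot be recomputed from the identifier; an unkeyed or
    publicly-salted hash of the MRN would still be derived from it."""
    return hmac.new(secret, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def scrub_free_text(text):
    """Replace identifier-shaped substrings in a note with bracketed labels."""
    for label, pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub(f"[{label}]", text)
    return text


def safe_harbor(record, secret, as_of=AS_OF, sparse_zip3=SPARSE_ZIP3):
    """Build a Safe Harbor-style output row: clinical fields kept, dates cut
    to year, ZIP and over-89 rules applied, direct identifiers dropped."""
    age = years_between(record["dob"], as_of)
    over_89 = age > 89
    out = {
        "reid_code": reid_token(record["mrn"], secret),
        "zip3": zip_safe_harbor(record["zip"], sparse_zip3),
        # Over 89, even the birth year indicates the age and must go.
        "birth_year": None if over_89 else record["dob"].year,
        "admit_year": record["admitted"].year,
        "age": generalize_age(age),
        "sex": record["sex"],
        "diagnosis": record["diagnosis"],
        "note": scrub_free_text(record["note"]),
    }
    assert not any(key in out for key in DIRECT_IDENTIFIERS)
    return out


# Constructed sample records with fictional values.
SAMPLE_ELDERLY = {
    "name": "Jane Q. Sample", "mrn": "MRN-0001234", "ssn": "123-45-6789",
    "dob": date(1931, 6, 15), "admitted": date(2023, 11, 3), "zip": "03601",
    "sex": "F", "diagnosis": "E11.9",
    "note": "SSN 123-45-6789 on file; reached at 555-0100; email jane@example.com; recheck 12/01/2023.",
}
SAMPLE_ADULT = {
    "name": "John Sample", "mrn": "MRN-0005678", "ssn": "987-65-4321",
    "dob": date(1985, 3, 20), "admitted": date(2024, 1, 12), "zip": "10001-1234",
    "sex": "M", "diagnosis": "J45.20", "note": "No identifiers in this note.",
}

if __name__ == "__main__":
    key = b"constructed-demo-key-never-stored-with-the-data"
    for rec in (SAMPLE_ELDERLY, SAMPLE_ADULT):
        print(safe_harbor(rec, key))
```

The regex pass is a floor, not a ceiling: names, addresses, and dates written out in words pass through it untouched, which is why the practical methods above pair automated scrubbing with expert review. The HMAC key is the re‑identification mechanism the Rule says you must not disclose; keep it in a separate system from the de‑identified output.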

Importance of PHI Compliance

Strong PHI governance safeguards patients, reduces legal and financial risk, and enables responsible data use. You apply the minimum necessary standard to uses, disclosures, and requests, document uses and disclosures, and respect the patient rights tied to the Designated Record Set (access, amendment, and accounting of disclosures).

  • Trust and reputation: transparent privacy practices increase patient engagement and data quality.
  • Operational resilience: clear policies, access controls, and audit trails reduce breach likelihood and speed response.
  • Strategic value: compliant de‑identification unlocks research and analytics without exposing individuals.

Impact of PHI on Healthcare Operations

Workflows and data flows

Technology and vendors

  • Map systems that store or transmit PHI (EHRs, patient portals, imaging, claims, telehealth) and enforce role‑based access with audit logging and break‑glass rules.
  • Sign business associate agreements with cloud, analytics, revenue cycle, and messaging vendors; manage downstream subcontractors.

Analytics and quality improvement

  • Use Limited Data Sets or fully de‑identified datasets to support population health, quality metrics, and cost‑of‑care initiatives.
  • Apply data retention and disposal schedules that respect clinical, legal, and operational needs.

Enforcement and penalties

  • Civil monetary penalties follow a four‑tier framework (ranging from lack of knowledge to willful neglect not corrected) and can scale significantly with violation counts and duration.
  • Criminal penalties apply for knowing misuse of PHI, with higher penalties for false pretenses and for use or disclosure for commercial advantage, personal gain, or malicious harm.
  • State attorneys general can bring actions, and parallel state privacy or data‑breach statutes may also apply.
  • Breach notification obligations trigger individual notices without unreasonable delay (no later than 60 days after discovery), media notice when a breach affects more than 500 residents of a state or jurisdiction, and reporting to HHS (promptly for breaches of 500 or more individuals, annually for smaller ones).
  • Contractual exposure includes business associate agreement remedies, indemnities, and termination rights.

Bottom line: treat PHI as context‑bound, identify the relevant exceptions, and use robust de‑identification where appropriate. Doing so fulfills the HIPAA Privacy Rule, protects individuals, and enables sustainable, compliant data use across care, payment, and operations.

FAQs

What types of information are considered PHI under HIPAA?

PHI is any individually identifiable health information held by a covered entity or business associate that relates to an individual’s health status, care provided, or payment. It spans all media—paper, electronic, and oral—and includes clinical notes, lab results, claims, prescriptions, appointment logs, images, and patient communications when identifiable through the 18 identifiers (such as a medical record number or Health Plan Beneficiary Number).

What are the key exceptions to what constitutes PHI?

PHI does not include de‑identified data, employment records held by an employer, FERPA‑covered education records, information about individuals deceased more than 50 years, and data collected by entities that are not covered entities or business associates (for example, many consumer apps without a HIPAA connection). Remember, a Limited Data Set is still PHI and requires a data use agreement.

How is de-identified health information treated under HIPAA?

Once data meet HIPAA de‑identification standards—via Safe Harbor (removing the 18 identifiers) or Expert Determination showing very small re‑identification risk—it is no longer regulated as PHI. You may use a non‑derivable code for internal re‑identification, and you must protect that key. Limited Data Sets permit certain fields (like dates and broader geography) under a data use agreement but remain PHI.

What are the risks of non-compliance with PHI regulations?

Risks include substantial civil penalties under the four‑tier framework, potential criminal liability for knowing misuse, mandatory breach notifications with remediation costs, contractual damages under business associate agreements, and loss of patient trust. Effective governance, clear policies, and sound de‑identification methods reduce these risks while supporting care delivery and analytics.
