What Information Does HIPAA Protect? A Practical Decision Tree to Identify PHI vs. Non‑PHI
Defining Protected Health Information
Under HIPAA, protected health information (PHI) is individually identifiable health information created or received by a covered entity or its business associate that relates to a person’s health status, health care, or payment for health care. PHI can exist in any form—electronic, paper, or oral—and is central to health information privacy.
Covered entities include health plans, most health care providers, and health care clearinghouses. Business associates are vendors that handle PHI on behalf of a covered entity. When either group can link health status data to a person, HIPAA’s safeguards apply.
Typical PHI examples include medical records, lab results tied to a patient, appointment schedules containing names, and billing files. If data cannot identify an individual, or is truly de-identified, it falls outside PHI. This distinction drives every PHI risk assessment and your HIPAA compliance criteria.
Evaluating Health-Related Data
Start by confirming that the data concerns health. HIPAA covers information about physical or mental health conditions, the provision of care, and health care payment data. That includes clinical measurements, diagnoses, prescriptions, images, device readings, and derived indicators such as risk scores or care gaps—when linkable to a person.
Context matters. The same data element can be PHI in one setting and not in another. A glucose value associated with a patient chart is PHI; the same value presented as an aggregated benchmark without identifiers is not. Keep the use case front and center to maintain health status data protection.
Common inclusions
- Clinical data: vitals, lab values, imaging reports, problem lists, care plans.
- Operational data: appointment times, provider notes, referrals, prior authorizations.
- Payment data: claim lines, coverage details, subscriber numbers, remittance advice.
Common exclusions
- De-identified datasets meeting HIPAA’s standards.
- Employment records held by a covered entity in its role as employer.
- Education records protected by FERPA.
- Consumer-generated wellness data held by apps that are not acting for a covered entity or business associate (other laws may still apply).
Assessing Identification Potential
Next, determine whether the data is individually identifiable. Information identifies a person if it directly names them or if there is a reasonable basis to believe the person could be identified from the data alone or in combination with other information. Patient identity safeguards aim to reduce that re-identification risk.
The 18 direct identifiers under HIPAA’s Safe Harbor
- Names.
- Geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code and equivalent), with limited ZIP exceptions.
- All elements of dates (except year) directly related to an individual (e.g., birth, admission, discharge, death), and all ages over 89 (including any date that would reveal such an age), except that ages over 89 may be aggregated into a single 90+ category.
- Telephone numbers.
- Fax numbers.
- Email addresses.
- Social Security numbers.
- Medical record numbers.
- Health plan beneficiary numbers.
- Account numbers.
- Certificate/license numbers.
- Vehicle identifiers and serial numbers, including license plates.
- Device identifiers and serial numbers.
- Web URLs.
- IP addresses.
- Biometric identifiers (e.g., fingerprints, voice prints).
- Full-face photographs and comparable images.
- Any other unique identifying number, characteristic, or code.
De-identification options
- Safe Harbor: remove all 18 identifiers, and the covered entity has no actual knowledge that the remaining information could be used, alone or in combination, to identify the individual.
- Expert Determination: a qualified expert applies accepted methods to conclude the risk is very small and documents the process.
A limited data set (LDS) removes direct identifiers but may retain certain dates and general locations (city, state, ZIP). An LDS requires a data use agreement and remains regulated; it is not fully de-identified.
Applying the PHI Decision Tree
Step 1 — Who holds or created the data?
Is the data created, received, maintained, or transmitted by a covered entity or business associate? If no, HIPAA may not apply; proceed cautiously because other laws can still govern.
Step 2 — Is the content health-related?
Does it describe health status, care delivery, or payment for care? If not, it is likely Non‑PHI. If yes, continue.
Step 3 — Can an individual be identified?
Does the dataset contain direct identifiers, unique combinations, or small-cell details that reasonably identify a person? If yes, it is PHI. If identification is not reasonably possible, continue.
Step 4 — Was de-identification applied?
- If Safe Harbor or Expert Determination standards are met, treat the data as Non‑PHI.
- If it is a Limited Data Set, apply the DUA and HIPAA requirements accordingly.
Step 5 — Classify and act
- PHI: apply HIPAA compliance criteria (privacy, security, breach notification) and minimum necessary standards.
- Non‑PHI: manage responsibly; consider contracts and other privacy laws, but HIPAA may not govern.
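To make the Safe Harbor identifier list and Steps 1 through 5 concrete, the following Python script is an added example; it is not code from the original article or from Accountable. The column names, the value patterns, and the two sample records are constructed assumptions, and the "unique combinations or small-cell details" judgment in Step 3 (plus Expert Determination and the DUA) is passed in as analyst flags rather than detected, because those calls depend on context the data alone does not carry.

```python
import re

# Column names mapped onto HIPAA's 18 Safe Harbor identifier categories.
# Constructed for this example; a real inventory maps each column of your
# own schema to a category explicitly instead of guessing from names.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "precinct", "zip",
    "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "photo", "other_unique_code",
}
# Dates related to the individual: only the year may survive Safe Harbor.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date", "date_of_service"}
# Elements a limited data set may retain (dates plus city/state/ZIP).
LDS_PERMITTED = DATE_FIELDS | {"city", "state", "zip"}

# Value patterns that catch an identifier stored under an unexpected column name.
VALUE_PATTERNS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "ip_address": re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$"),
    "phone": re.compile(r"^\+?\d[\d\-\s()]{6,}\d$"),
}


def find_identifiers(record):
    """Return the field names in `record` that carry a Safe Harbor identifier.

    A value-pattern hit is reported as "<field> (looks like <category>)".
    """
    hits = []
    for key, value in record.items():
        if value in (None, ""):
            continue
        if key in DIRECT_IDENTIFIER_FIELDS or key in DATE_FIELDS:
            hits.append(key)
            continue
        if isinstance(value, str):
            for category, pattern in VALUE_PATTERNS.items():
                if pattern.match(value):
                    hits.append(f"{key} (looks like {category})")
                    break
    return hits


def safe_harbor_deidentify(record):
    """Drop the 18 categories, keep only the year of dates, and collapse ages
    over 89 (and a birth date that would reveal such an age) to 90+."""
    flagged = {h.split(" ")[0] for h in find_identifiers(record)}
    over_89 = isinstance(record.get("age"), int) and record["age"] > 89
    out = {}
    for key, value in record.items():
        if key in DATE_FIELDS:
            if key == "dob" and over_89:
                continue  # the birth year alone would reveal an age over 89
            out[f"{key}_year"] = str(value)[:4]  # assumes ISO YYYY-MM-DD input
        elif key in flagged:
            continue
        elif key == "age" and over_89:
            out[key] = "90+"
        else:
            out[key] = value
    return out


def classify(record, *, held_by_covered_entity_or_ba, health_related,
             expert_determination=False, dua_in_place=False,
             actual_knowledge_of_reidentification=False):
    """Walk Steps 1-5 of the decision tree; returns (label, reason)."""
    # Step 1: who holds or created the data?
    if not held_by_covered_entity_or_ba:
        return "OUT_OF_HIPAA_SCOPE", "not held by a covered entity or business associate"
    # Step 2: is the content health-related?
    if not health_related:
        return "NON_PHI", "content is not health status, care, or payment data"
    # Step 3: can an individual be identified?
    hits = find_identifiers(record)
    direct = [h for h in hits if h.split(" ")[0] not in LDS_PERMITTED]
    if direct:
        return "PHI", "direct identifiers present: " + ", ".join(direct)
    # Step 4: was de-identification applied?
    if expert_determination:
        return "NON_PHI", "documented Expert Determination on file"
    if hits:  # only dates and city/state/ZIP remain: limited data set territory
        if dua_in_place:
            return "LIMITED_DATA_SET", "retains " + ", ".join(hits) + "; DUA governs use"
        return "PHI", "retains " + ", ".join(hits) + " with no data use agreement"
    if actual_knowledge_of_reidentification:
        return "PHI", "Safe Harbor not met: actual knowledge of re-identification risk"
    # Step 5: classify and act
    return "NON_PHI", "Safe Harbor met: no identifiers remain"


# Constructed sample records (not real patients).
PATIENT_RECORD = {
    "name": "Jane Example", "mrn": "MRN-0001234", "dob": "1931-04-09",
    "admission_date": "2023-11-02", "zip": "02139", "age": 92,
    "diagnosis_code": "E11.9", "glucose_mg_dl": 154,
    "contact": "617-555-0100",  # a phone number under a non-obvious column name
}
LDS_RECORD = {
    "city": "Cambridge", "state": "MA", "admission_date": "2023-11-02",
    "diagnosis_code": "E11.9", "glucose_mg_dl": 154,
}

if __name__ == "__main__":
    print(find_identifiers(PATIENT_RECORD))
    print(classify(PATIENT_RECORD, held_by_covered_entity_or_ba=True, health_related=True))
    print(classify(safe_harbor_deidentify(PATIENT_RECORD),
                   held_by_covered_entity_or_ba=True, health_related=True))
    print(classify(LDS_RECORD, held_by_covered_entity_or_ba=True,
                   health_related=True, dua_in_place=True))
```

The scan deliberately over-flags: a column named `contact` holding a phone number is caught by its value, and a 92-year-old's birth year is dropped along with the other date elements. A false positive costs a review; a missed identifier in a dataset released as "de-identified" is a reportable breach.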
Differentiating PHI from Non-PHI
PHI examples
- Pathology report with patient name and date of service.
- Appointment schedule tied to phone numbers or emails.
- EOBs and claims containing subscriber IDs and diagnosis codes.
- Device telemetry linked to a medical record number.
Non-PHI examples
- Aggregated quality metrics with no individual-level detail.
- De-identified datasets meeting Safe Harbor or Expert Determination.
- Employment records kept by a hospital’s HR department.
- Education records covered by FERPA.
Ambiguities are common. When in doubt, conduct a documented PHI risk assessment that examines identifiability, data linkages, recipient context, and plausible re-identification pathways.
Understanding Health Care Payment Information
Payment information is PHI when it relates to health care payment for a specific person and is handled by a covered entity or business associate. Typical health care payment data includes claim forms, billing statements, prior authorization details, remittance advice, and subscriber or group plan identifiers tied to an individual.
Distinguish between general payment tools and health payment context. A standalone credit card number collected by a hospital’s gift shop is not PHI (though it is protected by payment security standards). The same card number embedded in a patient billing record that itemizes medical services becomes part of PHI because it links to the person and their care.
Apply the minimum necessary principle to payment workflows. Limit access to staff who need it, mask or tokenize sensitive fields when feasible, and implement patient identity safeguards to prevent mis-posting or cross-account errors.
Ensuring Compliance with HIPAA Guidelines
Effective compliance aligns people, process, and technology. Start with a recurring PHI risk assessment that inventories data, maps flows, classifies identifiability, and evaluates threats across the data lifecycle—from collection and use to storage, sharing, and disposal.
Core HIPAA compliance criteria
- Administrative safeguards: risk analysis, policies and procedures, workforce training, sanctions, contingency plans, and vendor management with business associate agreements.
- Physical safeguards: facility access controls, device/media controls, and secure disposal.
- Technical safeguards: unique user access, multi-factor authentication, role-based permissions, encryption in transit and at rest, audit controls, and integrity monitoring.
Operational best practices
- Apply the minimum necessary standard to uses, disclosures, and queries.
- Segment PHI from Non‑PHI; use data tokenization and pseudonymization where appropriate.
- Establish data retention schedules and secure destruction processes.
- Test incident response and breach notification procedures regularly.
- Monitor logs for anomalous access; review patient access requests promptly and accurately.
Summary: To decide what information HIPAA protects, verify the holder (covered entity/BA), confirm the health-related purpose, and assess identifiability. If health data can be linked to a person, it is PHI and must be safeguarded; if properly de-identified, it is Non‑PHI. Consistent application of this decision tree, combined with strong patient identity safeguards and ongoing risk assessments, keeps your program compliant and trustworthy.
FAQs
What types of information qualify as PHI under HIPAA?
PHI includes any individually identifiable health information about a person’s past, present, or future health status, health care, or payment for that care when handled by a covered entity or business associate. It spans clinical details (diagnoses, labs), administrative data (appointments, referrals), and financial records (claims, EOBs) when linked to the individual.
How can one determine if data is individually identifiable?
Ask whether the data directly contains an identifier (such as a name or medical record number) or whether a reasonable person could re-identify the individual using the data alone or with other accessible information. If yes, it is individually identifiable health information. Removal of HIPAA’s 18 identifiers or an expert’s documented determination can render data de-identified.
Does HIPAA protect mental health information?
Yes. Mental and behavioral health information is PHI when identifiable and held by a covered entity or business associate. Psychotherapy notes receive additional protections, and disclosures typically require specific authorization beyond standard treatment, payment, and health care operations exceptions.
How is payment information treated under HIPAA?
Payment information is PHI when it documents or supports payment for an individual’s health care by a covered entity or business associate—for example, claim numbers, subscriber IDs, remittance details, or itemized bills. General payment card data outside the health care context is not PHI, though other security and privacy requirements still apply.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.