What Information Is Protected by HIPAA? Exactly What Counts as PHI (and What Doesn’t)

Kevin Henry

HIPAA

January 28, 2024

7 minute read

Definition of Protected Health Information

Protected Health Information (PHI) is individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or its business associates. It relates to a person’s past, present, or future physical or mental health or condition, the provision of health care, or payment for care—and it either identifies the individual or could reasonably be used to identify them.

PHI can exist in any medium: electronic, paper, or oral. When PHI is maintained electronically—such as within Electronic Health Records—it is called electronic PHI (ePHI). The HIPAA Privacy Rule sets the standards for how PHI may be used and disclosed to protect patient confidentiality.

What makes information PHI

  • It includes health-related details tied to an identifiable person.
  • It is handled by covered entities (health plans, most health care providers, and health care clearinghouses) or their business associates.
  • It is reasonably linkable to an individual directly or indirectly.

The 18 HIPAA Identifiers

PHI is health information combined with one or more of the following identifiers. Removing these identifiers (via the Safe Harbor method) is a common path toward de-identified data.

  1. Names.
  2. Geographic subdivisions smaller than a state (for example, street address, city, county, and ZIP code; limited exceptions exist for certain three-digit ZIP codes under Safe Harbor).
  3. All elements of dates (except year) related to an individual (for example, birth date, admission, discharge, death), and all ages over 89 (and related date elements) unless aggregated into a single 90+ category.
  4. Telephone numbers.
  5. Fax numbers.
  6. Email addresses.
  7. Social Security numbers.
  8. Medical record numbers.
  9. Health plan beneficiary numbers.
  10. Account numbers.
  11. Certificate/license numbers.
  12. Vehicle identifiers and serial numbers, including license plates.
  13. Device identifiers and serial numbers.
  14. Web URLs.
  15. IP addresses.
  16. Biometric identifiers (for example, finger and voice prints).
  17. Full-face photographic images and comparable images.
  18. Any other unique identifying number, characteristic, or code (except as permitted for re-identification by the same covered entity).
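As an added example (not code from the article or from Accountable), the following Python applies the Safe Harbor rules listed above to one constructed record: it drops the direct identifiers, keeps only the first three ZIP digits (a placeholder set stands in for the prefixes that must become 000 because they cover 20,000 people or fewer), reduces other dates to the year, and collapses ages over 89 into a single 90+ category. The field names, the restricted-prefix set and the sample record are assumptions of this example.

```python
from datetime import date

# Fields this example treats as the page's direct identifiers (names, phone,
# email, SSN, MRN, ...); key names are this example's own, not a standard.
DIRECT_IDENTIFIERS = {"name", "phone", "fax", "email", "ssn", "mrn", "plan_id",
                      "account", "license", "vehicle_id", "device_id", "url",
                      "ip", "biometric", "photo"}
DATE_FIELDS = {"admit_date", "discharge_date", "death_date"}  # year only
# Hypothetical placeholder for the ZIP exception: prefixes whose combined
# population is 20,000 or fewer must become "000" (real list: Census data).
RESTRICTED_ZIP3 = {"036", "059", "102"}

def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits unless the prefix is restricted."""
    prefix = zip_code[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix

def age_on(dob: date, as_of: date) -> int:
    """Whole years between dob and as_of."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))

def safe_harbor(record: dict, as_of: date) -> dict:
    """De-identified copy of one record: identifiers dropped, ZIP and dates
    generalized, ages over 89 collapsed to "90+" with the birth year removed
    (it would reveal the age). Free-text fields still need review: Safe Harbor
    also requires no actual knowledge that what remains could identify the person."""
    dob = date.fromisoformat(record["dob"])
    age = age_on(dob, as_of)
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                # removed outright
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "dob":
            if age <= 89:
                out["birth_year"] = str(dob.year)   # year alone may remain
        elif key in DATE_FIELDS:
            out[key + "_year"] = value[:4]          # "YYYY-MM-DD" -> "YYYY"
        else:
            out[key] = value                        # e.g. diagnosis codes
    out["age"] = "90+" if age > 89 else str(age)
    return out

# Constructed sample record, not real patient data.
SAMPLE = {"name": "Jane Example", "ssn": "000-00-0000", "mrn": "MRN-12345",
          "email": "jane@example.com", "zip": "03601", "dob": "1931-05-20",
          "admit_date": "2023-11-02", "diagnosis_code": "E11.9"}
```

Calling `safe_harbor(SAMPLE, date(2024, 1, 28))` leaves only the 3-digit ZIP (here 000, because the prefix is in the placeholder restricted set), the admission year, the diagnosis code and the age bucket 90+.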

Forms of PHI

Electronic (ePHI)

ePHI includes data in Electronic Health Records, patient portals, billing systems, claims files, imaging archives, lab information systems, email, secure messaging, mobile devices, and cloud storage. Audit logs, metadata, and backups that can be tied to a patient also qualify.

Paper

Paper medical charts, registration forms, referrals, printed lab results, mailed statements, and other documents that contain health information plus any HIPAA identifier are PHI.

Oral and visual

Spoken information—such as hallway conversations about a patient, voicemails, or telemedicine sessions—is PHI. So are images, audio, and video that identify a patient or show health details (for example, full-face photos associated with diagnoses).

Context matters

The same data element may or may not be PHI depending on who holds it and why. For example, step counts in a fitness app are generally not PHI unless the app is acting as a business associate to a covered entity for health care purposes.

Data Excluded from PHI

  • De-identified data: Health information that has been de-identified via Safe Harbor (removing all 18 identifiers) or expert determination so that re-identification is not reasonably likely.
  • Employment records: Information a covered entity holds in its role as an employer (for example, FMLA paperwork, workplace injury logs) is not PHI.
  • Education and student treatment records: Records covered by FERPA are outside HIPAA.
  • Data held by non‑covered entities not acting as business associates: Most consumer health apps, wearables, and personal trackers are not subject to HIPAA unless they provide services on behalf of a covered entity.
  • Information about a person deceased for more than 50 years: After that period, the information is no longer PHI.

Important nuance

A limited data set (which excludes most direct identifiers but may retain some, like dates and certain geography) is still PHI and requires a data use agreement; it is not fully de-identified.

Importance of PHI Compliance

Protecting PHI upholds patient confidentiality, sustains trust, and reduces legal, financial, and reputational risk. Strong privacy practices also improve data quality and enable responsible data sharing for treatment, payment, and health care operations.

Practical essentials

  • Limit uses and disclosures to the minimum necessary.
  • Implement access controls, encryption, and audit logging for ePHI.
  • Train your workforce on the HIPAA Privacy Rule and Security Rule basics.
  • Sign and manage business associate agreements with vendors that handle PHI.
  • Maintain clear policies for patient rights, breach response, and retention.

HIPAA Privacy Rule Overview

Who must comply

Covered entities include health plans, most health care providers that conduct standard electronic transactions, and health care clearinghouses. Business associates are service providers that create, receive, maintain, or transmit PHI on a covered entity’s behalf, and their subcontractors must also comply.

Permitted uses and disclosures

Without patient authorization, PHI may be used or disclosed for treatment, payment, and health care operations; certain public health, legal, and oversight activities; and other limited purposes defined by the HIPAA Privacy Rule. Many other uses require written authorization.

Minimum necessary and patient rights

Covered entities must apply the minimum necessary standard and honor individual rights, including access to records, amendments, an accounting of disclosures, request for restrictions, and confidential communications.

De-identified data

Once data are de-identified under HIPAA, they are not PHI and fall outside the Privacy Rule, though other laws and ethical obligations may still apply.

Enforcement of PHI Protections

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) enforces the HIPAA Privacy Rule. OCR investigates complaints and breach reports, conducts compliance reviews, and can impose corrective action plans, monitoring, and civil money penalties with tiered ranges based on culpability. The Department of Justice may pursue criminal penalties for certain knowing, wrongful disclosures. State attorneys general can also bring actions under HIPAA and state privacy laws.

Incident response and breach notification

Covered entities and business associates must investigate suspected incidents, mitigate harm, document findings, and provide required breach notifications to affected individuals, regulators, and in some cases the media, within prescribed time frames. Robust risk analyses, vendor oversight, and workforce training are key to preventing breaches.

Conclusion

PHI is any identifiable health information handled by covered entities or business associates. Understanding the 18 identifiers, recognizing all forms of PHI, and knowing what falls outside HIPAA—such as de-identified data—helps you apply the HIPAA Privacy Rule correctly, protect patient confidentiality, and maintain compliance.

FAQs

What types of information are considered PHI under HIPAA?

PHI includes any health-related information that can identify an individual and is created or received by a covered entity or business associate. Examples include data in Electronic Health Records, claims and billing details, lab and imaging results, care notes, and communications that contain one or more of the 18 HIPAA identifiers.

How is de-identified data treated under HIPAA?

Once data are de-identified using either the Safe Harbor method (removing all 18 identifiers) or expert determination showing very small re-identification risk, they are no longer PHI and are not regulated by the HIPAA Privacy Rule. A limited data set, however, is still PHI and requires a data use agreement.

Who must comply with HIPAA regulations?

Covered entities—health plans, most health care providers that conduct standard electronic transactions, and health care clearinghouses—must comply, as do their business associates and applicable subcontractors that create, receive, maintain, or transmit PHI on their behalf.

What are the penalties for PHI breaches?

OCR can require corrective action plans and impose civil money penalties that scale by culpability (from lack of knowledge to willful neglect), with per‑violation amounts and annual caps adjusted periodically. Serious violations can also trigger Department of Justice criminal enforcement, and state attorneys general may bring additional actions under HIPAA or state law.
