What Information Is Protected Under HIPAA? PHI Explained with Examples
Definition of Protected Health Information
Protected Health Information (PHI) is any individually identifiable health information that relates to a person’s past, present, or future physical or mental health or condition, the provision of health care, or payment for health care. It identifies the individual—or could reasonably be used to identify the individual—and is created or received by Covered Entities or their Business Associates.
Under the HIPAA Privacy Rule, PHI can exist in any form or medium: electronic, paper, or oral. HIPAA was enacted to balance health information portability with strong privacy protections, ensuring you can receive care and have your information shared appropriately without sacrificing confidentiality.
Forms of PHI
PHI is not limited to clinical notes. It appears wherever health information and Patient Identifiers intersect. Common forms include:
- Electronic PHI (ePHI): EHR entries, patient portals, billing systems, imaging files, lab results, e-prescriptions, and claims data.
- Paper PHI: printed charts, referral letters, consent forms, encounter sheets, and mailed statements.
- Oral PHI: spoken exchanges during care, phone calls with patients or plans, and recorded voicemails.
- Derived data: scheduling metadata, utilization reports, quality dashboards, audit logs, and backups that still reference identifiable patients.
If the information can identify a person and concerns health care or payment, treat it as PHI regardless of format.
Examples of PHI Identifiers
HIPAA’s Safe Harbor method lists specific Patient Identifiers that, when present with health information, make it PHI. Removing these reduces re-identification risk:
- Names.
- Geographic details smaller than a state (street address, city, county, precinct, ZIP code; limited three-digit ZIP codes may remain only where population thresholds are met).
- All elements of dates (except year) directly related to an individual, including birth, admission, discharge, and death; ages over 89 must be aggregated as 90+.
- Telephone numbers.
- Fax numbers.
- Email addresses.
- Social Security numbers.
- Medical record numbers.
- Health plan beneficiary numbers.
- Account numbers.
- Certificate or license numbers.
- Vehicle identifiers and serial numbers, including license plates.
- Device identifiers and serial numbers.
- Web URLs.
- IP addresses.
- Biometric identifiers (for example, fingerprints or voiceprints).
- Full-face photographs and comparable images.
- Any other unique identifying number, characteristic, or code.
Exclusions from PHI
Not all health-related information is PHI. Key exclusions include:
- De-identified data that meets HIPAA De-identification Standards.
- Education records covered by FERPA.
- Employment records held by a Covered Entity in its role as employer (for example, FMLA paperwork in HR files).
- Information about a person deceased for more than 50 years.
- Consumer health information maintained by entities that are not Covered Entities or Business Associates (such as certain wellness apps), though other laws may still apply.
Note that a HIPAA “limited data set” is not fully de-identified and remains PHI subject to a data use agreement.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
De-identified Data Standards
HIPAA recognizes two paths to de-identification, both designed to minimize the risk that a person could be re-identified from the data.
Safe Harbor
- Remove all 18 direct identifiers about the individual, relatives, employers, or household members.
- Have no actual knowledge that remaining information could identify the individual (alone or in combination).
Expert Determination
- A qualified expert applies accepted statistical or scientific methods to determine that re-identification risk is very small.
- The expert documents methods, assumptions, and results to justify the determination.
Limited Data Set (LDS)
An LDS removes direct identifiers but may retain certain elements (for example, city, state, ZIP code, and full dates). It is still PHI and may be used for research, public health, or health care operations under a data use agreement.
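As an added illustration that is not part of the original article, the following Python applies the Safe Harbor rules from the identifier list above (direct identifiers removed, geography reduced to state plus three-digit ZIP, dates reduced to year, ages over 89 aggregated to 90+) to one constructed patient record, and contrasts it with the Limited Data Set treatment, which strips direct identifiers but keeps city, ZIP, and full dates. The field names, the sample record, and the small restricted three-digit ZIP set are assumptions of this example; in practice the restricted prefixes come from the list HHS publishes, and free-text fields still need separate review because they can carry names or dates.

```python
from datetime import date

# Direct identifiers: removed under Safe Harbor and also removed from an LDS.
# Field names are this example's own convention, not a standard schema.
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "street", "phone", "fax", "email", "ssn", "mrn",
    "beneficiary_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip", "biometric", "photo",
})

# Geography smaller than a state: removed under Safe Harbor, retained in an LDS.
SUB_STATE_GEO_FIELDS = frozenset({"city", "county", "precinct"})

# Three-digit ZIP prefixes that must collapse to "000" because the area they
# cover has fewer than 20,000 people. Constructed placeholder set; production
# code must load the prefixes HHS publishes.
EXAMPLE_RESTRICTED_ZIP3 = frozenset({"036", "059", "063"})


def age_on(dob, as_of):
    """Whole years between a birth date and a reference date."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def safe_harbor_zip(zip_code, restricted=EXAMPLE_RESTRICTED_ZIP3):
    """Keep only the first three digits, or 000 for a restricted prefix."""
    prefix = str(zip_code)[:3]
    return "000" if prefix in restricted else prefix


def safe_harbor(record, as_of, restricted=EXAMPLE_RESTRICTED_ZIP3):
    """Return a copy of `record` with the 18 Safe Harbor identifier classes removed.

    Remaining values must still be checked for actual knowledge of
    re-identifiability; that judgement is not something code can make.
    """
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS or field in SUB_STATE_GEO_FIELDS:
            continue                       # drop outright
        if field == "zip":
            out[field] = safe_harbor_zip(value, restricted)
        elif isinstance(value, date):
            out[field] = str(value.year)   # all date elements except year
        else:
            out[field] = value
    dob = record.get("dob")
    if dob is not None:
        age = age_on(dob, as_of)
        if age > 89:
            out["age"] = "90+"             # aggregate; birth year would reveal age
            out.pop("dob", None)
        else:
            out["age"] = age
    return out


def limited_data_set(record):
    """Remove direct identifiers only; city, state, ZIP and full dates remain.

    The result is still PHI and may be used only under a data use agreement.
    """
    return {f: v for f, v in record.items() if f not in DIRECT_IDENTIFIER_FIELDS}


# Constructed sample record for the demonstration (no real patient).
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0001234",
    "email": "jane@example.com",
    "phone": "555-0100",
    "street": "1 Example Way",
    "city": "Springfield",
    "state": "IL",
    "zip": "62704",
    "dob": date(1931, 5, 2),
    "admission": date(2024, 3, 9),
    "diagnosis": "Type 2 diabetes",
}

if __name__ == "__main__":
    print("Safe Harbor:", safe_harbor(SAMPLE_RECORD, as_of=date(2024, 6, 1)))
    print("Limited Data Set:", limited_data_set(SAMPLE_RECORD))
```

Run as written, the Safe Harbor output keeps only the state, the ZIP prefix 627, the admission year, the diagnosis and the age bucket 90+, while the LDS output keeps the city, full ZIP and full dates but none of the contact or record-number fields.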
HIPAA Compliance Requirements
Compliance centers on who handles PHI and how. Covered Entities include health care providers that conduct standard electronic transactions, health plans, and health care clearinghouses. Business Associates are vendors or partners that create, receive, maintain, or transmit PHI for Covered Entities (for example, cloud hosts, billing companies, telehealth platforms).
Privacy Rule essentials
- Use and disclosure: permitted for treatment, payment, and health care operations; other uses generally require patient authorization.
- Minimum necessary: access, use, and disclose only what’s needed.
- Patient rights: access, obtain copies, request amendments, request restrictions, receive an accounting of disclosures, and ask for confidential communications.
- Notice of Privacy Practices: tell patients how you use and protect their information.
Security Rule safeguards for ePHI
- Administrative: risk analysis, workforce training, policies, contingency planning.
- Physical: facility access controls, device and media controls, secure disposal.
- Technical: unique user IDs, access controls, audit logs, integrity checks, encryption in transit and at rest where reasonable and appropriate.
Breach Notification and vendor management
- Breach response: investigate, mitigate, and notify affected individuals and authorities as required.
- Business Associate Agreements (BAAs): define permitted uses, safeguards, breach duties, and subcontractor flow-downs.
Handling and Protecting PHI
Practical safeguards
- Map your PHI: inventory systems, data flows, and third parties to control where PHI lives.
- Apply least-privilege access with strong authentication and timely offboarding.
- Encrypt data in transit and at rest; secure messaging and patient portals for communications.
- Harden endpoints and mobile devices; use remote wipe and screen-lock policies.
- Monitor with audit logs, alerts, and data loss prevention; review logs routinely.
- Train your workforce on the HIPAA Privacy Rule, Security Rule, and incident reporting.
- Adopt clear policies for telehealth, BYOD, remote work, and media disposal.
- Vet vendors, execute BAAs, and validate their safeguards regularly.
- Honor patient access and amendment requests promptly, supporting health information portability without compromising privacy.
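The audit-log review, least-privilege and offboarding points above are easier to act on with a concrete check. The following Python, added here as an example and not taken from the article or any product, parses constructed ePHI access audit lines in a format this example defines and reports four kinds of findings a routine log review looks for: an action the user's role does not permit, access to a patient outside the user's assigned roster (a minimum-necessary signal), any activity by an account that should have been offboarded, and a burst of distinct patients touched by one user within a ten-minute window. The role table, rosters, offboarded list, log format and threshold are all assumptions of this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample audit lines (format defined by this example only).
SAMPLE_LOG = """\
2024-03-09T09:01:12Z user=rlee role=nurse action=view_chart patient=P-1001
2024-03-09T09:02:40Z user=rlee role=nurse action=view_chart patient=P-1002
2024-03-09T09:05:03Z user=mkhan role=billing action=view_claim patient=P-1001
2024-03-09T09:06:30Z user=mkhan role=billing action=view_chart patient=P-1001
2024-03-09T09:10:00Z user=tolsen role=nurse action=view_chart patient=P-1003
2024-03-09T23:40:01Z user=rlee role=nurse action=view_chart patient=P-2001
2024-03-09T23:40:05Z user=rlee role=nurse action=view_chart patient=P-2002
2024-03-09T23:40:44Z user=rlee role=nurse action=view_chart patient=P-2003
2024-03-09T23:41:30Z user=rlee role=nurse action=view_chart patient=P-2004
2024-03-09T23:42:10Z user=pgone role=nurse action=view_chart patient=P-1001
"""

# Assumed policy data: which actions each role may perform, which patients each
# clinician is assigned (billing staff have no roster restriction here), and
# accounts that HR has marked as departed.
ROLE_PERMISSIONS = {"nurse": {"view_chart"}, "billing": {"view_claim"}}
ASSIGNED_PATIENTS = {"rlee": {"P-1001", "P-1002"}, "tolsen": {"P-1003"}}
OFFBOARDED_USERS = {"pgone"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) patient=(?P<patient>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    detail: str


def parse_log(text):
    """Parse lines into dicts; malformed or blank lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return events


def review_access_log(text, role_permissions=ROLE_PERMISSIONS,
                      rosters=ASSIGNED_PATIENTS, offboarded=OFFBOARDED_USERS,
                      bulk_threshold=3):
    """Return a list of Finding objects for the log text, in log order."""
    findings = []
    windows = defaultdict(set)   # (user, 10-minute bucket) -> distinct patients
    for e in parse_log(text):
        user, when = e["user"], e["ts"].isoformat()
        detail = f"{when} {e['action']} {e['patient']}"
        if user in offboarded:
            findings.append(Finding("offboarded_account", user, detail))
            continue
        if e["action"] not in role_permissions.get(e["role"], set()):
            findings.append(Finding("role_not_permitted", user, f"{detail} as {e['role']}"))
        roster = rosters.get(user)
        if roster is not None and e["patient"] not in roster:
            findings.append(Finding("outside_assigned_patients", user, detail))
        bucket = e["ts"].replace(minute=e["ts"].minute // 10 * 10, second=0)
        windows[(user, bucket)].add(e["patient"])
    for (user, bucket), patients in sorted(windows.items()):
        if len(patients) > bulk_threshold:
            findings.append(Finding(
                "bulk_access", user,
                f"{len(patients)} distinct patients from {bucket.isoformat()}"))
    return findings


if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG):
        print(f"{f.rule:26} {f.user:8} {f.detail}")
```

The sample produces seven findings: one billing user viewing a chart, four chart views by a nurse outside her roster, one access by a departed account, and one bulk-access window covering those four late-night views. Real audit sources differ in format, so only the regular expression and the policy tables need replacing; the rules themselves carry over.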
Conclusion
PHI covers any identifiable health information handled by Covered Entities or Business Associates, regardless of format. Knowing the forms of PHI, the specific identifiers, and the exclusions helps you apply HIPAA’s De-identification Standards and core compliance duties. With sound policies, layered security, and vendor diligence, you can protect privacy while enabling safe, efficient care.
FAQs
What types of information are included in PHI?
PHI includes any identifiable health information about a person’s condition, care, or payment—such as diagnoses, test results, treatment notes, claims, billing details, and communications—when paired with Patient Identifiers like names, addresses, or account numbers, in electronic, paper, or oral form.
How does HIPAA define covered entities?
Covered Entities are health care providers that conduct standard electronic transactions (for example, e-billing), health plans (insurers and group plans), and health care clearinghouses. They may rely on Business Associates to handle PHI but remain responsible for overall compliance.
What information is excluded from PHI?
Excluded are de-identified data, education records under FERPA, employment records held by a Covered Entity as an employer, information about individuals deceased for more than 50 years, and health data maintained solely by entities that are not Covered Entities or Business Associates.
How is data de-identified under HIPAA?
There are two methods: Safe Harbor, which removes 18 specified identifiers with no actual knowledge of identifiability, and Expert Determination, where a qualified expert documents that re-identification risk is very small using accepted statistical techniques.