What Information the HIPAA Privacy Rule Protects: PHI Explained for Organizations

Kevin Henry

HIPAA

February 08, 2025

Definition of Individually Identifiable Health Information

The HIPAA Privacy Rule protects protected health information (PHI), which is individually identifiable health information created, received, maintained, or transmitted by covered entities or their business associates. Information becomes PHI when it relates to a person’s health, care, or payment for care and can identify the individual directly or indirectly.

Individually Identifiable Health Information includes any health-related data tied to one or more identifiers. HIPAA’s “safe harbor” lists 18 identifiers that, when present with health information, render it PHI:

  • Names
  • Geographic details smaller than a state (street address, city, county, ZIP code with limited exceptions)
  • All elements of dates (except year) related to an individual; ages over 89
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate or license numbers
  • Vehicle identifiers and serial numbers, including license plates
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Biometric identifiers (for example, fingerprints or voiceprints)
  • Full-face photos and comparable images
  • Any other unique identifying code, number, or characteristic

Types of Protected Health Information

PHI spans clinical, administrative, and financial content. If the information relates to an individual’s health, care, or payment and includes an identifier, treat it as PHI to maintain Health Information Privacy and HIPAA Compliance.

  • Clinical data: diagnoses, progress notes, lab results, imaging, care plans, prescriptions, immunizations, and problem lists.
  • Administrative and payment data: claims, authorizations, Explanation of Benefits, billing statements, eligibility and enrollment records.
  • Demographic and contact details tied to care: address, date of birth, next-of-kin where linked to the patient’s record.
  • Identifiers and codes: medical record numbers, account numbers, device serials, plan IDs.
  • Media and biometrics: photographs, video, audio, voiceprints, fingerprints, and genomic or other biometric indicators when identifiable.
  • Communications and metadata: appointment reminders, portal messages, call logs, voicemail containing patient-specific details.

If none of the 18 identifiers are present and the data cannot reasonably identify an individual, it may be de-identified. A limited data set, however, still counts as PHI and requires a data use agreement for specific purposes.

Forms of PHI: Electronic, Paper, and Oral

The Privacy Rule protects PHI in any form—electronic, paper, or oral. The Security Rule specifically governs electronic PHI (ePHI), but your obligations to limit uses and disclosures and apply the minimum necessary standard apply to all forms.

  • Electronic: EHRs, patient portals, emails, texts, scanned documents, telehealth recordings, backups, and logs.
  • Paper: registration forms, printed results, prescriptions, encounter summaries, superbills, routing sheets, and faxes.
  • Oral: conversations at a nurse’s station, case discussions, handoffs, and voicemails that include patient identifiers.

Use reasonable safeguards across formats—verify recipients, apply role-based access, avoid discussing PHI in public spaces, and secure documents and devices.

Exclusions from PHI Coverage

Not all health-related information is PHI. The following categories fall outside PHI coverage under the HIPAA Privacy Rule:

  • De-identified information: data stripped of all 18 identifiers under safe harbor or deemed de-identified by expert determination.
  • Employment records held by a covered entity in its role as employer (for example, FMLA documents, pre-employment physicals kept in the HR file).
  • Education records and treatment records covered by FERPA.
  • Information about individuals deceased for more than 50 years.
  • Health information maintained by entities that are not covered entities or business associates and not acting on their behalf (for example, consumer health apps storing data solely for the user’s purposes).
  • Aggregated statistics with no reasonable basis to identify an individual.

Note: A limited data set is not fully de-identified and remains PHI, but it may be used or disclosed for research, public health, or health care operations under a data use agreement.
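The safe-harbor method described above (strip the 18 identifiers, keep only the year of dates, aggregate ages over 89, truncate ZIP codes) is easy to get wrong in code, so here is an added worked example; it is not code from the original article or from Accountable. The record, field names, reference date, and the low-population ZIP prefix set are all constructed assumptions for illustration, and the regex patterns in the residual check are a partial sanity check, not a complete PHI detector.

```python
import re
from datetime import date

# Constructed sample record for this example (not real patient data).
SAMPLE_RECORD = {
    "name": "Jane Example", "dob": "1931-04-17", "admit_date": "2024-11-03",
    "zip": "03609", "phone": "555-0100", "mrn": "MRN-000123",
    "email": "jane@example.com", "diagnosis": "E11.9",
}
AS_OF = date(2025, 2, 8)  # reference date for computing age (assumed)

# Field names are this example's assumption, not a HIPAA-defined schema.
DIRECT_IDENTIFIERS = {"name", "phone", "fax", "email", "ssn", "mrn", "account",
                      "plate", "device_serial", "url", "ip", "beneficiary_id"}
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}
# Safe harbor keeps only the first three ZIP digits, and only when that 3-digit
# area has more than 20,000 residents; otherwise the ZIP becomes "000".
# The set below is a constructed placeholder, not the Census-derived list.
LOW_POPULATION_ZIP3 = {"036", "059"}

def age_on(dob: str, as_of: date) -> int:
    born = date.fromisoformat(dob)
    return as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))

def safe_harbor_deidentify(record: dict, as_of: date = AS_OF) -> dict:
    """Return a copy of `record` with safe-harbor identifiers removed or generalized."""
    out = {}
    over_89 = "dob" in record and age_on(record["dob"], as_of) > 89
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                        # drop direct identifiers outright
        if key in DATE_FIELDS:
            if key == "dob" and over_89:
                continue                    # birth year would reveal an age over 89
            out[f"{key}_year"] = value[:4]  # keep only the year of any date
        elif key == "zip":
            zip3 = value[:3]
            out["zip3"] = "000" if zip3 in LOW_POPULATION_ZIP3 else zip3
        else:
            out[key] = value                # clinical content is retained
    if "dob" in record:  # ages over 89 collapse into a single "90+" category
        out["age"] = "90+" if over_89 else str(age_on(record["dob"], as_of))
    return out

def residual_identifiers(record: dict) -> list:
    """Flag identifier-looking values still present (constructed patterns, not exhaustive)."""
    patterns = {
        "email": r"[^@\s]+@[^@\s]+\.[a-z]{2,}", "full_date": r"\b\d{4}-\d{2}-\d{2}\b",
        "ssn": r"\b\d{3}-\d{2}-\d{4}\b", "ipv4": r"\b(?:\d{1,3}\.){3}\d{1,3}\b",
    }
    return [(k, name) for k, v in record.items() for name, p in patterns.items()
            if isinstance(v, str) and re.search(p, v)]
```

Run `residual_identifiers` on the output as a second check; a clean result does not by itself prove de-identification, since free-text fields such as notes can still carry names or dates.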

Individual Rights Under the HIPAA Privacy Rule

Individuals—your patients and plan members—have specific Patient Rights you must operationalize and honor. Build clear workflows, train staff, and track deadlines to ensure compliance.

  • Right of access: obtain copies of their designated record set, generally within 30 days, in the requested form and format if readily producible (including electronic).
  • Right to direct a copy to a third party: upon a clear, signed request identifying the recipient and destination.
  • Right to request amendment: correct or clarify PHI; if denied, provide a written denial and allow a statement of disagreement.
  • Right to an accounting of disclosures: receive an Accounting of Disclosures for certain disclosures not related to treatment, payment, or health care operations.
  • Right to request restrictions: ask you to limit certain uses or disclosures; you must honor requests to restrict disclosures to a health plan for a specific item or service paid in full out-of-pocket.
  • Right to request confidential communications: receive PHI through alternative addresses, numbers, or channels when reasonable.
  • Right to receive a Notice of Privacy Practices and to file a privacy complaint without retaliation.

Importance of PHI Protection for Covered Entities

Strong PHI protection earns patient trust, supports Health Information Privacy, and demonstrates your commitment to ethical care. Patients are more likely to share complete information when they believe you will protect it.

Effective safeguards reduce legal, financial, and reputational risk. Breaches can trigger investigations, remediation costs, and corrective action plans. Consistent HIPAA Compliance streamlines audits and improves operational discipline across your organization.

Protecting PHI enables secure data sharing for treatment and care coordination, strengthening outcomes while respecting Patient Rights.

Compliance Obligations for Organizations

  • Governance: designate privacy and security officers; define scope, roles, and decision rights for Covered Entities and business associates.
  • Data inventory: map where PHI and ePHI reside and flow, including vendors, devices, applications, and backups.
  • Policies and procedures: implement minimum necessary, role-based access, verification, disclosures, retention, and secure disposal standards.
  • Workforce training and sanctions: provide initial and periodic training; enforce policies consistently.
  • Safeguards for ePHI: apply administrative, physical, and technical controls—risk analysis, encryption, authentication, audit logs, and secure configuration.
  • Vendor management: evaluate business associates, execute BAAs, and monitor performance and security obligations.
  • Individual rights operations: fulfill access, amendment, Accounting of Disclosures, restriction, and confidential communication requests within required timelines.
  • Notice of Privacy Practices: publish, distribute, and keep it current with your practices.
  • Secure communications: verify identities; use approved channels for email, text, telehealth, and patient portals.
  • Incident response and breach notification: assess incidents, document risk-of-compromise evaluations, notify as required, and implement corrective actions.
  • Monitoring and improvement: conduct periodic audits, test controls, and remediate gaps promptly.

In practice, HIPAA compliance starts with knowing exactly what information the HIPAA Privacy Rule protects, recognizing PHI in every form, honoring individual rights, and embedding safeguards into daily operations. Consistent execution turns compliance into a durable trust advantage.

FAQs

What qualifies as protected health information under HIPAA?

PHI is individually identifiable health information related to a person’s health, the care they receive, or payment for that care, when it includes one or more identifiers (such as name, date of birth, or medical record number) and is created or handled by a covered entity or business associate.

How does the HIPAA Privacy Rule apply to electronic health records?

The Privacy Rule governs privacy for PHI in any form, including EHRs. Alongside it, the Security Rule requires administrative, physical, and technical safeguards for ePHI—access controls, audit logs, encryption, and risk management—to keep electronic health records protected.

Are employment records included in PHI protection?

Employment records that a covered entity maintains in its role as an employer are not PHI (for example, HR files, leave requests). The same health details can be PHI in the medical record but not in the employer’s HR record.

What rights do individuals have regarding their PHI under HIPAA?

Individuals have the right to access and obtain copies, direct a copy to a third party, request amendments, receive an accounting of disclosures, ask for restrictions, request confidential communications, obtain a Notice of Privacy Practices, and file a complaint without retaliation.
