What Is Considered PHI (Protected Health Information) Under HIPAA? Definition and Examples
Definition of PHI
Under the HIPAA Privacy Rule, Protected Health Information (PHI) is Individually Identifiable Health Information that is created, received, maintained, or transmitted by a Covered Entity or its Business Associate. It relates to an individual’s past, present, or future physical or mental health condition, the provision of health care, or payment for health care, and either identifies the person or could reasonably be used to identify them.
HIPAA’s core aim is to preserve confidentiality and privacy. If data cannot identify a person (or is properly de-identified), it is not PHI. But once identifiers or reasonable linkability exist in the hands of a Covered Entity or Business Associate, the same data becomes PHI.
Individually Identifiable Health Information explained
Information is “individually identifiable” when it includes direct identifiers (like a name) or indirect details that, in combination, can point to a specific person. This includes obvious items (date of birth, medical record number) and less obvious ones (IP addresses tied to a patient portal or precise device IDs).
Who is covered
Covered Entities include health care providers that transmit health information electronically, health plans, and health care clearinghouses. Business Associates are vendors or subcontractors that create, receive, maintain, or transmit PHI on a Covered Entity’s behalf (for example, billing companies, cloud services, or analytics providers).
Forms of PHI
Electronic PHI (ePHI)
ePHI includes digital charts, claims files, patient portal data, emails, text messages, EHR exports, backups, logs, images, audio/video files, and telemetry. Device IDs, IP addresses, or metadata linked to a patient record also qualify as PHI.
Paper PHI
Paper records encompass printed charts, lab results, physician notes, referral forms, insurance forms, and mailed statements. Labels on prescription bottles and printed appointment schedules are PHI when they can identify a patient.
Oral PHI
Spoken information, such as hallway conversations, phone calls with patients, voicemails, and recorded customer support calls about health conditions or payments, is PHI when it is identifiable.
Examples of PHI
Common HIPAA identifiers
- Names; geographic subdivisions smaller than a state; all elements of dates (except year) related to an individual; phone and fax numbers; email addresses.
- Social Security numbers; medical record numbers; Health Plan Beneficiary Numbers; account numbers; certificate/license numbers.
- Vehicle identifiers and license plates; device identifiers and serial numbers; web URLs; IP addresses.
- Biometric Identifiers (for example, fingerprints, voiceprints, retina/iris scans); full-face photographs and comparable images.
- Any other unique identifying number, characteristic, or code that could identify a person.
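As an added example that is not part of the original article, the following Python sketch applies the Safe Harbor identifier rules listed above (and referenced under the de-identification exclusion) to a constructed record: it drops the direct identifiers and sub-state geography, keeps only the year of each date, scrubs phone, SSN, email and IP patterns out of free text, and logs every action so a reviewer can confirm what was removed. The field names, regex patterns and sample row are assumptions made for illustration, not a standard schema.

```python
import re

# Safe Harbor identifier categories as summarised on this page. Field names are
# constructed for this example; they are not a standard schema.
DIRECT_IDENTIFIERS = {"name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
                      "account_number", "license_number", "vehicle_id", "device_id",
                      "url", "ip_address", "biometric", "photo"}
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}  # all date elements except year
GEO_FIELDS = {"street", "city", "zip"}                  # subdivisions smaller than a state

# Identifiers that commonly leak into free-text notes (SSN, phone, email, IP).
_PATTERNS = {"ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
             "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
             "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
             "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")}

def has_identifiers(record: dict) -> bool:
    # True while any listed identifier field, full date, or in-text pattern remains.
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field in GEO_FIELDS:
            return True
        if field in DATE_FIELDS and not isinstance(value, int):
            return True
        if isinstance(value, str) and any(p.search(value) for p in _PATTERNS.values()):
            return True
    return False

def safe_harbor(record: dict) -> tuple[dict, list[str]]:
    # Return a de-identified copy plus a log of every change, for review and audit.
    out, actions = {}, []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field in GEO_FIELDS:
            actions.append(f"removed {field}")
        elif field in DATE_FIELDS:
            out[field] = int(str(value)[:4])  # ISO date string -> year only
            actions.append(f"reduced {field} to year")
        elif isinstance(value, str):
            for kind, pat in _PATTERNS.items():
                value, n = pat.subn(f"[{kind} removed]", value)
                if n:
                    actions.append(f"scrubbed {n} {kind} from {field}")
            out[field] = value
        else:
            out[field] = value  # non-identifying clinical/payment content is kept
    return out, actions

# Constructed sample: a care-coordination row like the one described on this page.
SAMPLE = {"name": "Jane Doe", "mrn": "MRN-000123", "dob": "1975-03-14",
          "city": "Springfield", "state": "IL", "admit_date": "2024-02-09",
          "diagnosis_code": "E11.9", "payer": "Example Health Plan",
          "note": "Patient called from 555-123-4567; portal login from 10.0.0.7."}
```

The action log is what a privacy reviewer should check before release; Safe Harbor additionally requires that the entity has no actual knowledge that the remaining data could still identify the individual.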
Real-world illustrations
- An imaging study tagged with a patient’s name and medical record number in a hospital PACS.
- A claims file listing diagnosis codes tied to a Health Plan Beneficiary Number.
- Secure messaging threads between a clinician and patient discussing medications.
- Wearable data (heart rate trends) uploaded to a provider’s portal for treatment decisions.
- Call center recordings where a patient confirms address and condition details.
- Care coordination spreadsheets that combine visit dates, payer info, and contact details.
Exclusions from PHI
- De-identified data: Information stripped of identifiers under HIPAA’s Safe Harbor method or certified via Expert Determination so that re-identification risk is very low.
- Education records covered by the Family Educational Rights and Privacy Act (FERPA), and certain student treatment records maintained by educational institutions.
- Employment records held by a Covered Entity in its role as employer (for example, FMLA forms kept by HR).
- Information about a person deceased for more than 50 years.
- Consumer-generated health data in apps or devices when the app developer is not a Covered Entity or Business Associate (though other privacy laws may still apply).
Important clarification
A Limited Data Set (LDS) is not fully de-identified and remains PHI; it can be used for specific purposes under a Data Use Agreement. It is therefore not an “exclusion.”
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Compliance Requirements
Covered Entities and Business Associates must implement administrative, technical, and physical safeguards under the HIPAA Security Rule and follow the Privacy Rule’s standards for uses and disclosures.
- Governance: Conduct an enterprise-wide risk analysis, implement risk management plans, adopt policies and procedures, and train the workforce regularly.
- Minimum necessary: Limit uses, disclosures, and access to the least amount of PHI needed to achieve the purpose.
- Authorizations: Obtain a valid authorization for uses/disclosures not otherwise permitted (for example, many marketing activities).
- Patient rights: Provide notice of privacy practices and support access, amendment, and an accounting of disclosures where required.
- Business Associate Agreements: Execute BAAs with vendors that handle PHI and oversee their compliance.
- Breach Notification Rule: Evaluate potential breaches, mitigate harm, and notify affected individuals (and, when applicable, regulators and the media) without unreasonable delay and within mandated timeframes.
Handling and Safeguarding PHI
Administrative safeguards
- Inventory PHI repositories; classify data by sensitivity and purpose.
- Use role-based access controls, sanction policies, and ongoing workforce training focused on confidentiality and privacy.
- Maintain incident response, disaster recovery, and business continuity plans; test them regularly.
Technical safeguards
- Encrypt ePHI in transit and at rest; enforce multi-factor authentication and strong identity proofing.
- Segment networks; harden endpoints and mobile devices; patch promptly; disable unnecessary services.
- Log access, enable audit trails, and monitor for anomalous behavior; regularly review and reconcile logs.
- Use secure messaging for clinical communication; avoid personal email or consumer texting for PHI.
Physical safeguards
- Control facility access; protect servers, workstations, and removable media.
- Position screens to prevent shoulder-surfing; use privacy filters where appropriate.
- Dispose of PHI securely (for example, shredding paper, certified media destruction).
Data lifecycle practices
- Apply data minimization; collect only what you need and retain it only as long as required.
- Use de-identification or pseudonymization for research, analytics, or training whenever possible.
- Vet vendors carefully; ensure BAAs cover security, breach reporting, and subcontractors.
Legal Implications of PHI Disclosure
Unauthorized use or disclosure of PHI can trigger breach investigation, required notifications, corrective action plans, and substantial civil monetary penalties under HIPAA’s tiered framework. Penalties scale with the level of culpability and can accrue per record and per day, subject to annual caps. State attorneys general may also enforce HIPAA and state privacy laws.
Knowing misuse of PHI can lead to criminal liability, including fines and potential imprisonment, especially when information is obtained under false pretenses or used for commercial advantage, personal gain, or malicious harm. Contractual liabilities may arise under Business Associate Agreements, and organizations may face class actions or other litigation under state law.
After any incident, entities must promptly assess risk, mitigate harm, document decisions, and notify affected parties within the rule’s timelines. Robust prevention, monitoring, and timely response are essential to protect patients and the organization.
Conclusion
PHI under HIPAA is any identifiable health information handled by a Covered Entity or Business Associate in connection with care or payment. Understand what counts, exclude what truly does not, implement strong administrative, technical, and physical safeguards, and respond quickly to incidents to uphold confidentiality and privacy and reduce legal risk.
FAQs
What types of information qualify as PHI?
Any Individually Identifiable Health Information held by a Covered Entity or Business Associate that relates to health, care provided, or payment qualifies. This includes obvious identifiers (name, address, dates) and less obvious ones such as IP addresses tied to a patient portal, device IDs, Biometric Identifiers, and Health Plan Beneficiary Numbers.
How is PHI protected under HIPAA?
HIPAA requires administrative, technical, and physical safeguards, the minimum necessary standard, workforce training, Business Associate Agreements, and processes for access, amendment, and breach notification. Encryption, access controls, logging, and secure disposal are cornerstones of protecting ePHI and paper/oral PHI.
What are the exceptions to PHI coverage?
De-identified data, FERPA-covered education records, employment records kept by an employer, information about a person deceased more than 50 years, and consumer health data not handled by a Covered Entity or Business Associate are not PHI. A Limited Data Set remains PHI and is not an exception.
How should PHI be handled securely?
Limit collection and access, encrypt in transit and at rest, enforce multi-factor authentication, log and review access, train staff, secure facilities and devices, shred or wipe on disposal, and use vetted vendors under BAAs. De-identify data whenever feasible to reduce risk while supporting care and operations.