What Is Considered PHI Under HIPAA? Gray Areas, Exclusions, and Practical Tests


Kevin Henry

HIPAA

February 01, 2024

9 minute read

Definition of PHI

Protected Health Information (PHI) is individually identifiable health information created, received, maintained, or transmitted by a Covered Entity or its Business Associate, in any form or medium. It includes data about a person’s past, present, or future physical or mental health or condition, the provision of health care, or payment for health care.

Individually Identifiable Health Information means the data either identifies a person directly or there is a reasonable basis to believe it can be used to identify the person. The HIPAA Privacy Rule frames PHI around real-world workflows, not just databases, so emails, phone calls, paper files, images, and logs can all contain PHI.

The three-part practical test

  • Is it health-related information (care, condition, or payment)?
  • Is an identifier present or could the person reasonably be identified?
  • Is the information held or transmitted by a Covered Entity or Business Associate?

If the answer is yes to all three, it is PHI. If any answer is no, it may fall outside HIPAA or be de-identified.

Gray areas to watch

  • Context matters: a heart-rate value in a hospital portal is PHI; the same value in a standalone fitness app may not be PHI if no Covered Entity or Business Associate is involved.
  • Metadata counts: IP addresses, device IDs, or clickstream data on a provider website can be PHI when linked to a user seeking health services.
  • Aggregations can still identify: a small cohort report can re-identify patients if it’s too granular.

18 Identifiers of PHI

The Privacy Rule’s “safe harbor” lists 18 identifiers. If all are removed and the holder has no actual knowledge that remaining information can identify a person, the data may be considered de-identified.

  1. Names.
  2. All geographic subdivisions smaller than a state, including street address, city, county, precinct, and ZIP code; the first three digits of a ZIP code may be used only if the combined area has more than 20,000 people; otherwise use 000.
  3. All elements of dates (except year) directly related to an individual, including birth date, admission, discharge, death; ages over 89 must be aggregated as “age 90 or older.”
  4. Telephone numbers.
  5. Fax numbers.
  6. Email addresses.
  7. Social Security numbers.
  8. Medical record numbers.
  9. Health plan beneficiary numbers.
  10. Account numbers.
  11. Certificate/license numbers.
  12. Vehicle identifiers and serial numbers, including license plates.
  13. Device identifiers and serial numbers.
  14. Web URLs.
  15. IP addresses.
  16. Biometric identifiers, including finger and voice prints.
  17. Full-face photographic images and comparable images.
  18. Any other unique identifying number, characteristic, or code that can identify the individual.

Practical notes

  • Removing some, but not all, identifiers is not enough for de-identification unless you follow a Limited Data Set pathway with a Data Use Agreement.
  • Unique codes can be used internally to track de-identified records, but recipients must not be able to reverse the code to re-identify individuals.

De-Identified Information

De-identification under the HIPAA Privacy Rule aims to bring re-identification risk to a very small level while preserving utility. It enables analysis and innovation in health information technology without exposing individuals.

Two permissible methods

  • Safe Harbor: remove all 18 identifiers and ensure no actual knowledge of re-identification risk.
  • Expert Determination: a qualified expert applies accepted statistical or scientific methods and documents that the risk of re-identification is very small, along with appropriate safeguards.

Safe Harbor nuances that often trip teams

  • Geography: only the first three ZIP digits may remain, and only when the associated area exceeds 20,000 people.
  • Dates: you may keep the year, but not month or day; ages 90+ must be grouped.
  • Free-text: scrub dictated notes, comments, and images for hidden identifiers.
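The following Python script is an added example, not code from the original article or from Accountable; it turns the 18-identifier list, the two practical notes above, and the three Safe Harbor nuances into a runnable record transform. The record layout, field names, the sample patient and the small-population ZIP3 set are all constructed for illustration (a real deployment would load the ZIP3 population list from Census data). Identifier fields are dropped on an allow-list basis (deny by default), ZIP codes are truncated to three digits or collapsed to 000, dates are reduced to the year, ages over 89 are grouped as "90 or older", and free-text notes are scrubbed with regular expressions. It goes one step beyond the text in one place: for a person aged 90 or older it also drops the birth year, since a year that reveals an age over 89 is itself an identifier under Safe Harbor.

```python
"""Safe Harbor style de-identification of a constructed patient record.
Added example; field names and sample data are assumptions, not a HIPAA schema."""
import re
from datetime import date

# Fields holding direct identifiers that Safe Harbor requires removed outright.
# The field names are assumptions for this example.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "beneficiary_id", "account_number", "license_number",
    "vehicle_id", "device_id", "url", "ip_address", "biometric", "photo",
}

# ZIP3 prefixes whose combined population is 20,000 or fewer must become "000".
# Constructed placeholder; the authoritative list comes from Census data.
SMALL_POPULATION_ZIP3 = {"036", "059", "102"}

# Free-text patterns, applied in order (URLs and e-mails first so their digits
# are not later mistaken for phone numbers or IPs). Placeholders are constructed.
FREE_TEXT_PATTERNS = [
    (re.compile(r"https?://\S+"), "[URL]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[EMAIL]"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"(?<!\d)(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)"), "[PHONE]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"), "[DATE]"),
]


def generalize_zip(zip_code):
    """Keep only the first three ZIP digits; collapse small-population areas to 000."""
    if zip_code is None:
        return None
    digits = re.sub(r"\D", "", str(zip_code))[:5]
    if len(digits) < 3:
        return "000"
    zip3 = digits[:3]
    return "000" if zip3 in SMALL_POPULATION_ZIP3 else zip3


def generalize_date(value):
    """Retain only the year of a date directly related to the individual."""
    return None if value is None else str(value.year)


def age_on(birth_date, as_of):
    """Whole years between birth_date and as_of."""
    had_birthday = (as_of.month, as_of.day) >= (birth_date.month, birth_date.day)
    return as_of.year - birth_date.year - (0 if had_birthday else 1)


def generalize_age(age):
    """Ages over 89 are aggregated into a single '90 or older' category."""
    return "90 or older" if age >= 90 else str(age)


def scrub_free_text(text):
    """Replace identifier-shaped substrings in dictated notes with placeholders."""
    for pattern, placeholder in FREE_TEXT_PATTERNS:
        text = pattern.sub(placeholder, text)
    return text


def find_direct_identifiers(record):
    """Audit helper: which direct-identifier fields are still present and non-empty."""
    return {k for k in DIRECT_IDENTIFIER_FIELDS if record.get(k)}


def deidentify(record, as_of):
    """Build a Safe Harbor style copy of record. Only allow-listed fields are copied."""
    out = {
        "zip3": generalize_zip(record.get("zip")),
        "state": record.get("state"),  # state-level geography may remain
        "diagnosis": record.get("diagnosis"),
        "notes": scrub_free_text(record.get("notes", "")),
    }
    if record.get("birth_date"):
        age = age_on(record["birth_date"], as_of)
        out["age"] = generalize_age(age)
        if age < 90:  # a birth year indicating an age over 89 must also go
            out["birth_year"] = generalize_date(record["birth_date"])
    for key in ("admission_date", "discharge_date"):
        if record.get(key):
            out[key.replace("_date", "_year")] = generalize_date(record[key])
    return out


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Example", "street": "12 Elm St", "city": "Springfield",
    "state": "IL", "zip": "03601", "mrn": "MRN-0042", "email": "jane@example.com",
    "birth_date": date(1931, 5, 20),
    "admission_date": date(2023, 11, 2), "discharge_date": date(2023, 11, 9),
    "diagnosis": "Type 2 diabetes",
    "notes": "Call 555-123-4567 or jane@example.com; SSN 123-45-6789; seen 11/02/2023 from 10.0.0.5",
}

if __name__ == "__main__":
    print("identifiers before:", sorted(find_direct_identifiers(SAMPLE_RECORD)))
    released = deidentify(SAMPLE_RECORD, date(2024, 2, 1))
    print("identifiers after:", sorted(find_direct_identifiers(released)))
    print(released)
```

Run `find_direct_identifiers` on the output as a release gate, and remember that passing this transform satisfies only the mechanical half of Safe Harbor: the holder must still have no actual knowledge that the remaining fields (here diagnosis plus ZIP3, state and years) could identify the person, which is where a cohort that is too small calls for Expert Determination instead.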

Limited Data Set (LDS) versus de-identified data

An LDS still contains PHI but excludes direct identifiers (such as names, SSNs, full addresses). It may retain elements like city, state, ZIP, and dates. Use requires a Data Use Agreement specifying purpose (research, public health, health care operations), permitted recipients, and safeguards.

Practical tests for teams

  • Purpose: if you need dates or locations, consider an LDS with a Data Use Agreement; otherwise aim for Safe Harbor.
  • Risk: can a motivated outsider link remaining fields to a person using public sources? If yes, reduce fields or apply expert determination.
  • Governance: document the method, the fields released, and stewardship controls for health data security.

Health Information Not Handled by HIPAA-Covered Entities

HIPAA applies to Covered Entities—health plans, health care clearinghouses, and health care providers that transmit health information electronically in standard transactions—and to their Business Associates who handle PHI on their behalf.

Health-related data held outside that ecosystem is usually not PHI. That does not mean it is unregulated; other federal or state laws and consumer protection rules may apply, but HIPAA would not.


Common scenarios that are typically not PHI

  • Data in a consumer fitness app that does not act for a Covered Entity.
  • Wellness content browsing on a media site, unless a Covered Entity ties it to a user seeking services.
  • Personal health diaries stored privately without involvement of a Covered Entity or Business Associate.

When the status changes

  • If a provider integrates a consumer app and data flows into the EHR through a Business Associate, the same readings can become PHI.
  • If a payer contracts a vendor to process claims, the vendor becomes a Business Associate; claim data handled there is PHI.

Employment Records and PHI

Employment records held by an organization in its role as employer are not PHI, even if the organization is also a Covered Entity. HIPAA draws a boundary between the employer function and the health care provider or plan function.

Practical tests

  • Role test: Was the information created or used in the employer capacity (e.g., FMLA certifications, drug testing for employment)? That’s generally an employment record, not PHI.
  • Provider test: Was the same information created or used to provide care (e.g., clinic visit notes)? In the provider’s system, it is PHI.
  • Flow test: If data crosses from the provider into HR, it may lose PHI status in HR’s files but remains PHI within the provider’s designated record set.

Examples

  • A hospital employee’s immunization record kept by Employee Health for occupational clearance is typically an employment record for HR purposes; the vaccine administration record in the clinic’s EHR is PHI.
  • Workers’ compensation documents held by the employer are not PHI, but disclosures from a provider to the program must still follow permissible disclosure rules.

Education Records and FERPA

Student education records maintained by schools are governed by FERPA, not HIPAA. Most student health records kept by a school nurse or clinic that serves only students are “education records” or “treatment records” under FERPA and therefore excluded from HIPAA.

Key distinctions

  • K–12: Nurse records for students are FERPA education records, not PHI.
  • Higher education: University counseling center notes for students typically fall under FERPA; records for non-students seen at a university hospital are HIPAA PHI.
  • Treatment records under FERPA are used only in treatment, accessible only to treatment providers; once shared outside treatment for non-treatment purposes, they become education records.

Practical tests

  • Audience: Is the record maintained by the school for student education or treatment? Think FERPA.
  • Entity: Is the care delivered by a separate hospital or provider billing electronically? Think HIPAA.
  • Reuse: If a school uses health information for disciplinary or administrative actions, FERPA rules govern access and disclosure.

Public Health and Consumer Health Data

HIPAA permits Covered Entities to disclose PHI to public health authorities for activities like disease surveillance, reporting, and interventions. Within the Covered Entity, the information remains PHI, but once disclosed, the public health authority governs its subsequent use under its own laws.

Aggregated or de-identified datasets used for public health are not PHI. Apply the minimum necessary standard, robust access controls, and clear data-sharing agreements to maintain health data security throughout the lifecycle.

Consumer health apps and wearables

Data from consumer health technology—trackers, period apps, wellness platforms—usually falls outside HIPAA unless a Covered Entity or its Business Associate is involved. Even when not PHI, treat such data as sensitive: provide notice, obtain appropriate consent, minimize collection, and protect identifiers.

Websites, analytics, and tracking

When a Covered Entity’s website collects identifiers (like IP addresses) in contexts revealing a user’s intent to seek care, those data can be PHI. Use privacy-preserving configurations, evaluate vendors as potential Business Associates, and avoid sending PHI to third-party trackers without proper agreements and controls.

Conclusion

To decide whether something is PHI, apply the three-part test: health-related content, identifiability, and possession by a Covered Entity or Business Associate. Know the 18 identifiers, the safe harbor and expert determination paths for de-identification, and the key exclusions for employment and FERPA records. Finally, recognize that consumer health data and public health uses sit at the boundary—governed by purpose, context, and safeguards under the HIPAA Privacy Rule and broader privacy laws.

FAQs

What types of information are included as PHI under HIPAA?

PHI includes any individually identifiable health information related to a person’s health, care, or payment that is created, received, maintained, or transmitted by a Covered Entity or Business Associate. It spans clinical notes, lab results, claims, billing details, images, device data, and even metadata like IP addresses when linked to care-seeking. If it identifies the person (directly or reasonably) and sits within the HIPAA ecosystem, it is PHI.

When is health information considered de-identified?

Information is de-identified when either (1) all 18 identifiers are removed and the holder has no actual knowledge that the remaining data can identify an individual (safe harbor), or (2) a qualified expert documents that the risk of re-identification is very small using accepted scientific methods (expert determination). De-identified data is not PHI.

Are employer-collected health records protected as PHI?

Employment records held by an employer in its role as employer are not PHI, even if the employer is also a Covered Entity. However, copies of the same information kept by a provider or health plan for care or payment remain PHI in those systems. Always separate HR files from clinical or plan records.

Is data from consumer health apps regulated by HIPAA?

Usually not. If a consumer app collects data on its own behalf without acting for a Covered Entity, HIPAA does not apply and the data is not PHI. If the app integrates with a provider or plan as a Business Associate, the same data may become PHI. Even when HIPAA doesn’t apply, other privacy and consumer protection laws may govern the data.
