What Is Considered Protected Health Information (PHI) Under HIPAA?


Kevin Henry

HIPAA

February 17, 2024

7 minute read

Protected health information (PHI) under HIPAA refers to any individually identifiable health information that links a person to their health status, care, or healthcare payment data. If the information identifies the individual—or there is a reasonable basis to believe it could—it is PHI when created or received by a covered entity or its business associate, regardless of whether it is electronic, paper, or spoken.

Definition of Protected Health Information

PHI is individually identifiable health information that a covered entity (a health plan, a healthcare clearinghouse, or a healthcare provider that conducts standard electronic transactions) or its business associate creates, receives, maintains, or transmits. To qualify as PHI, the information must both relate to health and be identifiable. It relates to health if any of the following applies:

  • It relates to an individual’s past, present, or future physical or mental health or condition.
  • It concerns the provision of healthcare to the individual.
  • It involves healthcare payment data for the provision of care.

Information is identifiable if it directly identifies a person or could be used to identify them when combined with demographic identifiers or other data.

Types of Information Included as PHI

You will encounter PHI across many routine operations. The content type does not matter; what matters is the combination of health-related details and identifiability.

  • Clinical records: diagnoses, medications, lab and imaging results, care plans, and progress notes.
  • Administrative and billing records: claims, remittance advice, prior authorizations, and benefit explanations tied to a person.
  • Healthcare payment data: account numbers, payment methods, and payer interactions linked to an individual.
  • Scheduling and communications: appointment reminders, discharge instructions, and portal messages that reference a patient.
  • Images and media: radiology files, wound photos, and full face photographic images attached to a medical record.
  • Monitoring and device data: wearable feeds or device output when associated with a patient, plus device identifiers tied to the person.
  • Eligibility and plan information: member IDs, coverage details, and health plan beneficiary identifiers.

Examples of PHI Identifiers

HIPAA's Safe Harbor method lists 18 identifiers of the individual and of the individual's relatives, employers, and household members. Health information linked to any of them is PHI; removing all 18, with no actual knowledge that the remaining data could identify the individual, de-identifies the data.

  • Names
  • Geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code); the first three digits of a ZIP code may be kept when the area sharing them has more than 20,000 people, and otherwise become 000
  • All elements of dates (except year) directly related to an individual (e.g., birth, admission, discharge, death); all ages over 89 and any date elements that would reveal such an age, which may be aggregated into a single category of 90 or older
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary identifiers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plates
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Biometric data (e.g., fingerprints, voiceprints)
  • Full face photographic images and comparable images
  • Any other unique identifying number, characteristic, or code
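
The identifier list above is the specification; what follows is an added example, not code from the original article, showing how a practitioner would apply the Safe Harbor rules to one record. It uses an allowlist of fields known to be safe (because the last identifier, "any other unique identifying number, characteristic, or code", means anything unrecognised should be dropped), keeps only the year of dates, collapses ages over 89 into a 90+ bucket, and reduces ZIP codes to three digits or 000. The field names in the sample schema, the `KEEP_FIELDS` and `DATE_FIELDS` sets, and the fictitious record are assumptions; the restricted ZIP prefixes are taken from HHS's Safe Harbor guidance and should be re-checked against the current version.

```python
# Added example (not from the original article): Safe Harbor de-identification
# of one patient record. Field names in the sample schema are assumptions.
import re
from datetime import date

# Fields we positively know carry no identifier. Safe Harbor's last item
# ("any other unique identifying number, characteristic, or code") is why an
# allowlist is safer than a blocklist: anything unrecognised is dropped.
KEEP_FIELDS = {"sex", "diagnosis", "medication"}
DATE_FIELDS = {"dob", "admitted", "discharged", "deceased"}

# Three-digit ZIP areas with 20,000 or fewer residents, as listed in HHS's
# Safe Harbor guidance (derived from 2000 census data). Re-check against the
# current guidance before relying on this list.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}


def generalize_zip(zip_code):
    """Keep the first three ZIP digits unless that area is sparsely populated."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5:
        return None            # malformed input: drop rather than guess
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_on(birth, as_of):
    """Completed years between two dates."""
    before_birthday = (as_of.month, as_of.day) < (birth.month, birth.day)
    return as_of.year - birth.year - before_birthday


def safe_harbor(record, as_of):
    """Return a de-identified copy of record (a dict) under the Safe Harbor rules."""
    out = {}
    for field, value in record.items():
        if field in KEEP_FIELDS:
            out[field] = value
        elif field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field in DATE_FIELDS:
            out[field + "_year"] = value.year if value else None   # year only
        # every other field (name, MRN, SSN, email, IP, unknown codes) is dropped
    birth = record.get("dob")
    if birth:
        age = age_on(birth, as_of)
        if age > 89:
            out["age"] = "90+"          # ages over 89 collapse into one bucket
            out["dob_year"] = None      # the birth year alone would reveal the age
        else:
            out["age"] = age
    return out


AS_OF = date(2024, 2, 17)

# Constructed sample record; all values are fictitious.
SAMPLE = {
    "name": "Jane Q. Patient",
    "mrn": "MRN-0012345",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "ip": "203.0.113.7",
    "zip": "05901",                 # 059 is a restricted prefix, so it becomes "000"
    "sex": "F",
    "dob": date(1930, 3, 1),        # age 93 on AS_OF, so it becomes "90+"
    "admitted": date(2023, 11, 4),
    "diagnosis": "E11.9",
    "visit_token": "a9f3-77b1",     # unrecognised code: dropped by the allowlist
}

YOUNG_SAMPLE = {"mrn": "MRN-0099", "zip": "02138-4321", "dob": date(1980, 6, 15)}

if __name__ == "__main__":
    print(safe_harbor(SAMPLE, AS_OF))
    print(safe_harbor(YOUNG_SAMPLE, AS_OF))
```

Running it on `SAMPLE` leaves only `zip3`, `sex`, `admitted_year`, `diagnosis`, `age` and a null `dob_year`; the direct identifiers and the unknown `visit_token` never reach the output. Note that Safe Harbor also requires that you have no actual knowledge the remaining fields could identify the person, which no transformation can check for you.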

Exclusions from PHI

  • De-identified information: Data that cannot identify a person, either by removing the identifiers above (Safe Harbor) or through expert determination, is not PHI.
  • Employment records: Health information a covered entity holds in its role as an employer (e.g., FMLA, drug testing, fitness-for-duty) is not PHI.
  • Education records: Records covered by FERPA, including certain student treatment records at schools, are not PHI.
  • Information about decedents after 50 years: Health information of an individual deceased for more than 50 years is not PHI.
  • Consumer-generated data held outside HIPAA: Health data in apps, wearables, or services that are not acting on behalf of a covered entity may fall outside HIPAA and thus are not PHI under HIPAA.

Note: A “limited data set” with specified identifiers removed is still PHI and requires a data use agreement for research, public health, or operations.
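
Safe Harbor removes the listed identifiers, but information can still be identifiable when combined with other data, which is what the expert determination method is meant to assess. The following is an added example, not from the original article, of a screening check an engineer can run before sharing a dataset: it counts how many records share each combination of retained quasi-identifiers (here `zip3`, `birth_year` and `sex`, an assumed schema), flags records that are unique on those fields, and shows how coarsening birth year to a decade raises the smallest group size. The records are constructed and fictitious.

```python
# Added example (not from the original article): measuring how many records
# share each combination of retained quasi-identifiers. A group of size 1 is a
# record that can be singled out and matched against an outside source.
from collections import Counter

QUASI_IDENTIFIERS = ("zip3", "birth_year", "sex")   # assumed retained fields


def equivalence_classes(records, keys=QUASI_IDENTIFIERS):
    """Count records per combination of quasi-identifier values."""
    return Counter(tuple(r.get(k) for k in keys) for r in records)


def k_anonymity(records, keys=QUASI_IDENTIFIERS):
    """Size of the smallest group; k == 1 means at least one record is unique."""
    classes = equivalence_classes(records, keys)
    return min(classes.values()) if classes else 0


def unique_records(records, keys=QUASI_IDENTIFIERS):
    """Records whose quasi-identifier combination appears exactly once."""
    classes = equivalence_classes(records, keys)
    return [r for r in records if classes[tuple(r.get(k) for k in keys)] == 1]


def generalize_years(records, bucket=10):
    """Coarsen birth_year to a decade, one common way to raise k."""
    out = []
    for r in records:
        g = dict(r)
        g["birth_year"] = (r["birth_year"] // bucket) * bucket
        out.append(g)
    return out


# Constructed, fictitious records that already satisfy Safe Harbor.
RECORDS = [
    {"zip3": "021", "birth_year": 1985, "sex": "F", "diagnosis": "E11.9"},
    {"zip3": "021", "birth_year": 1985, "sex": "F", "diagnosis": "J45.909"},
    {"zip3": "021", "birth_year": 1985, "sex": "M", "diagnosis": "I10"},
    {"zip3": "021", "birth_year": 1987, "sex": "M", "diagnosis": "E11.9"},
    {"zip3": "100", "birth_year": 1985, "sex": "F", "diagnosis": "I10"},
    {"zip3": "100", "birth_year": 1985, "sex": "F", "diagnosis": "E11.9"},
]

if __name__ == "__main__":
    print("k before:", k_anonymity(RECORDS), "unique:", unique_records(RECORDS))
    coarse = generalize_years(RECORDS)
    print("k after :", k_anonymity(coarse), "unique:", unique_records(coarse))
```

On the sample data the two men in ZIP area 021 are each unique on (ZIP3, birth year, sex), so k is 1; bucketing birth years into decades merges them and raises k to 2. This is a heuristic for spotting obviously risky releases, not a substitute for an expert determination, which also weighs what data a recipient could plausibly link and whether small groups share the same sensitive value.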


Importance of PHI Protection

Protecting PHI preserves patient trust, supports safety, and prevents harm such as identity theft, discrimination, or financial loss. Strong safeguards also reduce breach risk, avoid regulatory penalties, and uphold professional ethics in care delivery and payment operations.

Compliance Requirements under HIPAA

Covered Entities and Business Associates

Health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with a HIPAA standard transaction (claims, eligibility checks, and the like) are covered entities and must comply with HIPAA. Vendors that create, receive, maintain, or transmit PHI on their behalf are business associates; a business associate agreement (BAA) must define permitted uses and disclosures, required safeguards, and breach reporting duties, and business associates are directly liable for complying with the Security Rule.

Privacy Rule essentials

  • Use and disclose PHI only as permitted (e.g., treatment, payment, healthcare operations) or with a valid authorization.
  • Apply the minimum necessary standard to limit PHI to what is needed.
  • Provide a Notice of Privacy Practices and honor individual rights (access, amendments, restrictions, confidential communications, and an accounting of disclosures).

Security Rule essentials

  • Implement administrative, physical, and technical safeguards tailored by a risk analysis and ongoing risk management.
  • Establish access controls, audit controls, integrity protections, and transmission security. Encryption is an addressable implementation specification: implement it where reasonable and appropriate, and when you do not, document the rationale and the equivalent alternative measure in place.
  • Train the workforce, manage device and media controls, and document policies and procedures.

Breach Notification Rule

  • Assess incidents to determine whether unsecured PHI was compromised. PHI encrypted or destroyed in line with HHS guidance is secured, so its loss is not a reportable breach; for unsecured PHI, an impermissible use or disclosure is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised.
  • Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery; report to HHS within the same window for breaches affecting 500 or more individuals (smaller breaches go in an annual log submitted within 60 days of year end); and notify prominent media outlets when more than 500 residents of a state or jurisdiction are affected.
  • Document risk assessments, decisions, and corrective actions.

Documentation, Training, and Oversight

  • Maintain written policies, procedures, and sanctions; review and update regularly.
  • Conduct periodic risk assessments and audits; monitor access; remediate gaps.
  • Manage vendors with due diligence, BAAs, and ongoing security assurances.

Handling and Safeguarding PHI

Access Management and Minimum Necessary

  • Grant role-based access with least privilege, unique user IDs, and multi-factor authentication.
  • Review access routinely and promptly terminate access when roles change.

Secure Transmission and Storage

  • Encrypt PHI in transit and at rest; use a secure portal or encrypted messaging rather than plain email or SMS whenever possible.
  • Harden systems with patching, endpoint protection, and backups tested via recovery drills.

Device and Workspace Security

  • Protect laptops and mobile devices with full-disk encryption and remote wipe.
  • Control physical areas with badges, visitor logs, locked cabinets, and privacy screens.

Data Minimization and De-identification

  • Collect and share only what is necessary; prefer de-identified data when feasible.
  • When sharing a limited data set, execute a data use agreement and monitor compliance.

Vendor and Cloud Risk Management

  • Use vendors that sign BAAs and meet security expectations; validate controls periodically.
  • Implement data loss prevention, secure APIs, and logging for integrations; log and protect device identifiers and serial numbers too, since they are PHI once tied to a patient.

Monitoring, Auditing, and Incident Response

  • Log access and disclosures; investigate anomalies quickly.
  • Follow an incident response plan to contain, assess, notify, and prevent recurrence.

Remote Work and BYOD

  • Use managed devices, VPN, and encrypted storage; block auto-forwarding of email to personal accounts.
  • Train staff to avoid storing PHI in unsanctioned apps or locations.

Secure Disposal and Media Sanitization

  • Shred paper; wipe or destroy drives and removable media before disposal or reuse.
  • Validate destruction through documented procedures and vendor attestations.

Conclusion

Under HIPAA, PHI means individually identifiable health information connected to care, condition, or payment. By understanding identifiers—such as demographic identifiers, biometric data, device identifiers, and full face photographic images—and by applying robust privacy and security controls, you can reduce risk, support compliance, and protect the people behind the data.

FAQs

What types of information qualify as PHI under HIPAA?

Any health-related details that identify a person—or could reasonably identify them—qualify as PHI when handled by a covered entity or business associate. That includes clinical notes, test results, images, scheduling details, and healthcare payment data linked to an individual.

How does HIPAA define identifiable health information?

HIPAA uses the term “individually identifiable health information,” meaning data that identifies a person directly or could identify them when combined with demographic identifiers or other data. If there is a reasonable basis to believe identification is possible, the information is identifiable.

Are employment health records considered PHI?

No. Health information that an employer maintains in its role as an employer—such as FMLA files, pre-employment physicals, or drug testing results—is not PHI under HIPAA. However, the same medical details kept by a provider for treatment purposes are PHI.

What are common identifiers included in PHI?

Frequent identifiers include names, addresses, dates (except year), phone and email, Social Security and medical record numbers, health plan beneficiary identifiers, account numbers, device identifiers, IP addresses, biometric data, and full face photographic images, among others listed above.
