What Is HIPAA PHI? Protected Health Information Definition and Examples
Definition of PHI
Under HIPAA, Protected Health Information (PHI) is any individually identifiable health information created, received, maintained, or transmitted by a covered entity or its business associate. It includes data that relates to an individual’s past, present, or future physical or mental health, the provision of a health care service, or payment for that care, and that either directly identifies the person or could reasonably be used to identify them.
PHI can be demographic (such as age or ZIP code) when it appears alongside details about care or payment. While all PHI may exist across an organization, your right of access focuses on the Designated Record Set—the medical, billing, enrollment, claims, and case management records a covered entity uses to make decisions about you. Information outside the Designated Record Set can still be PHI, but different rights and workflows may apply.
Forms of PHI
HIPAA protects PHI in any form or medium. That includes electronic PHI (ePHI) in EHRs, patient portals, email, and backups; paper PHI such as printed charts, faxes, and mailed statements; and spoken PHI in intake interviews, voicemails, and care team huddles.
Screenshots, photos of whiteboards, metadata in file names, and logs tied to a Medical Record Number also count when they can be linked to an individual’s health care or payment. Whether you handle paper, electronic, or verbal information, the same privacy principles apply.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Examples of PHI
- Identifiers plus health details: name and diagnosis; date of birth and test results; address with discharge summary; or phone number and prescription history.
- Numbers that identify a person in care or payment: Medical Record Number, Health Insurance Number (for example, a plan beneficiary ID), account or claim numbers, and authorization or referral numbers.
- Clinical and administrative content: progress notes, imaging and lab reports, medication lists, problem lists, care plans, after-visit summaries, explanations of benefits, and prior-authorization files.
- Digital traces linked to care: patient-portal usernames, IP addresses captured in portal logs, device identifiers for home monitoring, and telehealth recordings tied to a chart.
- Media and biometrics: full-face photos in a wound record, voiceprints used for refills, and serial numbers of implanted devices recorded in the chart.
Exclusions from PHI
- Education records protected by the Federal Family Educational Rights and Privacy Act (FERPA) and FERPA “treatment records” maintained by a school or university health clinic.
- Employment records held by a covered entity in its role as employer (for example, FMLA paperwork in HR files), even if they include health information.
- Health information created or held by entities that are not covered entities or business associates (such as many consumer apps and wearables) unless they handle the data on behalf of a covered entity.
- PHI of individuals who have been deceased for more than 50 years; after that period, HIPAA protections no longer apply.
- De-identified information that does not identify an individual and cannot reasonably be used to identify them.
De-identified Information
De-identification removes the link between data and a person, making it no longer PHI. HIPAA allows two methods. Under Expert Determination, a qualified expert applies statistical or scientific principles to conclude the risk of re-identification is very small. Under the Safe Harbor method, a dataset is stripped of specified personal identifiers and the holder has no actual knowledge that the remaining information could identify an individual.
The Safe Harbor identifiers include: names; geographic subdivisions smaller than a state (with limited ZIP code exceptions); all elements of dates (except year) related to an individual; phone and fax numbers; email addresses; Social Security numbers; Medical Record Numbers; health plan beneficiary or Health Insurance Numbers; account numbers; certificate or license numbers; vehicle identifiers and serial numbers; device identifiers and serial numbers; web URLs; IP addresses; biometric identifiers (like fingerprints and voiceprints); full-face photos and comparable images; and any other unique identifying number, characteristic, or code.
A Limited Data Set (with most direct identifiers removed but dates and some locations retained) is still PHI and requires a data use agreement. Whichever method you choose, document your de-identification approach and monitor for re-identification risk.
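As an added example that is not part of the original article, the following Python applies the Safe Harbor rules described above to a constructed flat patient record: direct identifiers are dropped, dates are reduced to the year, and ZIP codes are truncated to three digits with the small-population exception. The field names, the small-population ZIP prefix set and the sample record are assumptions; the code also carries the regulation's aggregation of ages over 89 into "90+", which the article's list summarises under date elements.

```python
import re
from datetime import date

# Record fields that hold Safe Harbor direct identifiers; these are dropped.
# Field names are an assumed flat schema for this example, not a real system's.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_id", "photo",
}
# Three-digit ZIP prefixes covering 20,000 people or fewer must become 000
# (the Safe Harbor ZIP exception). Constructed set; real use needs Census data.
SMALL_POPULATION_ZIP3 = {"036", "102", "203"}
ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
AS_OF = date(2024, 1, 15)  # reference date for computing age (assumed)


def safe_harbor(record: dict, as_of: date = AS_OF) -> dict:
    """Return a de-identified copy of a flat record under Safe Harbor rules.
    Unrecognised fields pass through unchanged, so a reviewer must still
    confirm no other unique identifying number, characteristic or code remains."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                          # remove the identifier outright
        if key == "zip":
            zip3 = str(value)[:3]             # keep at most the first three digits
            out[key] = "000" if zip3 in SMALL_POPULATION_ZIP3 else zip3
        elif key == "date_of_birth":
            dob = date.fromisoformat(value)
            age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
            if age > 89:
                out["age_category"] = "90+"   # year and age both indicative; aggregate
            else:
                out["birth_year"] = dob.year  # only the year element is retained
        elif isinstance(value, str) and ISO_DATE.match(value):
            out[key] = value[:4]              # other dates: keep the year only
        else:
            out[key] = value
    return out


# Constructed sample record (not real data).
SAMPLE_RECORD = {
    "name": "Jane Q. Sample", "mrn": "MRN-0001234", "email": "jane@example.com",
    "date_of_birth": "1931-05-20", "zip": "03601", "admit_date": "2023-11-02",
    "diagnosis": "I10",
}

if __name__ == "__main__":
    print(safe_harbor(SAMPLE_RECORD))
```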
In short, HIPAA PHI is individually identifiable data about health, care, or payment across paper, electronic, and verbal formats. Know what counts, recognize the common exclusions, and use rigorous de-identification when sharing data beyond care and payment operations.
FAQs
What information qualifies as PHI under HIPAA?
PHI is individually identifiable health information created, received, maintained, or transmitted by a covered entity or business associate that relates to health status, a health care service, or payment for that service. It includes demographics when linked to care or payment, and spans electronic, paper, and verbal forms. Your right of access focuses on records in the Designated Record Set used to make decisions about you.
How is PHI different from de-identified health information?
PHI can identify a person or reasonably be used to do so. De-identified information cannot, either because an expert certifies a very small risk of re-identification or because all Safe Harbor personal identifiers—such as name, Medical Record Number, and Health Insurance Number—are removed and no actual knowledge of identification risk remains. De-identified data is not PHI under HIPAA.
What types of records are excluded from PHI protections?
Education records covered by the Federal Family Educational Rights and Privacy Act (and FERPA treatment records), employment records held by an employer, de-identified datasets, PHI of individuals deceased more than 50 years, and many consumer-health app records outside a covered entity or business associate relationship fall outside HIPAA’s PHI protections.