What Is HIPAA PHI? What Counts, What Doesn’t, and Why It Matters

Kevin Henry

HIPAA

February 01, 2024

7 minutes read

Definition of Protected Health Information

Protected Health Information (PHI) is individually identifiable health information created or received by covered entities or their business associates that relates to a person’s past, present, or future physical or mental health, care provided, or health care payment information. If the data identifies a person—or could reasonably be used to identify them—it is PHI.

Under the HIPAA Privacy Rule, PHI can exist in any medium and is not limited to a “medical chart.” It includes information in a designated record set, such as medical and billing records a provider or health plan uses to make decisions about individuals. Covered entities include health plans, health care clearinghouses, and health care providers who transmit health information electronically for standard transactions.

Types of Information Included in PHI

PHI includes both health content (diagnoses, medications, lab values, images, care plans) and the identifiers that link that content to a person. Together they form individually identifiable health information protected by HIPAA.

Common examples

  • Clinical documentation: physician notes, operative reports, test results, imaging, care coordination messages.
  • Administrative and financial data: claims, remittance advice, explanations of benefits, prior authorizations, and other health care payment information.
  • Member and patient records within a designated record set used to make decisions about coverage, treatment, or billing.

The 18 identifiers that make health information “identifiable”

  • Names.
  • Geographic data smaller than a state (e.g., street address, city, full ZIP code; limited ZIP aggregation rules apply).
  • All elements of dates (except year) directly related to an individual, and ages over 89 when not aggregated to 90+.
  • Telephone numbers.
  • Fax numbers.
  • Email addresses.
  • Social Security numbers.
  • Medical record numbers.
  • Health plan beneficiary numbers.
  • Account numbers.
  • Certificate/license numbers.
  • Vehicle identifiers and license plates.
  • Device identifiers and serial numbers.
  • Web URLs.
  • IP addresses.
  • Biometric identifiers (e.g., fingerprints, voiceprints).
  • Full-face photos and comparable images.
  • Any other unique identifying number, characteristic, or code.

Forms of PHI: Oral, Written, and Electronic

PHI is not medium-specific. It includes oral communications (e.g., hallway case discussions or phone updates), written records (paper charts, intake forms, mailed statements), and electronic PHI (ePHI) such as EHR entries, patient portal messages, emails, texts, faxes, and backups.

Reasonable safeguards apply across forms: avoid discussing cases in public areas, secure paper files, and protect ePHI with access controls and transmission security. The Security Rule sets additional requirements for ePHI, while the Privacy Rule governs when PHI may be used or disclosed.

HIPAA Privacy Rule Protections

The HIPAA Privacy Rule sets national standards for how covered entities and business associates use and disclose PHI and how individuals can exercise their rights. It balances permissible flows of information for care and operations with strong privacy controls.

Core protections

  • Minimum necessary: limit uses, disclosures, and requests to the least amount of PHI needed for the purpose.
  • Authorization: obtain valid written authorization for uses and disclosures not otherwise permitted.
  • Notice of Privacy Practices: inform individuals how their PHI will be used and their rights.
  • Individual rights in the designated record set: access, obtain copies, request corrections, request restrictions, and request confidential communications.
  • Safeguards: administrative, physical, and technical measures to prevent impermissible uses and disclosures and reduce incidental exposure.
  • Business associate oversight: contracts require appropriate PHI protections when services involve PHI.

Permitted Disclosures of PHI

HIPAA allows certain uses and disclosures of PHI without authorization, while others require authorization or an opportunity for the individual to agree or object. All permitted disclosures must honor the minimum necessary standard unless an exception applies (such as disclosures to the individual or for treatment).

Commonly permitted without authorization

  • Treatment, payment, and health care operations (TPO), including coordination of care and quality improvement.
  • Disclosures to the individual patient or member.
  • Public interest and benefit activities, such as: required by law; public health reporting; health oversight; judicial and administrative proceedings; certain law enforcement purposes; to avert a serious threat; for cadaveric organ, eye, or tissue donation; to coroners and medical examiners; for specialized government functions; and workers’ compensation as authorized.
  • Research under specific conditions (e.g., IRB/privacy board waiver, preparation for research, or use of a limited data set with a data use agreement).
  • Directory information and notifications to family or others involved in care when the individual agrees or when professional judgment permits and the individual has the opportunity to object.
  • Incidental disclosures that occur as a by-product of otherwise permitted uses when safeguards are in place.

When authorization is required

  • Most uses and disclosures for marketing.
  • Sale of PHI.
  • Most uses and disclosures of psychotherapy notes.
  • Any use or disclosure not otherwise permitted or required by the HIPAA Privacy Rule.

Exclusions from PHI

Some information is not PHI under HIPAA and therefore falls outside the Privacy Rule’s scope. Other laws may still apply.

  • De-identified information: data that meet HIPAA de-identification standards (safe harbor removal of 18 identifiers or expert determination of very small re-identification risk).
  • Education records covered by the Family Educational Rights and Privacy Act (FERPA) and treatment records of students maintained by educational institutions.
  • Employment records held by a covered entity in its role as employer (e.g., FMLA paperwork in HR files).
  • Individually identifiable health information of a person deceased for more than 50 years.
  • Health information held by organizations that are not covered entities or business associates, unless they receive PHI from a covered entity for a HIPAA-covered purpose.
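The safe harbor method referred to above consists of concrete transformations over the 18 identifiers listed earlier: direct identifiers are dropped, dates keep only the year, ages over 89 collapse into a single 90+ bucket, and ZIP codes are truncated to three digits. The following is an added example (not code from the article or from Accountable) that applies those rules to a constructed record; the field names are an assumed schema, and the set of three-digit ZIP prefixes that must be reduced further to "000" is passed in by the caller as an assumption, since that determination depends on population data not on this page.

```python
import re
from datetime import date

# Assumed schema: fields holding one of the 18 direct identifiers.
# Free-text fields (notes) would need separate review for embedded identifiers.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "phone", "fax", "email", "ssn", "mrn",
    "beneficiary_id", "account_no", "license_no", "plate", "device_serial",
    "url", "ip", "biometric", "photo",
}
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}


def generalize_age(age: int) -> str:
    # Ages over 89 are aggregated into a single "90+" category.
    return "90+" if age > 89 else str(age)


def generalize_zip(zip_code: str, restricted_prefixes: frozenset) -> str:
    # Keep the first three digits; restricted prefixes (caller-supplied
    # assumption) and malformed values become "000".
    prefix = re.sub(r"\D", "", zip_code)[:3]
    if len(prefix) < 3 or prefix in restricted_prefixes:
        return "000"
    return prefix


def year_only(iso_date: str) -> str:
    # All date elements except the year are removed (ISO yyyy-mm-dd input).
    return str(date.fromisoformat(iso_date).year)


def deidentify(record: dict, restricted_prefixes=frozenset()) -> dict:
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # direct identifier: removed outright
        if key in DATE_FIELDS:
            out[key] = year_only(value)
        elif key == "age":
            out[key] = generalize_age(value)
        elif key == "zip":
            out[key] = generalize_zip(value, restricted_prefixes)
        else:
            out[key] = value  # health content (diagnosis, labs) is retained
    return out


# Constructed sample record with fictional values.
SAMPLE = {"name": "Jane Q. Sample", "ssn": "000-00-0000", "dob": "1931-04-12",
          "age": 92, "zip": "02115-1234", "admit_date": "2023-11-03",
          "diagnosis": "E11.9", "a1c": 7.4}

if __name__ == "__main__":
    print(deidentify(SAMPLE, restricted_prefixes=frozenset({"036"})))
```

Running the block prints a record with no name or SSN, `dob` and `admit_date` reduced to years, `age` as `90+`, and `zip` as `021`, while the diagnosis and lab value are unchanged.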

Importance of PHI Compliance

PHI compliance protects patients from harm such as identity theft, discrimination, and loss of trust. It also safeguards organizations from regulatory investigations, costly penalties, litigation, and reputational damage, while supporting safe data sharing for care and innovation.

Practical steps to stay compliant

  • Map your designated record set and data flows across systems, vendors, and teams.
  • Apply minimum necessary access, role-based permissions, and audit logging.
  • Train workforce members routinely and test understanding with real-world scenarios.
  • Use de-identified information or a limited data set when feasible, with appropriate agreements.
  • Keep current business associate agreements and verify vendors’ safeguards.
  • Establish clear processes for individual rights requests and timely responses.

Key takeaways

  • HIPAA PHI is individually identifiable health information held by covered entities or business associates in any form.
  • Identifiers plus health content make information protected; remove identifiers to create de-identified information.
  • The HIPAA Privacy Rule permits essential flows (like TPO) and grants individuals strong rights in their records.
  • Know what is excluded—FERPA records, employment records, and information about decedents after 50 years.
  • Consistent safeguards, training, and governance reduce risk and strengthen patient trust.

FAQs

What information is considered PHI under HIPAA?

PHI is individually identifiable health information about a person’s health, care, or payment for care that is created or received by a covered entity or business associate. It includes clinical data and administrative records in a designated record set when they can identify the individual directly or indirectly.

How does the Privacy Rule protect PHI?

The HIPAA Privacy Rule limits how PHI may be used and disclosed, requires the minimum necessary, mandates a Notice of Privacy Practices, and grants rights to access, obtain copies, request corrections, and request restrictions or confidential communications. It also requires safeguards and business associate contracts to protect PHI.

What types of disclosures of PHI are permitted?

Without authorization, disclosures for treatment, payment, and health care operations are allowed, as are certain public interest purposes (e.g., public health, oversight, law enforcement in defined circumstances), disclosures to the individual, and research under specified conditions. Other uses generally require written authorization.

What information is excluded from PHI?

De-identified information, FERPA education records, employment records held by a covered entity as an employer, information about individuals deceased more than 50 years, and health data held by non-covered entities (unless received as PHI for a HIPAA purpose) are not PHI under HIPAA.
