What Is Not Considered PHI Under HIPAA? Examples and Exceptions
Not all health-related information is protected health information (PHI). Under HIPAA, data is PHI only if it is individually identifiable health information that a Covered Entity or its Business Associate creates, receives, maintains, or transmits, and that relates to an individual's past, present, or future health condition, the provision of care, or payment for care. This guide explains what is not considered PHI under HIPAA, with clear examples and practical exceptions you should know.
Understanding these Data Privacy Exceptions helps you handle Health Information Privacy correctly—especially where HIPAA interacts with other laws, such as FERPA Compliance, or when De-Identification Standards remove HIPAA identifiers.
De-Identified Data Criteria
Data that meets HIPAA’s De-Identification Standards is not PHI. You can reach this status through one of two pathways: Expert Determination or Safe Harbor.
Two pathways to de-identification
- Expert Determination: A person with appropriate statistical or scientific expertise applies generally accepted methods, determines that the risk that an anticipated recipient could re-identify an individual (alone or in combination with other reasonably available information) is very small, and documents the methods and results.
- Safe Harbor: You remove all 18 HIPAA identifiers of the individual and of the individual's relatives, employers, and household members, and you have no actual knowledge that the remaining information could identify the individual.
Safe Harbor: remove these HIPAA identifiers
- Names
- All geographic subdivisions smaller than a state (street address, city, county, precinct, and ZIP code); the first three ZIP digits may be kept only when the geographic unit formed by all ZIP codes sharing those digits contains more than 20,000 people, and must otherwise be changed to 000
- All elements of dates (except year) directly related to an individual, such as birth, admission, discharge, and death dates; all ages over 89 and any date elements that reveal such an age, which may only be aggregated into a single category of age 90 or older
- Telephone and fax numbers
- Email addresses
- Social Security numbers
- Medical record, health plan beneficiary, and account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers (including license plates)
- Device identifiers and serial numbers
- Web URLs and IP addresses
- Biometric identifiers (fingerprints, voiceprints, etc.)
- Full-face photos and comparable images
- Any other unique identifying number, characteristic, or code, except a re-identification code that the rule permits: one that is not derived from information about the individual and whose assignment mechanism is not disclosed
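As an added worked example (not part of the original article or of any product it mentions), the following Python applies the Safe Harbor transformations listed above to one flat record: direct identifiers are dropped, ZIP codes are reduced to three digits (or to 000 for the restricted prefixes that HHS guidance lists from the 2000 Census; confirm against current census data before relying on it), full dates are reduced to the year, ages over 89 collapse to "90+" with the birth year suppressed, and free-text fields are scanned for identifiers that survive a field-level pass. The field names, the sample record, and the regular expressions are assumptions chosen for this example.

```python
import re
from datetime import date

# Three-digit ZIP prefixes that HHS guidance (derived from the 2000 Census)
# lists as covering 20,000 or fewer people; Safe Harbor turns these into
# "000". Assumption: verify this set against current census data.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

# Field names treated as direct identifiers and removed outright
# (hypothetical schema chosen for this example).
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "plan_id", "account_no", "license_no", "vin", "device_serial",
    "url", "ip", "biometric", "photo",
}

# Fields holding full dates that must be reduced to the year.
DATE_FIELDS = {"admit_date", "discharge_date", "death_date"}

# Patterns for identifiers that commonly survive inside free-text notes.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def generalize_zip(zip_code):
    """Return the first three ZIP digits, or '000' for a restricted prefix."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5:
        return None
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def year_only(iso_date):
    """Keep only the year of an ISO date string (YYYY-MM-DD)."""
    return int(iso_date[:4]) if iso_date else None


def generalize_age(dob, as_of):
    """Age as of a date; ages over 89 become '90+' and the birth year is dropped."""
    born = date.fromisoformat(dob)
    age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
    if age > 89:
        return "90+", None
    return age, born.year


def find_residual_identifiers(text):
    """Return (kind, match) pairs for identifier patterns found in free text."""
    hits = []
    for kind, pattern in RESIDUAL_PATTERNS.items():
        hits.extend((kind, m) for m in pattern.findall(text or ""))
    return hits


def safe_harbor(record, as_of):
    """Apply Safe Harbor transformations to one flat record.

    Returns (deidentified_record, flagged_fields). A free-text field that
    still contains an identifier pattern is dropped and its name is flagged
    for review; the 'no actual knowledge' condition remains a human judgment.
    """
    out, flagged = {}, []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "dob":
            out["age"], out["birth_year"] = generalize_age(value, as_of)
        elif key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = year_only(value)
        elif isinstance(value, str) and find_residual_identifiers(value):
            flagged.append(key)
        else:
            out[key] = value
    return out, flagged


# Constructed sample record for the example; it describes no real person.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "dob": "1931-04-15",
    "zip": "03601",
    "phone": "603-555-0142",
    "admit_date": "2024-03-09",
    "diagnosis": "E11.9",
    "note": "Daughter reachable at 603-555-0199 or jane@example.org.",
}

if __name__ == "__main__":
    result, flagged = safe_harbor(SAMPLE_RECORD, date(2024, 6, 1))
    print(result)   # age becomes '90+', zip3 becomes '000', admit_year 2024
    print(flagged)  # ['note'] because the note still carries a phone and an email
```

The output of this pass is still PHI if the Covered Entity or Business Associate keeps a key that maps the result back to the source record, and the free-text check only catches the patterns it knows; names, rare diagnoses combined with small geographies, and other quasi-identifiers need the kind of risk assessment an Expert Determination provides.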
Key nuances and common pitfalls
- Pseudonymized or coded data can still be PHI if a Covered Entity or Business Associate holds the key or can re-identify individuals.
- Aggregated statistics that cannot single out a person are typically not PHI; apply cell-size suppression and other safeguards to keep re-identification risk low.
- A “limited data set” (which may contain dates and some geography) is still PHI and requires a data use agreement; it is not fully de-identified.
Employment Records Exemptions
Information a Covered Entity maintains in its role as an employer—rather than as a healthcare provider or plan—is not PHI. These employment records sit outside HIPAA even when they contain health details.
Examples that are generally not PHI
- Return-to-work notes, fitness-for-duty evaluations, drug test results, and workplace injury logs kept for HR purposes
- FMLA, ADA, or workers’ compensation paperwork held in personnel files
When the same information becomes PHI
- If an employee receives clinical care from a provider, the provider’s medical record and billing data are PHI, even if the subject is also the provider’s employee.
- Health plan enrollment and claims data held by the plan (as a Covered Entity) are PHI; duplicates maintained by HR solely as employment records are not.
Education Records and FERPA
Student health and counseling records that are “education records” under FERPA are not PHI. HIPAA expressly excludes both FERPA education records and FERPA “treatment records” from the definition of PHI.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
What this means for schools
- K–12 schools and most colleges: Student health clinic records maintained by the institution for students fall under FERPA, not HIPAA.
- Postsecondary "treatment records" made by a physician, psychologist, or other recognized professional, used only for treatment, and not disclosed beyond treatment providers are excluded from FERPA's definition of "education records" (the student may still have them reviewed by a professional of their choice) and are also excluded from HIPAA PHI.
Important exceptions
- If a school is not subject to FERPA (for example, a private school without federal funding) and its clinic conducts HIPAA-standard electronic transactions, the clinic may be a Covered Entity; in that case, its patient records can be PHI.
- Records about employees of an educational institution are typically employment records (not PHI), unless maintained by a provider in a clinical context.
Data Held by Non-Covered Entities
HIPAA applies to Covered Entities (health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with a HIPAA standard transaction) and their Business Associates. Health information held by organizations outside these roles is usually not PHI.
Common holders of non-PHI health data
- Consumer health apps, fitness trackers, and personal health record tools that operate independently of a Covered Entity
- Life insurers, disability insurers, and automobile insurers
- Employers (in their employer role), schools (under FERPA), law enforcement, courts, and many government agencies
- Direct-to-consumer genetic testing or wellness services that are not acting on behalf of a Covered Entity
Watch the boundary with Business Associates
- If a vendor receives identifiable health data to perform services for a Covered Entity, it is a Business Associate and the data it holds is PHI.
- Independent services that collect data directly from you, without acting for a Covered Entity, generally fall outside HIPAA—but other privacy laws may still apply.
Publicly Available Information
Information that is truly public and not created or received by a Covered Entity or Business Associate is not PHI. Examples include news stories, obituaries, and court filings that mention a person’s health.
Crucial nuance
- If the same facts appear in a provider’s chart, they remain PHI in that chart even if the information is already public.
- A Covered Entity that discloses PHI without an authorization or another permitted basis still violates HIPAA even when the same facts are already public; "it is already on social media" is not a HIPAA exception for the entity.
Decedent's Information Rules
Decedents’ identifiable health information remains PHI for 50 years after the date of death. After 50 years, it is no longer PHI and HIPAA restrictions no longer apply.
Practical implications
- Within 50 years: PHI protections apply; disclosures may be permitted to coroners, medical examiners, funeral directors, and for organ procurement or certain research under specific conditions.
- Personal representatives (such as executors) may access a decedent’s PHI within the 50-year period, subject to applicable limitations.
- After 50 years: The information is not PHI; other laws (e.g., state confidentiality or archival rules) may still govern access.
Conclusion
In short, what is not considered PHI under HIPAA centers on context: de-identified data that meets HIPAA’s standards, employment and education records excluded by law, information held by non-covered entities, certain publicly available information, and decedent data after 50 years. Knowing where HIPAA applies—and where other privacy regimes take over—helps you manage Health Information Privacy with precision.
FAQs
What types of data are excluded from PHI under HIPAA?
Excluded categories include properly de-identified data, employment records held by an employer, FERPA education and treatment records, health information maintained by non-covered entities that are not Business Associates, certain publicly available information not created or received by a Covered Entity, and decedent information after 50 years from the date of death.
How is de-identified data defined under HIPAA?
Data is de-identified when either a qualified expert determines and documents that the risk of re-identification is very small (Expert Determination) or all 18 HIPAA identifiers are removed and the entity has no actual knowledge that the remaining information could identify the individual (Safe Harbor). De-identified data is not PHI.
Are employer-held health records considered PHI?
No. Health information kept by an employer in employment records—such as return-to-work notes or drug test results—is not PHI. However, the same information in a provider’s clinical record remains PHI.
Does FERPA override HIPAA for student health records?
Yes. Student education records covered by FERPA (and FERPA treatment records) are expressly excluded from HIPAA’s definition of PHI. School clinics not subject to FERPA may still be Covered Entities depending on their operations.
When does decedent information lose PHI status?
Fifty years after the individual’s date of death, the information is no longer PHI under HIPAA. Before that, it remains PHI with specific allowances for certain disclosures.