What Is Not PHI? Clear Definition and Examples Under HIPAA


Kevin Henry

HIPAA

August 16, 2025

5 minutes read

Knowing what is not PHI helps you share, analyze, and report health-related data without triggering HIPAA restrictions. Below, you’ll find a clear definition and real‑world examples across common categories where HIPAA does not apply.

De-Identified Information

De-identified data is not PHI because it cannot reasonably be used to identify an individual. HIPAA permits two pathways: removal of the HIPAA-listed identifiers (the Safe Harbor method) or an expert's documented determination that the risk of re-identification is very small.

Two pathways to de-identification

  • Safe Harbor: remove the 18 direct and quasi-identifiers (for example, names; geographic subdivisions smaller than a state; all date elements except year; phone numbers and email addresses; account and medical record numbers; device and vehicle identifiers; IP addresses and URLs; full-face photos; and any other unique identifying number, characteristic, or code).
  • Expert Determination: a qualified statistician applies risk-based techniques and certifies that the likelihood of identification is very small.

Practical examples

  • A hospital releases yearly, county-level readmission rates with no direct identifiers; this dataset is not PHI.
  • A dashboard showing aggregate counts of flu cases by month, after removal of the HIPAA identifiers, supports public health data disclosure without exposing PHI.
  • Note: A limited data set (with certain dates, city, and 5‑digit ZIP) is still PHI; it requires a data use agreement.
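The Safe Harbor pathway described above is mechanical enough to script. The following Python is an added example, not code from the article or from Accountable: it drops direct-identifier fields, reduces dates to year, aggregates ages over 89 to "90+" (and drops the birth year in that case, since the year alone would reveal the age), truncates ZIP codes to three digits, and scrubs identifiers that leak into free text. The sample record is constructed, and SMALL_POPULATION_ZIP3 is a hypothetical placeholder for the Census-derived list of three-digit ZIP prefixes covering 20,000 or fewer people, which Safe Harbor requires to be written as "000". The residual check at the end is the part a reviewer would actually run before calling a dataset de-identified.

```python
import re
from datetime import date

# Reference date for age computation; fixed so the example is reproducible.
AS_OF = date(2025, 8, 16)

# Constructed sample record for illustration only (not real patient data).
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "mrn": "MRN-0012345",
    "email": "jane.doe@example.com",
    "phone": "555-0100",
    "dob": "1932-04-15",
    "admit_date": "2024-03-09",
    "zip": "02139",
    "diagnosis": "Influenza A",
    "notes": "Patient reached at 555-0100; follow up via jane.doe@example.com",
}

# Fields that are direct identifiers under Safe Harbor and are dropped outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "mrn", "ssn", "email", "phone", "fax", "account", "license",
    "device_id", "vehicle_id", "ip", "url", "biometric", "photo",
}

# Date fields reduced to year only (Safe Harbor permits the year).
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}

# Hypothetical placeholder: 3-digit ZIP prefixes covering 20,000 or fewer
# people must become "000". The real list comes from Census data.
SMALL_POPULATION_ZIP3 = {"036", "059"}

# Patterns for identifiers that leak into free-text fields. Full dates are
# matched before the phone pattern so digit runs are not misclassified.
FREE_TEXT_PATTERNS = [
    ("date", re.compile(r"\b\d{4}-\d{2}-\d{2}\b")),
    ("email", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
    ("url", re.compile(r"https?://\S+")),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("phone", re.compile(r"\b(?:\(?\d{3}\)?[-.\s]?)?\d{3}[-.\s]?\d{4}\b")),
]


def compute_age(dob_iso, as_of):
    """Whole years between an ISO birth date and the reference date."""
    dob = date.fromisoformat(dob_iso)
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def scrub_free_text(text):
    """Replace identifier-shaped substrings with a labelled redaction token."""
    for kind, pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub(f"[REDACTED-{kind}]", text)
    return text


def safe_harbor(record, as_of=AS_OF, small_zip3=SMALL_POPULATION_ZIP3):
    """Return a Safe Harbor de-identified copy of a flat record."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # dropped entirely
        if key == "dob":
            age = compute_age(value, as_of)
            if age > 89:
                out["age"] = "90+"  # ages over 89 are aggregated; birth year dropped
            else:
                out["age"] = str(age)
                out["dob_year"] = value[:4]
            continue
        if key in DATE_FIELDS:
            out[key + "_year"] = value[:4]
            continue
        if key == "zip":
            zip3 = value[:3]
            out["zip3"] = "000" if zip3 in small_zip3 else zip3
            continue
        out[key] = scrub_free_text(value) if isinstance(value, str) else value
    return out


def residual_identifiers(record):
    """Return (field, kind) pairs for any identifier still present in a record."""
    hits = []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            hits.append((key, "direct-identifier field"))
            continue
        if not isinstance(value, str):
            continue
        for kind, pattern in FREE_TEXT_PATTERNS:
            if pattern.search(value):
                hits.append((key, kind))
    return hits


if __name__ == "__main__":
    deid = safe_harbor(SAMPLE_RECORD)
    print(deid)
    print("residual identifiers:", residual_identifiers(deid))
```

The free-text scrub is the weak point of any Safe Harbor pipeline: the regexes catch common shapes, but names, employer names, and rare conditions in narrative notes are exactly what pushes a team toward the Expert Determination pathway instead. Keep the residual check as a gate, not a formality.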

Employment Records

Employment records held by an employer—including when the employer also runs a health plan or clinic—are not PHI if maintained in the employer role. These employer health information exclusions cover items like FMLA certifications, drug-testing results received by the employer, workers’ compensation files, and fit‑for‑duty exams retained in HR files.

The same information can be PHI when held by a provider or health plan. For example, a hospital’s copy of a pre-employment physical is PHI in the hospital’s medical record, while the employer’s copy in HR is not PHI. Other laws (e.g., ADA, state privacy rules) may still apply to employer records.

Education Records

Student health information maintained by a school subject to FERPA is not PHI; it is protected as FERPA health records instead. This includes K–12 school nurse files and most student treatment records kept by a university health clinic for students.

Nuances to know: If a university clinic bills a student’s commercial plan for care provided to non-students, those non‑student records may be PHI. Private schools not subject to FERPA that transmit standard electronic claims may be HIPAA covered entities for those records.


Data Held by Non-Covered Entities

Health-related data held solely by entities that are neither HIPAA covered entities nor their business associates is not PHI. Common examples of non-covered entity health data include consumer fitness trackers, wellness apps, nutrition logs, and direct‑to‑consumer genetic results when collected and stored outside the HIPAA ecosystem.

However, once a covered entity shares PHI with a vendor under a business associate agreement, that copy becomes PHI in the vendor’s hands. Absent such a relationship, the same data in a consumer app remains outside HIPAA, though other consumer protection or state privacy laws may apply.

Publicly Available Information

Health details that are lawfully and broadly available to the public—such as a person’s own social media post, a news article, or a public court filing—are not PHI in the hands of those publishers or other non‑covered entities. Public health dashboards that share only de‑identified, aggregated statistics are also not PHI, supporting responsible public health data disclosure.

Important distinction: if a covered entity records that same information in its medical records, it is PHI within that record, even if similar details appear in the public domain.

Decedents' Information

PHI protections continue for 50 years after an individual’s death. After that, the information is no longer PHI, easing deceased individual data retention and historical research. For example, records of someone who died in 1975 are not PHI today, while records for a person who died in 2010 remain PHI until 2060.

Conclusion

In short, what is not PHI turns on identifiability, who holds the data, and specific statutory carve‑outs. De‑identified datasets, employer HR files, FERPA‑governed school records, health data outside HIPAA entities, certain publicly available information, and records of individuals deceased for more than 50 years all fall outside HIPAA’s PHI scope—though other laws may still protect privacy.

FAQs

What criteria exclude information from being PHI?

Information is not PHI if it is de‑identified, kept as an employment record by an employer, maintained as a FERPA education or student treatment record, held only by a non‑covered entity without a business associate role, lawfully available to the general public outside a covered entity’s records, or pertains to an individual deceased for more than 50 years.

How does de-identified data differ from PHI?

De‑identified data carries no reasonable risk of re‑identification, achieved through removal of the HIPAA identifiers (Safe Harbor) or expert determination. Because no person can be readily identified, it falls outside PHI. By contrast, any individually identifiable health information held by a covered entity or business associate is PHI.

Are employment health records protected under HIPAA?

No. Employment records kept by an employer in its role as employer are not PHI, even when they include health information. The same data may still be PHI in a provider or health plan’s files, and non‑HIPAA laws (e.g., ADA or state rules) can still require safeguards.

When does health information become publicly available?

It is publicly available when it’s lawfully accessible to everyone—such as news articles, open government records, or a person’s own public posts. In those sources, it is not PHI. However, the identical information inside a covered entity’s medical record remains PHI.

How long is decedent health information considered PHI?

For 50 years following the individual’s date of death. After the 50‑year period, the information is no longer PHI, though archival, ethical, or state-law considerations may still affect access and use.
