What Is PHI in Medical Terms? Definition, Examples, and HIPAA Compliance

Kevin Henry

HIPAA

July 29, 2025

6 minutes read

Definition of PHI

Under the Health Insurance Portability and Accountability Act (HIPAA), protected health information (PHI) is individually identifiable health information about a person’s past, present, or future physical or mental health, the provision of health care, or payment for care. It must be created or received by a covered entity or its business associates and be part of, or could reasonably be part of, the designated record set used to make decisions about the individual.

PHI can exist in any medium—paper, electronic, or spoken—and becomes PHI when health data is linked with one or more identifiers that tie it to a specific person. Data that has been properly de-identified (for example, by removing HIPAA identifiers or through expert determination) is not PHI. Certain education records and employment records kept by a covered entity in its role as employer are also excluded.

Examples of PHI

Seeing PHI in context helps you recognize and protect it. The following are common, real‑world examples when they identify a person:

  • Doctor’s visit notes, diagnoses, and medication histories in an electronic health record.
  • Laboratory reports, radiology images, or pathology slides labeled with a medical record number or name.
  • Billing statements, claims data, and health plan beneficiary numbers connected to a patient.
  • Prescription records, refill histories, and pharmacy counseling notes that identify you.
  • Appointment schedules, referral letters, and discharge instructions tied to your contact details.
  • Patient portal messages, telehealth chat transcripts, or emails with identifiers.
  • Device and implant serial numbers recorded in your chart (for example, a pacemaker or insulin pump).
  • Wearable or remote monitoring data collected for treatment and stored in the designated record set.
  • Clinical photos or videos that show your full face or other unique identifying features.
  • Research records held by a covered entity when they include identifiers and inform care decisions.

HIPAA Identifiers

HIPAA’s Safe Harbor method lists 18 identifiers that, when removed, render data de-identified. When any of these appear with health information, the data is PHI:

  1. Names.
  2. Geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code, and similar geocodes).
  3. All elements of dates (except year) directly related to an individual (for example, birth, admission, discharge, death), and all ages over 89 unless aggregated as “age 90 or older.”
  4. Telephone numbers.
  5. Fax numbers.
  6. Email addresses.
  7. Social Security numbers.
  8. Medical record numbers.
  9. Health plan beneficiary numbers.
  10. Account numbers.
  11. Certificate or license numbers.
  12. Vehicle identifiers and serial numbers, including license plates.
  13. Device identifiers and serial numbers.
  14. Web URLs.
  15. IP addresses.
  16. Biometric identifiers (for example, fingerprints and voiceprints).
  17. Full-face photographic images and comparable images.
  18. Any other unique identifying number, characteristic, or code.
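The list above is also a checklist a system can apply. As an added example (not code from the article or its author), the following Python applies the Safe Harbor list to a structured patient record: it reports which identifier categories are present (any hit means the record is still PHI) and produces a de-identified copy that drops direct identifiers, keeps only the year of dates, and aggregates ages over 89 as "90 or older". The field names, regular expressions, and sample record are constructed assumptions; the free-text scan only catches common patterns such as phone numbers and email addresses, so an empty result from it is a necessary check, not proof that a record is de-identified.

```python
import re
from datetime import date
from typing import Any

# Structured fields and the Safe Harbor category each one carries.
# Field names are hypothetical; real EHR schemas differ.
DIRECT_IDENTIFIER_FIELDS = {
    "name": "names",
    "street": "geographic subdivisions smaller than a state",
    "city": "geographic subdivisions smaller than a state",
    "zip": "geographic subdivisions smaller than a state",
    "phone": "telephone numbers",
    "fax": "fax numbers",
    "email": "email addresses",
    "ssn": "social security numbers",
    "mrn": "medical record numbers",
    "plan_id": "health plan beneficiary numbers",
    "account": "account numbers",
    "license": "certificate or license numbers",
    "plate": "vehicle identifiers and serial numbers",
    "device_serial": "device identifiers and serial numbers",
    "url": "web URLs",
    "ip": "IP addresses",
    "fingerprint": "biometric identifiers",
    "photo": "full-face photographic images",
}
# Date fields are reduced to the year; day and month are identifiers.
DATE_FIELDS = ("dob", "admit_date", "discharge_date", "death_date")

# Identifiers that commonly leak into free text such as clinical notes.
FREE_TEXT_PATTERNS = {
    "social security numbers": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "telephone numbers": re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "email addresses": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "IP addresses": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "web URLs": re.compile(r"https?://\S+"),
    "dates": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def _over_89(record: dict[str, Any]) -> bool:
    age = record.get("age")
    return isinstance(age, int) and age > 89


def find_identifiers(record: dict[str, Any]) -> set[str]:
    """Return the Safe Harbor categories present in a record.

    A non-empty result means the record is PHI; an empty result is only
    as good as the field map and patterns above.
    """
    found: set[str] = set()
    for field, category in DIRECT_IDENTIFIER_FIELDS.items():
        if record.get(field):
            found.add(category)
    found.update("dates" for field in DATE_FIELDS if record.get(field))
    if _over_89(record):
        found.add("ages over 89")
    for value in record.values():
        if isinstance(value, str):
            for category, pattern in FREE_TEXT_PATTERNS.items():
                if pattern.search(value):
                    found.add(category)
    return found


def safe_harbor_deidentify(record: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of the record with the 18 identifier categories removed."""
    over_89 = _over_89(record)
    out: dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # direct identifiers are dropped, never masked in place
        if key in DATE_FIELDS:
            # Keep only the year. For a patient over 89 even the birth year
            # reveals the age, so the date of birth is dropped entirely.
            if not (key == "dob" and over_89):
                out[key + "_year"] = date.fromisoformat(value).year
            continue
        if key == "age":
            out[key] = "90 or older" if over_89 else value
            continue
        if isinstance(value, str):  # redact identifiers inside free text
            for category, pattern in FREE_TEXT_PATTERNS.items():
                value = pattern.sub(f"[{category.upper()} REMOVED]", value)
        out[key] = value
    return out


SAMPLE_RECORD = {  # constructed sample, not real patient data
    "name": "Jane Q. Sample",
    "mrn": "MRN-0001234",
    "dob": "1931-05-14",
    "age": 94,
    "street": "12 Example Lane",
    "city": "Springfield",
    "state": "IL",
    "zip": "62704",
    "admit_date": "2025-03-02",
    "diagnosis": "Type 2 diabetes mellitus",
    "notes": "Patient reachable at 555-867-5309 or jane@example.com.",
}

if __name__ == "__main__":
    print("identifiers present:", sorted(find_identifiers(SAMPLE_RECORD)))
    print("de-identified record:", safe_harbor_deidentify(SAMPLE_RECORD))
```

Running the block on the sample record reports seven categories (names, geographic subdivisions, medical record numbers, dates, ages over 89, telephone numbers, email addresses); the de-identified copy keeps the state, diagnosis, admission year, and redacted notes, which is the kind of minimal output the "minimum necessary" standard expects when data leaves the designated record set for analytics.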

HIPAA Compliance Requirements

To comply with HIPAA, covered entities (health plans, most health care providers, and health care clearinghouses) and their business associates must implement policies and controls that protect PHI throughout its lifecycle. You need written business associate agreements, role‑based access, and the “minimum necessary” standard for routine uses and disclosures.

Privacy Rule obligations include providing a Notice of Privacy Practices, defining permissible uses and disclosures, honoring individual rights to access, obtain copies of, and request amendments to information in the designated record set, and maintaining an accounting of certain disclosures.

The Security Rule applies to electronic protected health information (ePHI) and requires risk analysis and risk management supported by administrative, physical, and technical safeguards. Typical elements include workforce training, contingency planning, device and media controls, access management, authentication, audit logging, and integrity protections.

The Breach Notification Rule requires assessing incidents for compromise of unsecured PHI and, when a breach occurs, notifying affected individuals and applicable authorities without unreasonable delay. Consistent documentation, ongoing risk assessments, and periodic evaluations are essential for sustained compliance.

Safeguards for PHI Protection

Effective safeguards protect data confidentiality, integrity, and availability while fitting your operations. A layered approach balances administrative, physical, and technical controls.

  • Administrative safeguards: governance, risk analysis, sanctions, vendor due diligence, business associate agreements, training, and incident response planning.
  • Physical safeguards: facility access controls, workstation security, device and media controls, secure storage, and defensible disposal of paper and hardware.
  • Technical safeguards: unique user IDs, least‑privilege access, multi‑factor authentication, encryption in transit and at rest, automatic logoff, audit logs, intrusion detection, and secure configuration baselines.
  • Data lifecycle hygiene: data minimization, retention schedules for the designated record set, secure backups, and tested recovery procedures.

Consequences of PHI Breaches

A PHI breach can disrupt care, expose sensitive conditions, and erode patient trust. You may face costly remediation, legal exposure, and long‑term reputational harm.

Regulatory enforcement may lead to civil and criminal penalties, corrective action plans, and ongoing monitoring. Contractual liabilities, class actions, and state law obligations can compound costs through notifications, credit monitoring, forensics, and system hardening.

Timely investigation and risk assessment are critical. If unsecured PHI is compromised, you must notify affected individuals and, when required, regulators and the media, then remediate root causes to prevent recurrence.

Differences Between PHI and ePHI

PHI covers identifiable health information in any form—paper, electronic, or oral—maintained by covered entities and their business associates. Electronic protected health information (ePHI) is simply PHI in electronic form, such as data in EHR systems, patient portals, email, cloud backups, mobile apps used for care, and network transmissions.

Both are protected under the Privacy Rule, but ePHI also falls under the Security Rule’s technical requirements. That means you must address authentication, encryption, integrity controls, audit capabilities, and secure configurations for systems that create, receive, maintain, or transmit ePHI.

In summary, treat any health data linked to an individual as PHI and apply layered safeguards; when the information is electronic, strengthen controls to meet Security Rule expectations while ensuring privacy rights across the designated record set.

FAQs

What information qualifies as PHI?

PHI is individually identifiable health information about a person’s health, care, or payment for care that is created or received by a covered entity or its business associates. When that health information is linked to one or more HIPAA identifiers and is part of, or could reasonably be part of, the designated record set used to make decisions about you, it qualifies as PHI.

How does HIPAA protect PHI?

HIPAA protects PHI through the Privacy Rule (governing uses, disclosures, and individual rights), the Security Rule (safeguards for ePHI), and the Breach Notification Rule (assessment and reporting of compromises). It also requires business associate agreements, the minimum‑necessary standard, workforce training, and documented policies that preserve data confidentiality, integrity, and availability.

What are the penalties for PHI violations?

Penalties range from corrective action and civil monetary fines to criminal charges for egregious misconduct, depending on the severity, willfulness, and remediation efforts. Regulators can impose tiered civil fines, require corrective action plans, and monitor compliance; prosecutors may pursue criminal penalties for knowingly obtaining or disclosing PHI under false pretenses or for personal gain.

How does ePHI differ from PHI?

ePHI is electronic protected health information—PHI stored or transmitted electronically. It carries the same privacy protections as PHI but also triggers Security Rule requirements, such as access controls, encryption, authentication, audit logging, and integrity safeguards for the systems that create, receive, maintain, or transmit it.
