What Is PHI Protected by HIPAA? What’s Covered, What Isn’t, and Examples


Kevin Henry

HIPAA

March 05, 2024

6 minutes read

Understanding what counts as PHI protected by HIPAA helps you protect patients and meet compliance obligations with confidence. This guide clarifies what the HIPAA Privacy Rule covers, what it does not, and shows concrete examples so you can apply the rules correctly.

At its core, PHI is Individually Identifiable Health Information created or received by a Covered Entity or its business associate. The details below unpack the definition, forms, examples, and common edge cases you’ll encounter.

Definition of PHI

Under the HIPAA Privacy Rule, Protected Health Information (PHI) is Individually Identifiable Health Information that relates to an individual’s past, present, or future physical or mental health or condition, the provision of health care to the individual, or payment for that care, and that is created, received, maintained, or transmitted by a Covered Entity or business associate.

What makes information PHI

  • It identifies (or could reasonably identify) a person; and
  • It describes health status, care provided, or payment details; and
  • It is held or used by a Covered Entity (health plans, most health care providers, health care clearinghouses) or a business associate acting on their behalf.

When all three conditions are present, the information is PHI and must be handled according to HIPAA’s privacy, security, and breach-notification requirements.

Forms of PHI

Electronic PHI (ePHI)

Any PHI stored or transmitted electronically—EHR data, claims files, images, patient portals, email, texts, cloud backups—is ePHI. Safeguards such as access controls, audit logging, integrity protections, and risk management are core to Health Information Technology Compliance for ePHI.

Paper PHI

Printed charts, mailed Explanation of Benefits (EOBs), referral forms, faxes, and registration packets contain PHI when they can identify a person and relate to health, care, or payment.

Oral PHI

Spoken communications (e.g., handoffs, discharge instructions, phone calls with payers) are PHI when they include identifying details linked to an individual’s health information.

Examples of PHI

Care and treatment

  • Lab results tied to a patient’s name and date of birth.
  • Radiology images with embedded metadata linking to a medical record number.
  • Medication lists, allergies, and problem lists in an EHR.

Payment and billing

  • Claims files showing diagnoses, procedures, and a Health Plan Beneficiary Number.
  • Remittance advice and prior authorization records identifying a patient.

Operations and communications

  • Quality-improvement datasets containing dates of service and facility identifiers linked to individuals.
  • Appointment reminders sent to a named patient’s phone number or email address.

Identifiers that make information PHI (Safe Harbor list)

  • Names.
  • Geographic subdivisions smaller than a state (e.g., street address, city, ZIP code—subject to Safe Harbor rules).
  • All elements of dates (except year) directly related to an individual (e.g., birth, admission, discharge, death).
  • Telephone numbers.
  • Fax numbers.
  • Email addresses.
  • Social Security numbers.
  • Medical record numbers.
  • Health Plan Beneficiary Numbers.
  • Account numbers.
  • Certificate or license numbers.
  • Vehicle identifiers and serial numbers, including license plates.
  • Device identifiers and serial numbers.
  • Web URLs.
  • IP addresses.
  • Biometric Identifiers (e.g., fingerprints, voiceprints, retinal/iris scans).
  • Full-face photographs and comparable images.
  • Any other unique identifying number, characteristic, or code.

Information Not Considered PHI

  • De-identified data meeting HIPAA’s De-identification Standard (see below).
  • Employment records held by an organization in its role as employer (even if the employer is a Covered Entity).
  • Education records protected by FERPA and certain student treatment records maintained by schools.
  • Information about a decedent more than 50 years after the date of death.
  • Aggregated statistics that cannot identify an individual (e.g., hospital-wide infection rates without identifiers).

Information that never passes through a Covered Entity or business associate may also fall outside HIPAA; see “Data Outside Covered Entities' Scope” below.

De-identified Data

HIPAA permits use and disclosure of data that are de-identified under the De-identification Standard. De-identified data are not PHI.

Two permitted methods

  • Safe Harbor: remove 18 types of identifiers for the individual and relatives/household/employers, and have no actual knowledge that the remaining information could identify the person.
  • Expert Determination: a qualified expert applies accepted statistical or scientific principles to determine that the risk of re-identification is very small, and documents the methods and results.

A “limited data set” (which may include dates and some geography) is still PHI and can be shared only under a data use agreement. De-identification reduces privacy risk, but organizations should still guard against re-identification through data linkage.
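The following is an added worked example, not code from the article or from Accountable, showing how the Safe Harbor identifier list above and the two de-identification methods in this section translate into a field-by-field transformation. It assumes a hypothetical record layout (the field names, the `RESTRICTED_ZIP3` placeholder set, `SAMPLE_RECORD` and `AS_OF` are all constructed). The 3-digit ZIP generalization and the collapsing of ages over 89 into a single “90+” category are the Safe Harbor standard’s own rules; the free-text scan illustrates why a second pass is needed to satisfy the “no actual knowledge” condition, and `limited_data_set` shows the weaker transformation that still leaves PHI behind.

```python
"""Safe Harbor de-identification of a hypothetical patient record.

Added example; not code from the article or from Accountable. Field names,
RESTRICTED_ZIP3 and SAMPLE_RECORD are constructed for illustration.
"""
import re
from datetime import date

# Safe Harbor identifier categories mapped onto constructed field names.
# These fields are dropped outright; dates, ZIP and age are generalized below.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_beneficiary_number", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric_id",
    "photo_ref",
}

# Safe Harbor keeps only the first three ZIP digits, and replaces even those
# with 000 when the 3-digit area has 20,000 or fewer residents. This set is a
# constructed placeholder; a real implementation loads the Census-derived list.
RESTRICTED_ZIP3 = {"036", "059", "102", "203", "556", "692"}

# Identifiers that commonly leak through free-text fields such as notes.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}

# Constructed, fictional record and reference date used by the demo below.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample", "street_address": "123 Example Lane",
    "city": "Springfield", "state": "IL", "zip": "62704",
    "birth_date": "1931-02-14", "admission_date": "2024-01-03",
    "discharge_date": "2024-01-07", "mrn": "MRN-0001234",
    "ssn": "123-45-6789", "email": "jane@example.com",
    "diagnosis_code": "E11.9",
    "note": "Pt discharged 2024-01-07; call 555-123-4567 with questions.",
}
AS_OF = date(2024, 3, 5)


def generalize_zip(zip_code):
    zip3 = zip_code[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def year_only(iso_date):
    """All date elements except the year are removed."""
    return str(date.fromisoformat(iso_date).year)


def safe_harbor_age(birth_date, as_of):
    """Ages over 89 are collapsed into a single '90+' category."""
    age = as_of.year - birth_date.year
    if (as_of.month, as_of.day) < (birth_date.month, birth_date.day):
        age -= 1
    return "90+" if age >= 90 else age


def deidentify(record, as_of):
    """Apply the Safe Harbor field rules and return a new record."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field == "birth_date":
            age = safe_harbor_age(date.fromisoformat(value), as_of)
            out["age"] = age
            if age != "90+":  # a birth year would reveal an age over 89
                out["birth_year"] = year_only(value)
        elif field in ("admission_date", "discharge_date", "death_date"):
            out[field.replace("_date", "_year")] = year_only(value)
        else:
            out[field] = value
    return out


def residual_identifiers(record):
    """Second pass: identifiers hiding in free text that field rules miss."""
    found = {}
    for field, value in record.items():
        if isinstance(value, str):
            hits = sorted(k for k, p in FREE_TEXT_PATTERNS.items() if p.search(value))
            if hits:
                found[field] = hits
    return found


def redact_free_text(text):
    for name, pattern in FREE_TEXT_PATTERNS.items():
        text = pattern.sub(f"[{name.upper()} REMOVED]", text)
    return text


def limited_data_set(record):
    """Drops direct identifiers but keeps dates, city, state and ZIP.
    The result is still PHI and may be shared only under a data use agreement."""
    return {k: v for k, v in record.items()
            if k not in DIRECT_IDENTIFIER_FIELDS or k == "city"}


if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD, AS_OF)
    print("residual identifiers:", residual_identifiers(cleaned))
    cleaned["note"] = redact_free_text(cleaned["note"])
    print("safe harbor record:", cleaned)
```

Running the demo shows the structured fields handled correctly (the 93-year-old patient becomes `age: "90+"` with no birth year, ZIP 62704 becomes `627`, admission and discharge dates become years) while the clinician’s note still carries a full date and a phone number; only after `redact_free_text` does the residual scan come back empty. That gap between field-level rules and free text is exactly where Safe Harbor de-identification most often fails in practice, and it is the reason the Expert Determination route, or a documented review of unstructured fields, is needed for datasets with narrative content.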

Employment and Education Records

HIPAA excludes employment records maintained by a Covered Entity in its role as employer. For example, FMLA paperwork, employee vaccination records kept by HR, and fit-for-duty exam results held in personnel files are not PHI. However, if an employee receives care as a patient, those clinical records are PHI within the provider’s medical record.

HIPAA also excludes education records protected by FERPA and certain student treatment records. A school nurse’s notes in a K–12 record, or immunization documentation maintained by a school, are not PHI. Conversely, if a student receives care at a community clinic unaffiliated with the school, those records are PHI.

Data Outside Covered Entities' Scope

HIPAA generally does not apply to consumer health information collected or held solely by entities that are not Covered Entities or business associates. Common examples include fitness trackers, wellness and fertility apps, home DNA tests purchased directly by consumers, nutrition or meditation apps, and health data recorded in personal notes.

When such apps connect to a provider or health plan and exchange data, the information becomes PHI within the Covered Entity’s environment. The app developer itself is subject to HIPAA only if it acts as a business associate. Otherwise, other laws (e.g., state privacy statutes or consumer protection rules) may apply, but HIPAA would not.

In practice, always assess who created or received the data, for what purpose, and whether the information can identify a person. Doing so will help you determine whether it is PHI protected by HIPAA and apply appropriate safeguards.

FAQs

What information qualifies as PHI under HIPAA?

PHI is Individually Identifiable Health Information about a person’s health, health care, or payment for care that is created, received, maintained, or transmitted by a Covered Entity or its business associate. If it can identify the person and relates to health, care, or payment in the hands of those entities, it is PHI.

How does HIPAA define a covered entity?

A Covered Entity is a health plan, most health care providers that transmit health information electronically in standard transactions, or a health care clearinghouse. Business associates are third parties that create, receive, maintain, or transmit PHI for a Covered Entity.

What types of data are excluded from PHI protection?

De-identified data, employment records held by an organization as an employer, education records protected by FERPA (and certain student treatment records), information about individuals deceased for more than 50 years, and non-identifiable aggregate statistics are not PHI. Data held solely by non-covered consumer apps may also fall outside HIPAA.

How is de-identified data treated under HIPAA?

Data de-identified via Safe Harbor or Expert Determination are not PHI and may be used or disclosed without HIPAA restrictions. A limited data set is not fully de-identified and remains PHI; it can be shared only under a data use agreement.
