What Is PHI? Protected Health Information Definition and Complete List

Kevin Henry

HIPAA

March 17, 2024


Definition of Protected Health Information

What “PHI” means under HIPAA

Protected Health Information (PHI) is individually identifiable health information about a person’s past, present, or future physical or mental health, the provision of health care, or payment for care, that is created, received, maintained, or transmitted by a covered entity or its business associate. PHI includes patient health data in any medium—electronic, paper, or oral.

HIPAA focuses on two elements: identity and context. If data can identify an individual (alone or when combined with other data) and it relates to health, care, or payment, it is PHI. Demographic information becomes PHI when it’s linked to a health context, such as a diagnosis attached to a name or a claim tied to an address.

Forms and transmission

PHI can exist in electronic health record (EHR) systems, billing platforms, paper files, call recordings, and text or email threads. PHI transmitted between covered entities and business associates, whether over networks, APIs, fax, or voicemail, remains PHI throughout its lifecycle; the channel does not change its status, only the safeguards it requires.

HIPAA Privacy Rule Overview

Purpose and scope

The HIPAA Privacy Rule sets national standards for how covered entities and business associates use and disclose PHI. It balances patient privacy with allowed information flows needed for treatment, payment, and health care operations (TPO) without requiring patient authorization.

Authorization and minimum necessary

Uses or disclosures outside of TPO, such as most marketing and any sale of PHI, require a valid written authorization unless the Rule specifically permits them without one (for example, certain public health, health oversight, or legally required disclosures). Separately, the minimum necessary standard requires organizations to limit uses, disclosures, and requests of PHI to what is needed for the task; it does not apply to disclosures to or requests by a provider for treatment, to disclosures to the individual, or to uses under a valid authorization.

Governance, safeguards, and breaches

Covered entities must provide a Notice of Privacy Practices, train workforce members, and execute business associate agreements. The HIPAA Security Rule complements the Privacy Rule by requiring administrative, physical, and technical safeguards for electronic PHI, and the Breach Notification Rule mandates notification to affected individuals, to HHS, and in larger breaches to the media when unsecured PHI is compromised.

Types of Information Classified as PHI

Common PHI content areas

  • Clinical data: diagnoses, lab results, imaging, treatment plans, progress notes, prescriptions.
  • Administrative and financial data: eligibility, claims, explanations of benefits, billing records, payment histories.
  • Patient communications: portal messages, emails, texts, call recordings that discuss care or payment.
  • Identifiers embedded in technology: device serial numbers tied to a patient, portal usernames, audit logs with user IDs.
  • Sensitive categories: mental health information, substance use treatment records, genetic and biometric data held by a covered entity.

The complete list of HIPAA identifiers

Under the Safe Harbor de-identification standard, the following 18 categories of identifiers, of the individual and of the individual's relatives, employers, and household members, must be removed. Data that still contains any of them is treated as individually identifiable:

  • Names.
  • Geographic subdivisions smaller than a state (street address, city, county, precinct, and ZIP code), except that the first three digits of a ZIP code may be kept when the area sharing those three digits contains more than 20,000 people; otherwise the ZIP is reduced to 000.
  • All elements of dates (except year) directly related to an individual, including birth date, admission and discharge dates, and date of death, and all ages over 89 (including any date element that would reveal such an age); these ages may be aggregated into a single category of 90 or older.
  • Telephone numbers.
  • Fax numbers.
  • Email addresses.
  • Social Security numbers.
  • Medical record numbers.
  • Health plan beneficiary numbers.
  • Account numbers.
  • Certificate or license numbers.
  • Vehicle identifiers and serial numbers, including license plates.
  • Device identifiers and serial numbers.
  • Web URLs.
  • IP addresses.
  • Biometric identifiers (e.g., fingerprints, voiceprints).
  • Full-face photographs and comparable images.
  • Any other unique identifying number, characteristic, or code.

Covered Entities and Business Associates

Covered entities

A covered entity is a health care provider that transmits health information electronically in connection with a transaction for which HHS has adopted a standard (such as claims or eligibility checks), a health plan (e.g., insurer, HMO, employer-sponsored group health plan), or a health care clearinghouse. When these organizations handle individually identifiable health information, it is PHI.

Business associates

A business associate is any vendor or partner that creates, receives, maintains, or transmits PHI for a covered entity, such as an EHR vendor, cloud service provider, billing company, claims administrator, or analytics firm. Subcontractors that handle PHI are also business associates.

Agreements and responsibilities

Covered entities must have business associate agreements that outline permissible uses and disclosures, require safeguards, and flow down obligations to subcontractors. Since the HITECH Act, business associates are directly liable under HIPAA for Security Rule compliance and for the Privacy Rule provisions that apply to them, independent of the contract.

Consumer apps nuance

Health information a consumer enters into a general-purpose app not offered by or acting for a covered entity is usually not PHI. If the app operates on behalf of a provider or plan, the same data becomes PHI because it is handled by a covered entity or business associate.

Examples of PHI

  • A lab result linked to a patient’s name and date of birth.
  • Clinic visit notes stored in an EHR with a medical record number.
  • An insurance claim showing diagnosis codes, member ID, and dates of service.
  • An appointment reminder that includes the patient’s name and visit date.
  • A prescription record with the patient’s address and pharmacy account number.
  • A telehealth recording that captures the patient’s face and treatment discussion.
  • A patient portal message discussing symptoms with an attached photo.
  • Imaging files (e.g., DICOM) containing embedded identifiers.
  • Wearable data transmitted to a provider and tied to the patient’s profile.
  • Audit logs showing a user’s IP address and username within a patient account.
  • Payment receipts that include the patient’s name and service details.
  • Care management spreadsheets listing diagnoses alongside contact details.

Exclusions from PHI

De-identified information

Data is not PHI if it has been de-identified so that there is no reasonable basis to believe it can be used to identify an individual, alone or in combination with other reasonably available information. HIPAA recognizes two methods: Safe Harbor (removing all 18 identifiers, including most ZIP codes and all date elements other than year) and Expert Determination (a qualified statistician or similar expert documents that the risk of re-identification is very small and records the methods and results of the analysis).
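As an added illustration of the Safe Harbor method (this is example code written for this page, not the article's own material or legal advice), the block below applies the transformations the list above describes to a constructed patient record: direct identifiers are dropped, dates keep only the year, ages over 89 collapse to "90+", a birth year that would reveal such an age is suppressed, ZIP codes keep their three-digit prefix only for populous areas, and free-text notes are scanned for identifiers that leak in as text. The field names, the sample record, the three-digit ZIP prefixes treated as populous, and the regex patterns are assumptions; the 20,000-person threshold is the one the Safe Harbor standard uses, but the prefix table here is made up and a real deployment would derive it from current Census data.

```python
# Added illustrative example (not from the original article, not legal advice):
# applying the Safe Harbor rules to a constructed patient record. The field
# names, the sample record and the populous-ZIP table are assumptions.
import re
from datetime import date

# ASSUMPTION: three-digit ZIP prefixes whose combined area holds more than
# 20,000 people. Safe Harbor allows those three digits to be kept; every other
# ZIP collapses to "000". A real deployment derives this set from Census data.
POPULOUS_ZIP3 = {"021", "100", "606"}

# ASSUMED field names that hold direct identifiers; Safe Harbor removes them outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_number", "license_number", "plate", "device_serial", "url",
    "ip", "photo_ref",
}

# Identifiers that leak into free text (notes, portal messages). Order matters:
# the SSN pattern runs before the phone pattern so "123-45-6789" is not mistaken
# for a phone-number fragment.
TEXT_PATTERNS = [
    ("[SSN]", re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")),
    ("[EMAIL]", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("[PHONE]", re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")),
    ("[IP]", re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")),
    ("[DATE]", re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{2,4}\b")),
]


def generalize_zip(zip_code):
    """Keep the three-digit prefix only for populous areas; otherwise '000'."""
    digits = re.sub(r"\D", "", zip_code or "")
    prefix = digits[:3]
    return prefix if len(digits) >= 5 and prefix in POPULOUS_ZIP3 else "000"


def generalize_date(iso_date):
    """Safe Harbor drops month and day; only the year may remain."""
    return str(date.fromisoformat(iso_date).year) if iso_date else None


def age_bucket(age):
    """All ages over 89 collapse into a single '90+' category."""
    return "90+" if age > 89 else str(age)


def scrub_text(text, known_names=()):
    """Replace known names and pattern-matching identifiers in free text.

    Names not known in advance need a NER model; regexes alone will miss them.
    """
    for name in known_names:
        text = re.sub(re.escape(name), "[NAME]", text, flags=re.IGNORECASE)
    for token, pattern in TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text


def deidentify(record, reference_year):
    """Return a Safe Harbor de-identified copy of one structured record.

    reference_year: the year against which age is computed (a year-granular
    approximation; a real pipeline would use the actual date of service).
    """
    age = reference_year - date.fromisoformat(record["dob"]).year if record.get("dob") else None
    names = [n for n in (record.get("name"),) if n]
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # direct identifier: removed outright
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key == "dob":
            # A birth year that implies an age over 89 is itself identifying: drop it.
            out[key] = None if age is not None and age > 89 else generalize_date(value)
        elif key.endswith("_date"):
            out[key] = generalize_date(value)
        elif key == "age":
            out[key] = age_bucket(value)
        elif key == "notes":
            out[key] = scrub_text(value, known_names=names)
        else:
            out[key] = value  # clinical content (e.g., diagnosis code) is kept
    return out


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "mrn": "MRN-0042-17",
    "ssn": "123-45-6789",
    "email": "jane.example@example.com",
    "phone": "(617) 555-0143",
    "ip": "203.0.113.42",
    "zip": "02115",
    "dob": "1933-06-04",
    "admit_date": "2024-03-17",
    "age": 91,
    "diagnosis": "E11.9",
    "notes": ("Pt Jane Q. Example seen 2024-03-17; callback 617-555-0143, "
              "portal login from 203.0.113.42, SSN 123-45-6789 on file."),
}

if __name__ == "__main__":
    for k, v in deidentify(SAMPLE_RECORD, reference_year=2024).items():
        print(f"{k}: {v}")
```

Running the block prints the de-identified record: the name, MRN, SSN, email, phone, and IP fields are gone, the ZIP becomes 021, the birth date is suppressed entirely because it would reveal an age over 89, the admission date becomes 2024, the age becomes 90+, and the note reads "Pt [NAME] seen [DATE]; callback [PHONE], portal login from [IP], SSN [SSN] on file." The free-text step is the weak point in practice: it catches only the patient's own name and well-formed identifiers, so notes that mention relatives, employers, or unusual identifier formats still need review or a trained entity-recognition model before the output can be treated as de-identified.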

Other common exclusions

  • Education records covered by FERPA.
  • Employment records held by a covered entity in its role as employer.
  • Information about a person deceased for more than 50 years.
  • Consumer-generated health data collected by apps not acting for a covered entity or business associate.
  • Aggregated statistics that cannot identify any individual.

Clarification on limited data sets

A HIPAA Limited Data Set excludes many direct identifiers but is still PHI. It may be used or disclosed for research, public health, or operations under a data use agreement; it is not an exclusion.

Patient Rights Under HIPAA

Access and copies

You have the right to access, inspect, and obtain copies of your PHI in the format you request if readily producible, including electronic copies. You may also direct a copy to a third party of your choosing.

Amendments and corrections

You can request an amendment to your PHI if you believe it is inaccurate or incomplete. Providers must respond in writing and, if they deny the request, allow you to submit a statement of disagreement.

Restrictions and confidential communications

You may request limits on certain disclosures, and providers must agree when you pay in full out of pocket and ask that information not be shared with your health plan. You can also request communications at alternative locations or via alternative means.

Accounting, notices, and complaints

You may receive an accounting of certain disclosures, obtain a Notice of Privacy Practices explaining how your information is used, and file a complaint if you believe your rights have been violated.

Conclusion

PHI is any individually identifiable health information handled by a covered entity or business associate in connection with care or payment. The HIPAA Privacy Rule governs when PHI may be used or disclosed, details exclusions like de-identified data, and grants patients robust rights. Understanding these fundamentals helps you manage patient health data responsibly and compliantly.

FAQs

What constitutes protected health information?

PHI is individually identifiable health information related to a person's health status, care, or payment that is created, received, maintained, or transmitted by a covered entity or business associate. Demographic information, including any of the 18 HIPAA identifiers, becomes PHI when it is linked to that health context; an identifier on its own, with no connection to health, care, or payment, is not PHI.

How does HIPAA protect PHI?

The HIPAA Privacy Rule sets rules for using and disclosing PHI, permitting TPO uses without authorization and requiring authorizations for most other purposes. The Security Rule mandates safeguards for electronic PHI, and the Breach Notification Rule requires notices when unsecured PHI is compromised.

Who is considered a covered entity?

Covered entities include health care providers that conduct standard electronic transactions, health plans such as insurers and HMOs, and health care clearinghouses. When these organizations handle individually identifiable health information, it is PHI under HIPAA.

What types of information are excluded from PHI?

Exclusions include de-identified data (via Safe Harbor or Expert Determination), education records under FERPA, employment records a covered entity keeps as an employer, information about individuals deceased more than 50 years, and consumer health data not handled by a covered entity or business associate.
