What Is PHI Under HIPAA? A Context‑First Guide to What Counts—and What Doesn’t



Kevin Henry

HIPAA

February 01, 2024

8 minute read

Definition of PHI Under HIPAA

Core definition

Protected Health Information (PHI) is individually identifiable health information created, received, maintained, or transmitted by a covered entity or its business associate. It relates to a person’s past, present, or future physical or mental health, the provision of healthcare, or payment for healthcare—and it identifies the person or could reasonably be used to identify them.

In practice, PHI is about context as much as content. A lab result, an appointment reminder, or a claim number becomes PHI because it is handled within the healthcare system and linked to an identifiable person. That context triggers HIPAA Privacy Rule obligations and Health Information Security safeguards.

Context-first illustrations

  • A hospital’s patient portal message that includes your name and test date is PHI because a covered entity is involved and the data can identify you.
  • The same heart-rate reading in a consumer fitness app may not be PHI if the app is not acting on behalf of a covered entity; it might be subject to other laws, but not HIPAA.
  • Employer-held medical notes for leave decisions are generally employment records, not PHI, even if the employer also runs a health clinic.

HIPAA Privacy Rule Overview

Scope and actors

The HIPAA Privacy Rule sets national standards for how PHI is used and disclosed. It applies to covered entities—health plans, healthcare clearinghouses, and healthcare providers who conduct standard electronic transactions—and to business associates that handle PHI on their behalf. Together, they form the operational core of healthcare compliance.

Permitted uses and disclosures

Covered entities may use or disclose PHI without authorization for treatment, payment, and healthcare operations, and for other specified purposes such as certain public health activities. Outside these bases, you typically need an individual’s valid authorization. The “minimum necessary” standard requires limiting PHI to the least amount needed for the task.

Individual rights

You have key rights over your PHI, including the right to access and obtain copies, request amendments, receive an accounting of certain disclosures, request restrictions, and ask for confidential communications. Providers must explain these rights in a Notice of Privacy Practices.

Security and breach notification

While the Privacy Rule governs permissible uses, the HIPAA Security Rule requires administrative, physical, and technical safeguards for electronic PHI (ePHI). If unsecured PHI is breached, the Breach Notification Rule requires timely notifications to affected individuals and, in certain cases, regulators and media.

Eighteen Identifiers That Define PHI

The “safe harbor” PHI identifiers

Data are considered de-identified under HIPAA’s safe harbor only when all of the following identifiers are removed and the covered entity has no actual knowledge that remaining information could identify the individual:

  • Names.
  • Geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code, and similar), except the initial three ZIP digits if the corresponding area has a sufficiently large population.
  • All elements of dates (except year) directly related to an individual, including birth, admission, discharge, and death dates, and all age elements over 89 (which may be grouped as 90+).
  • Telephone numbers.
  • Fax numbers.
  • Email addresses.
  • Social Security numbers.
  • Medical record numbers.
  • Health plan beneficiary numbers.
  • Account numbers.
  • Certificate/license numbers.
  • Vehicle identifiers and serial numbers, including license plate numbers.
  • Device identifiers and serial numbers.
  • Web URLs.
  • IP address numbers.
  • Biometric identifiers (for example, finger and voice prints).
  • Full-face photographs and comparable images.
  • Any other unique identifying number, characteristic, or code.

When any of these PHI identifiers remain linked to health data in a covered-entity context, the information is PHI. Understanding this list is central to data de-identification and compliant use of health information.
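As an added example (not code from the article or from Accountable), the safe-harbor transforms applied to one constructed patient record in Python: the listed identifier fields are dropped, date fields are reduced to the year, the ZIP code is cut to three digits only where the area it covers has more than 20,000 people (the threshold in the rule; the population table here is constructed), ages over 89 are grouped as 90+ with the birth year removed, and free-text fields are checked for identifiers that slipped through. The field names and the sample record are assumptions.

```python
import re

# Added example, not from the original article. Field names below are constructed;
# the identifier categories are HIPAA's safe-harbor list (45 CFR 164.514(b)(2)).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "beneficiary_id", "account_no", "license_no", "vehicle_id", "device_serial",
    "url", "ip", "biometric", "photo",
}
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}  # ISO strings

# Constructed population table for 3-digit ZIP areas; safe harbor keeps the
# prefix only when the area it covers has more than 20,000 people, else "000".
ZIP3_POPULATION = {"021": 650_000, "590": 12_000}

# Patterns for identifiers that hide in free text: SSN, e-mail, US phone number.
LEAK_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
]

def generalize_zip(zip_code):
    prefix = zip_code[:3]
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20_000 else "000"

def generalize_age(age):
    return "90+" if age > 89 else age  # ages over 89 are grouped

def safe_harbor(record):
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # identifier categories removed outright
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key in DATE_FIELDS:
            out[key] = value[:4]  # keep the year only
        elif key == "age":
            out[key] = generalize_age(value)
        elif isinstance(value, str) and any(p.search(value) for p in LEAK_PATTERNS):
            raise ValueError(f"field {key!r} still contains a direct identifier")
        else:
            out[key] = value
    if out.get("age") == "90+":
        out.pop("dob", None)  # a birth year would reveal an age over 89
    return out

SAMPLE_RECORD = {"name": "Jane Doe", "mrn": "MRN-0001", "zip": "02139",
                 "dob": "1950-03-04", "age": 73, "diagnosis": "E11.9",
                 "note": "Follow-up in 6 weeks"}
```

The free-text check catches only obvious patterns; the rule's second condition, that the covered entity has no actual knowledge the remaining data could identify the person, is a judgement that code cannot supply.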

Forms of PHI: Electronic, Paper, and Oral

Electronic PHI (ePHI)

ePHI includes PHI stored or transmitted electronically—EHR entries, billing databases, lab interfaces, emails, texts, patient portal messages, images, backups, and audit logs. Health Information Security controls such as encryption, access control, and audit trails are essential for safeguarding ePHI.

Paper PHI

Paper charts, printed claims, faxed referrals, and mailed explanations of benefits can all contain PHI. Secure storage, controlled printing, cover sheets, and proper shredding or destruction are required to prevent unauthorized access.

Oral PHI

Spoken information—care team rounds, call center interactions, or conversations at the front desk—can be PHI. Reasonable safeguards include private discussion areas, voice-lowering practices, and verifying identities before sharing details over the phone.


Exclusions from PHI Classification

De-identified data

Information is not PHI if it has been de-identified either by removing all PHI identifiers (safe harbor) or via expert determination showing very small re-identification risk. De-identified datasets may be used and disclosed without HIPAA restrictions.

Limited data sets

A limited data set excludes many identifiers but may retain certain elements (for example, dates and some geography like city, state, ZIP). It is still PHI but can be used for research, public health, or operations under a Data Use Agreement that adds safeguards against re-identification.

Other explicit exclusions

  • Education records and treatment records covered by FERPA.
  • Employment records held by a covered entity in its role as employer.
  • Information about individuals deceased for more than 50 years.
  • Consumer-generated health information collected directly by apps or devices not acting on behalf of a covered entity or business associate.

These exclusions prevent overreach while maintaining strong privacy protections where healthcare compliance truly applies.

Responsibilities of Covered Entities

Governance and policy

Designate privacy and security officials, implement written policies and procedures, and train the workforce regularly. Maintain sanctions for violations and document decisions to demonstrate compliance with the HIPAA Privacy Rule and Security Rule.

Minimum necessary and role-based access

Adopt role-based access so staff see only what they need. Apply the minimum necessary standard to routine uses and disclosures, and incorporate it into queries, report designs, and data exports.

Individual rights operations

Provide timely access to PHI in the requested format when feasible, respond to amendment requests, track certain disclosures, and honor reasonable requests for confidential communications or restrictions where required.

Business associates and vendors

Evaluate vendors for PHI handling, execute Business Associate Agreements, and monitor performance. Ensure downstream subcontractors meet equivalent safeguards for PHI identifiers and individually identifiable health information.

Risk management and incident response

Conduct risk analyses, address findings, and monitor controls. Maintain an incident response plan to identify, contain, investigate, and notify after potential breaches of unsecured PHI.

Safeguarding and Using PHI Responsibly

Practical safeguards to implement now

  • Encrypt ePHI at rest and in transit; use modern protocols and endpoint protection.
  • Enable multi-factor authentication, strong passwords, and automatic logoff.
  • Apply data loss prevention, audit logging, and alerts for anomalous access.
  • Limit downloads and exports; prefer viewer modes and masked fields for PHI identifiers.
  • Use secure messaging for care coordination; avoid unapproved channels for PHI.
  • Use secure disposal for paper and media; control printers and copiers.
  • De-identify or use limited data sets when full identifiers are not necessary.
  • Regularly train staff on privacy, phishing, and minimum necessary practices.

Ethical, compliant use

Align every use of PHI with a clear purpose—treatment, payment, operations, or another permitted basis—and document authorizations when required (for example, most marketing uses). Build privacy by design into workflows so healthcare compliance is routine, not reactive.

Conclusion

Understanding what counts as PHI under HIPAA comes down to context, identifiers, and stewardship. Identify when data are individually identifiable health information, remove or limit PHI identifiers when possible, and apply right-sized safeguards across electronic, paper, and oral forms. Doing so protects patients and strengthens trust in your organization.

FAQs

What types of information qualify as PHI under HIPAA?

Any individually identifiable health information handled by a covered entity or its business associate that relates to health, care delivery, or payment is PHI. If an item could identify a person—alone or combined with other details—and it sits in the healthcare context, it is PHI.

Who are covered entities responsible for PHI protection?

Covered entities include healthcare providers who conduct standard electronic transactions, health plans, and healthcare clearinghouses. They must protect PHI across all forms and ensure business associates that create, receive, maintain, or transmit PHI also implement appropriate safeguards.

How does HIPAA define identifiable data?

Data are identifiable if they include direct identifiers (like name or SSN) or information that could reasonably be used to identify a person. HIPAA’s safe harbor lists 18 PHI identifiers; removing them—or using expert determination—reduces data to a de-identified state.

What information is excluded from PHI under HIPAA?

De-identified data, limited data sets used under a Data Use Agreement, education records under FERPA, employment records held by an employer, information about individuals deceased for more than 50 years, and consumer health data gathered outside the covered-entity context are not PHI under HIPAA.
