What Is PHI Under HIPAA? Definition, Examples, and What’s Covered
Understanding what counts as Protected Health Information (PHI) under HIPAA helps you classify data correctly, limit risk, and design compliant workflows. This guide explains the definition, provides concrete examples, clarifies exclusions, and outlines who must comply and how de-identification works.
Definition of PHI
Under the HIPAA Privacy Rule, PHI is Individually Identifiable Health Information that relates to a person’s past, present, or future physical or mental health or condition, the provision of care, or payment for care. It qualifies as PHI when it is created, received, maintained, or transmitted by Covered Entities or their Business Associates in any form—electronic, paper, or oral.
“Individually identifiable” means the information either directly identifies a person or can reasonably be used to do so. Electronic PHI (ePHI) is simply PHI in digital form. By contrast, De-Identified Data that cannot identify an individual is not PHI and falls outside HIPAA’s scope.
Examples of PHI
PHI arises when a health detail is linked to an identifier. Typical examples include clinical, billing, and operational records connected to a patient’s identity.
- Clinical data tied to an individual: diagnoses, lab results, imaging reports, medication lists, treatment plans, progress notes, and care coordination records.
- Payment and operations data: claim forms, explanations of benefits, prior authorizations, remittance advice, and utilization reviews connected to a person.
- Communications and portals: patient portal messages, secure emails with providers, telehealth chat logs, and appointment reminders that include identifying details.
- Device and monitoring data: remote patient monitoring feeds, medical device serial numbers, and wearable outputs when linked to an account or profile.
Common identifiers that make health information PHI are the HIPAA “18 identifiers” that the safe harbor de-identification method requires removing (for the individual and for the individual’s relatives, employers, and household members):
- Names.
- Geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code, and equivalent geocodes). The only exception is the first three digits of a ZIP code, and only when the area covered by those three digits contains more than 20,000 people; otherwise the three digits must be changed to 000.
- All elements of dates (except year) directly related to an individual (birth, admission, discharge, or death dates), plus all ages over 89 and any date elements (including year) that reveal such an age; ages 90 and over may be aggregated into a single “90 or older” category.
- Telephone numbers.
- Fax numbers.
- Email addresses.
- Social Security numbers.
- Medical record numbers.
- Health Plan Beneficiary Numbers.
- Account numbers.
- Certificate or license numbers.
- Vehicle identifiers and license plate numbers.
- Device identifiers and serial numbers.
- Web URLs.
- IP addresses.
- Biometric Identifiers (for example, fingerprints and voiceprints).
- Full-face photographs and comparable images.
- Any other unique identifying number, characteristic, or code.
Exclusions from PHI
Not all health-related information is PHI. Key exclusions include:
- De-Identified Data that meets HIPAA standards (safe harbor or expert determination).
- Education records subject to FERPA.
- Employment records maintained by a Covered Entity in its role as employer (for example, sick notes kept in HR files).
- Information about a person who has been deceased for more than 50 years.
- Data held solely by entities that are neither Covered Entities nor Business Associates (for example, certain consumer health apps operating independently of providers or plans). If such an app handles data on behalf of a provider or plan, those same data may become PHI.
Note: A “limited data set” (which may include dates and some geography) is still PHI, but it may be shared for specific purposes under a Data Use Agreement.
Forms of PHI Transmission
PHI can exist and move across multiple media and channels. You should map each flow to apply appropriate protections.
- Electronic: EHR systems, patient portals, health information exchanges, e-prescribing networks, secure email, SFTP, cloud storage, mobile apps, imaging systems, backup media, and connected medical devices.
- Paper: intake forms, printed records, labels, mailed correspondence, and faxes.
- Oral: consultations, care coordination calls, voicemails, and telehealth sessions.
The HIPAA Security Rule applies to ePHI, while the Privacy Rule covers PHI in any form, including paper and oral disclosures.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Covered Entities and Business Associates
Covered Entities include health care providers that conduct standard electronic transactions (such as claims), health plans (insurers, employer-sponsored plans, government programs), and health care clearinghouses. They are directly responsible for protecting PHI.
Business Associates are vendors or subcontractors that create, receive, maintain, or transmit PHI for a Covered Entity. Examples include EHR and cloud providers, billing services, transcription companies, analytics firms, and certain marketing or consulting partners. A Business Associate Agreement (BAA) is required and must flow down to subcontractors handling PHI.
HIPAA Compliance Requirements
To handle PHI lawfully, you must implement the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. Core expectations include:
- Privacy Rule practices: define permissible uses and disclosures, apply the minimum necessary standard, publish a Notice of Privacy Practices, obtain and manage authorizations where required, and honor individual rights (access, amendment, accounting of disclosures, restrictions, and confidential communications).
- Security Rule safeguards for ePHI:
- Administrative: risk analysis and management, policies and procedures, workforce training, sanctions, contingency planning, vendor oversight, and BAAs.
- Physical: facility access controls, workstation and device security, media reuse and disposal, and visitor management.
- Technical: unique user IDs and role-based access, multi-factor authentication where feasible, automatic logoff, encryption at rest and in transit, audit controls and monitoring, integrity controls, and transmission security.
- Breach response: investigate incidents, assess the probability that PHI was compromised, mitigate harm, notify affected individuals without unreasonable delay and no later than 60 days after discovery (plus HHS, and the media when a breach affects more than 500 residents of a state), and document every step. Notification duties attach to unsecured PHI; PHI that was encrypted or destroyed in line with HHS guidance is treated as secured, which is the practical reason to encrypt laptops, backups, and removable media.
- Governance: assign responsible officials, review safeguards regularly, keep thorough documentation, and update programs as systems, vendors, or risks change.
Data De-Identification Processes
HIPAA recognizes two paths to create De-Identified Data that is no longer PHI:
- Safe harbor: remove the 18 identifiers listed above (for the individual and for the individual’s relatives, employers, and household members) and have no actual knowledge that the remaining data could identify a person, alone or in combination.
- Expert determination: a person with appropriate statistical or scientific expertise applies generally accepted methods, concludes that the risk of re-identification by an anticipated recipient is very small, and documents the methodology and results.
Re-identification codes may be retained if the code is not derived from or related to information about the individual, cannot be translated to identify the individual, and the Covered Entity does not disclose the mechanism used to generate it. Remember, a limited data set—with dates and some geography—remains PHI and requires a Data Use Agreement, whereas fully de-identified outputs fall outside HIPAA.
In practice, combine technical controls (suppression, generalization, perturbation), policy controls (data use limitations), and governance (review and monitoring) to keep re-identification risk low over time.
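The following script is an added example, not code from the page or from Accountable, showing what the safe harbor rules above look like when applied to a record: direct identifiers are dropped, dates collapse to the year, ages over 89 become “90+” (and a birth year that would reveal such an age is removed), ZIP codes are truncated to three digits or zeroed when the prefix is in the restricted set, and a random re-identification code is assigned so the code is not derived from the person’s data. The field names, the sample record, and the `demo()` helper are assumptions for illustration; the restricted ZIP prefix list is the one in HHS’s de-identification guidance (2000 Census figures) and should be re-verified against current census data before use.

```python
"""Safe harbor de-identification of one patient record (45 CFR 164.514(b)(2)).

Added example, not code from the original page. Field names, the record
layout, and the sample data are assumptions for illustration.
"""
import secrets
from datetime import date

# 3-digit ZIP prefixes reported as "000" because the area they cover held
# 20,000 or fewer people. List taken from HHS de-identification guidance
# (2000 Census); re-verify against current census data before relying on it.
RESTRICTED_ZIP3 = frozenset({
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
})

# Direct identifiers removed outright. These are the fields of the sample
# record that map to safe harbor identifiers; extend for your own schema.
DIRECT_IDENTIFIERS = (
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "beneficiary_id", "account", "license", "plate", "device_serial",
    "url", "ip", "photo", "fingerprint",
)

# Date fields that keep only their year. State-level geography is allowed
# and is simply left in place.
DATE_FIELDS = ("dob", "admit_date", "discharge_date", "death_date")


def generalize_zip(zip5):
    """Keep the first three digits unless that prefix is restricted."""
    if not zip5:
        return None
    zip3 = str(zip5)[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_on(dob, reference):
    """Whole years of age on the reference date."""
    years = reference.year - dob.year
    if (reference.month, reference.day) < (dob.month, dob.day):
        years -= 1
    return years


def safe_harbor(record, reference):
    """Return (de-identified record, re-identification code).

    The code is random, so it is neither derived from nor translatable back
    to the individual; the caller keeps the code->MRN mapping under access
    control and never ships it with the de-identified dataset.
    """
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}

    # Dates: all elements except the year are removed.
    for field in DATE_FIELDS:
        if out.get(field):
            out[field] = out[field].year

    # Ages over 89 are aggregated to "90+", and a birth year that would
    # reveal such an age is removed as well.
    age = age_on(record["dob"], reference) if record.get("dob") else None
    if age is not None and age > 89:
        out["age"] = "90+"
        out["dob"] = None
    else:
        out["age"] = age

    out["zip3"] = generalize_zip(out.pop("zip", None))
    return out, secrets.token_hex(8)


# Constructed sample record; not a real person.
SAMPLE = {
    "name": "Jane Doe",
    "mrn": "MRN-0001234",
    "ssn": "000-00-0000",
    "email": "jane@example.com",
    "street": "1 Example St",
    "city": "Keene",
    "state": "NH",
    "zip": "03601",                 # prefix 036 is in the restricted set
    "dob": date(1931, 6, 15),
    "admit_date": date(2024, 3, 2),
    "discharge_date": date(2024, 3, 9),
    "diagnosis": "I10",
    "lab_a1c": 6.1,
}


def demo():
    """Run the sample through safe_harbor with a fixed reference date."""
    return safe_harbor(SAMPLE, reference=date(2024, 3, 2))


if __name__ == "__main__":
    deidentified, code = demo()
    print(code, deidentified)
```

Note what the output still contains: diagnosis, lab value, state, admission and discharge years, and an age band. That is what safe harbor permits; it does not by itself guarantee low re-identification risk for rare conditions or small populations, which is exactly the situation where the expert determination path, or the additional suppression and perturbation controls described above, earn their keep.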
In summary, PHI is any Individually Identifiable Health Information handled by Covered Entities or Business Associates. Correctly classifying data, restricting use to the minimum necessary, implementing robust safeguards, and using validated de-identification methods help you comply with the HIPAA Privacy Rule while enabling appropriate data use.
FAQs
What types of information are considered PHI under HIPAA?
PHI includes health-related information linked to an identifiable person and handled by a Covered Entity or Business Associate. It spans clinical notes, lab results, claims, and communications when paired with identifiers such as names, addresses, dates (except year), Social Security numbers, medical record numbers, Health Plan Beneficiary Numbers, Biometric Identifiers, full-face photos, and similar unique identifiers.
How does HIPAA regulate the handling of PHI?
HIPAA sets privacy rules for when PHI may be used or disclosed, security safeguards for ePHI, and breach notification duties. You must apply the minimum necessary standard, provide a Notice of Privacy Practices, honor individual rights, implement administrative, physical, and technical protections, manage vendors via BAAs, and document and report incidents as required.
What data is excluded from PHI?
De-Identified Data, education records covered by FERPA, employment records kept by an employer, information about individuals deceased for more than 50 years, and health data held only by entities that are not Covered Entities or Business Associates are excluded. Note that a limited data set is not de-identified and remains PHI.
How is data de-identified under HIPAA?
You can use the safe harbor method by removing the 18 identifiers and ensuring no residual identification risk, or the expert determination method where a qualified expert documents that the risk of re-identification is very small. Proper governance, technical techniques, and periodic reviews help maintain that low risk over time.