What Is PHI Under HIPAA? Definition of Protected Health Information

Kevin Henry

HIPAA

February 14, 2024

7 minute read

Definition of Protected Health Information

Under HIPAA, Protected Health Information (PHI) is any Individually Identifiable Health Information that relates to a person’s past, present, or future physical or mental health, the provision of health care, or payment for care. If the information can identify the individual—or there is a reasonable basis to believe it could—it is PHI.

PHI must be created or received by a Covered Entity or its Business Associate. That means data held by health plans, most health care providers, health care clearinghouses, and vendors servicing them can be PHI. Information in a consumer app that never touches a covered entity is generally not PHI unless you share it with your provider or plan.

Core elements of the definition

  • Links to a person’s health, care, or payment for care.
  • Identifies the individual directly or indirectly.
  • Is created or received by a Covered Entity or Business Associate.
  • Exists in any form or medium—electronic, paper, or oral.

Exclusions from PHI

Not every health-related fact is PHI. HIPAA carves out specific exclusions so you know what falls outside the rule’s protections and obligations.

What is not PHI

  • De-identified information: Data stripped of identifiers so the person cannot be identified. De-identification can be done by safe harbor (removing specified identifiers) or expert determination.
  • Education records and certain treatment records covered by the Family Educational Rights and Privacy Act: FERPA-governed records at schools are not PHI.
  • Employment records held by a covered entity in its role as employer (for example, workplace injury logs kept for HR purposes).
  • Information about an individual who has been deceased for more than 50 years.

Common misconceptions

  • A Limited Data Set (with some identifiers removed) is still PHI and requires a data use agreement.
  • Data that identifies a clinician, organization, or device but not a patient is not PHI.
  • Consumer-generated health data becomes PHI once a Covered Entity or Business Associate receives or maintains it.

Examples of PHI

These identifiers, when linked to health, care, or payment details, make information PHI. The list reflects the Privacy Rule’s well-known identifiers.

Common identifiers

  • Names.
  • Geographic subdivisions smaller than a state (for example, street address, city, ZIP code).
  • All elements of dates (except year) related to an individual (such as birth, admission, discharge, or death dates).
  • Telephone numbers and fax numbers.
  • Email addresses.
  • Social Security numbers.
  • Medical record numbers.
  • Health plan beneficiary numbers.
  • Account numbers.
  • Certificate and license numbers.
  • Vehicle identifiers and license plate numbers.
  • Device identifiers and serial numbers.
  • Web URLs.
  • IP addresses.
  • Biometric identifiers (for example, fingerprints or voiceprints).
  • Full-face photographs and comparable images.
  • Any other unique identifying number, characteristic, or code.
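As an added example (not code from the article or from Accountable), the Python below applies the Safe Harbor method mentioned under "What is not PHI" to a constructed patient record using the identifier list above: listed direct identifiers are dropped, dates are reduced to the year, ZIP codes are truncated to three digits, and ages over 89 are aggregated into "90+" (a Safe Harbor requirement in 45 CFR 164.514(b)(2) that the article does not spell out). The field names and the omitted ZIP-area population lookup are assumptions.

```python
import re

# Assumed field names mapping the Privacy Rule identifier categories onto
# keys of a flat record; these are dropped outright under Safe Harbor.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "phone", "fax", "email", "ssn", "mrn",
    "beneficiary_id", "account", "license", "plate", "device_serial",
    "url", "ip", "biometric", "photo",
}
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}
ISO_DATE = re.compile(r"^(\d{4})-\d{2}-\d{2}$")


def safe_harbor(record: dict) -> dict:
    """Return a copy of record with Safe Harbor identifiers removed or generalized."""
    over_89 = isinstance(record.get("age"), int) and record["age"] > 89
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # direct identifier: removed entirely
        if key in DATE_FIELDS:
            # Only the year may survive. For ages over 89 even the birth
            # year is indicative of age, so it must be removed too.
            if key == "dob" and over_89:
                continue
            m = ISO_DATE.match(str(value))
            out[key] = m.group(1) if m else None
        elif key == "zip":
            # The first three digits are permitted when the three-digit area
            # holds more than 20,000 people; otherwise the rule requires "000".
            # The population lookup is not implemented here (assumption).
            out[key] = str(value)[:3]
        elif key == "age":
            out[key] = "90+" if over_89 else value
        else:
            out[key] = value  # clinical content is retained
    return out


def residual_identifiers(record: dict) -> set:
    """Direct-identifier keys still present. The 'any other unique code'
    category and the actual-knowledge test still need human review."""
    return {k for k in record if k in DIRECT_IDENTIFIERS}


SAMPLE_RECORD = {  # constructed example, not a real patient
    "name": "Jane Q. Sample", "dob": "1931-06-14", "age": 92,
    "street": "12 Example Rd", "city": "Springfield", "state": "IL",
    "zip": "62704", "ssn": "000-00-0000", "mrn": "MRN-0001",
    "email": "jane@example.com", "admit_date": "2023-11-02",
    "diagnosis": "Type 2 diabetes", "a1c": 7.8,
}
```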

Real-world PHI examples

  • Lab results tied to a patient’s name or medical record number.
  • Insurance claims containing dates of service and member IDs.
  • Clinical notes, imaging, and prescriptions associated with identifiable patient details.
  • Portal messages, appointment reminders, or billing statements that include patient identifiers.

Covered Entities and Business Associates

A Covered Entity is a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in standard transactions. If you are in one of these categories, HIPAA applies directly to your handling of PHI.

A Business Associate is any person or organization that performs services for a Covered Entity involving the use or disclosure of PHI. Examples include EHR vendors, billing services, cloud storage providers that host ePHI, telehealth platforms, attorneys, and consultants. Business Associates must sign Business Associate Agreements and safeguard PHI; their relevant subcontractors must do the same.

Obligations at a glance

  • Covered Entities: Follow the Privacy, Security, and Breach Notification Rules; provide patient rights; apply the minimum necessary standard.
  • Business Associates: Implement safeguards, use or disclose PHI only as permitted by contract and HIPAA, and report breaches.

Forms and Mediums of PHI

PHI can exist in any format. Your compliance program should account for each medium where data is created, stored, transmitted, or discussed.

Electronic PHI (ePHI)

  • EHR systems, patient portals, e-prescribing, billing files, email and secure messaging.
  • Cloud backups, mobile devices, wearables, and system logs that contain identifiers.
  • Images and waveforms stored digitally (for example, radiology, ECG).

Paper PHI

  • Printed charts, intake forms, referral letters, and mailed statements.
  • Faxes and printed reports awaiting pickup or shredding.

Oral PHI

  • Conversations about a patient’s condition, handoffs, and phone calls.
  • Voicemail messages that contain identifiable health details.

Importance of PHI Compliance

Protecting PHI safeguards patient trust, reduces legal and financial risk, and supports care coordination. You are expected to limit uses and disclosures to the minimum necessary and to verify recipient identity before sharing PHI.

Privacy, Security, and Breach pillars

  • Privacy Rule: Establish policies for uses and disclosures, workforce training, and sanctions; distribute a Notice of Privacy Practices.
  • Security Rule: Implement administrative, physical, and technical safeguards—risk analysis, access controls, audit logging, encryption in transit and at rest, and contingency plans.
  • Breach Notification Rule: Identify and document incidents, assess risk of compromise, notify affected individuals and regulators when required, and mitigate harm.

Operational best practices

  • Perform periodic risk assessments and update controls as systems change.
  • Use role-based access, strong authentication, and timely termination of accounts.
  • Execute and manage Business Associate Agreements; monitor vendors handling ePHI.
  • Shred or securely dispose of paper and media; mask PHI in screenshots and demos.

PHI and Patient Rights

HIPAA grants individuals several rights over their PHI. You must have processes to honor these requests promptly and consistently.

  • Right of access: Patients can inspect or obtain copies of their PHI, including an electronic copy of ePHI when available.
  • Right to request amendments: Individuals may request corrections if information is inaccurate or incomplete.
  • Right to an accounting of disclosures: Patients can request a record of certain disclosures made outside treatment, payment, and health care operations.
  • Right to request restrictions: Patients may ask you to limit certain uses or disclosures; you must honor specific restrictions in some payment-related situations.
  • Right to confidential communications: Patients can request alternative contact methods or locations.
  • Right to a Notice of Privacy Practices and to file a complaint without retaliation.

In short, PHI is any Individually Identifiable Health Information held by a Covered Entity or Business Associate in any form. Knowing the exclusions, recognizing common identifiers, and operationalizing privacy and security requirements helps you protect patients while enabling care and innovation.

FAQs

What types of information are considered PHI under HIPAA?

PHI includes health, care, or payment information that can identify a person and is created or received by a Covered Entity or Business Associate. Examples range from names, dates, addresses, and medical record numbers to device IDs, IP addresses, biometric identifiers, full-face photos, and health plan beneficiary numbers when those details relate to health care.

How does HIPAA define a covered entity?

A covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in standard transactions. If you fit one of these categories, HIPAA’s Privacy, Security, and Breach Notification Rules apply to your handling of PHI.

Are education records included in PHI?

No. Education records (and certain treatment records) governed by the Family Educational Rights and Privacy Act are not PHI. Those records follow FERPA, not HIPAA, even though they may contain sensitive health details.

What protections does HIPAA provide for PHI?

HIPAA sets privacy rules for when PHI can be used or disclosed, security standards for safeguarding Electronic PHI, and breach notification requirements when unsecured PHI is compromised. It also grants patients rights such as access, amendment, accounting of disclosures, restrictions, and confidential communications.
