What Is PHI Under HIPAA? Protected Health Information, Examples, and Compliance Basics

Kevin Henry

HIPAA

June 20, 2025

8 minute read

Definition of PHI under HIPAA

Under the HIPAA Privacy Rule, Protected Health Information (PHI) is individually identifiable health information that a Covered Entity or its Business Associate creates, receives, maintains, or transmits. It relates to a person’s past, present, or future physical or mental health or condition, the provision of care, or payment for care.

PHI includes any information that identifies—or could reasonably be used to identify—the individual. It spans all formats: electronic PHI (ePHI), paper records, images, audio, and oral communications. The same data point can be PHI in one context (held by a provider) and not PHI in another (held by a consumer app with no HIPAA role).

PHI is broader than a “medical record.” It also covers billing details, eligibility files, benefit determinations, device telemetry tied to a patient, and scheduling logs—so long as the data can be linked to a specific person.

HIPAA Identifiers Constituting PHI

The 18 HIPAA Identifiers

The Safe Harbor de-identification method lists 18 identifiers of the individual, and of the individual's relatives, employers, and household members, that must be removed. Health information that still carries any of them, alone or in combination, is individually identifiable and, when a Covered Entity or Business Associate holds it, is PHI:

  • Names
  • All geographic subdivisions smaller than a state (street address, city, county, precinct, and ZIP code), except that the first three digits of a ZIP code may be kept when the area sharing those three digits has more than 20,000 people; otherwise they become 000
  • All elements of dates other than the year that relate directly to an individual (birth, admission, discharge, death), plus any age over 89 and any date element, including year, that would reveal such an age; ages over 89 may be kept only if aggregated into a single "90 or older" category
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plates
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Biometric identifiers (for example, fingerprints and voiceprints)
  • Full-face photographs and comparable images
  • Any other unique identifying number, characteristic, or code

De-Identification and re-identification

De-Identification removes a data set from PHI status. HIPAA recognizes two methods: (1) Expert Determination, in which a person with appropriate statistical and scientific expertise documents that the risk of re-identification, alone or combined with other reasonably available data, is very small; and (2) Safe Harbor, in which all 18 identifiers of the individual and of relatives, employers, and household members are removed and the Covered Entity has no actual knowledge that the remaining data could identify the person. A re-identification code may be retained only if it is not derived from information about the individual and cannot otherwise be translated back to an identity; neither the code nor the mechanism for re-identification may be used or disclosed for any other purpose.

A “limited data set”, usable for research, public health, or healthcare operations under a Data Use Agreement, removes sixteen direct identifiers but may keep dates, city, state, ZIP code, and ages. It is still PHI, not de-identified data.
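Safe Harbor and a limited data set differ only in which fields are stripped or reduced, so one transform can implement both. The Python below is an added example, not code from this page or from Accountable; the record layout, the field names, and the three restricted ZIP3 prefixes are assumptions for illustration (the real list of ZIP3 areas with 20,000 or fewer people is derived from census data and published by HHS). It also refuses to process a record whose free-text notes still contain an identifier, because either method fails as soon as one remains.

```python
import re

# Assumed record layout for this example. These 16 fields are the direct
# identifiers both Safe Harbor and a limited data set must remove.
DIRECT_IDENTIFIERS = {
    "name", "street", "phone", "fax", "email", "ssn", "mrn", "plan_id",
    "account_no", "license_no", "vehicle_id", "device_id", "url", "ip",
    "biometric", "photo",
}
# Quasi-identifiers a limited data set may keep but Safe Harbor must reduce.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "date_of_death"}
SUBSTATE_GEO = {"city", "county"}

# Safe Harbor keeps only the first three ZIP digits, and only when the ZIP3
# area has more than 20,000 people. Placeholder prefixes, not the HHS list.
RESTRICTED_ZIP3 = {"036", "059", "102"}

# Identifiers that leak into free text (clinical notes are the usual culprit).
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
}


def safe_harbor_zip(zip5: str) -> str:
    prefix = zip5[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def find_identifiers_in_text(text: str) -> list[str]:
    """Names of identifier patterns present in free text, sorted."""
    return sorted(k for k, p in FREE_TEXT_PATTERNS.items() if p.search(text))


def deidentify(record: dict, mode: str = "safe_harbor") -> dict:
    """Return a copy of record with identifiers removed or reduced.

    mode="safe_harbor": the 45 CFR 164.514(b)(2) reductions.
    mode="limited_data_set": remove direct identifiers only; dates, city,
    state, ZIP and ages stay, and a Data Use Agreement is required.
    """
    if mode not in ("safe_harbor", "limited_data_set"):
        raise ValueError(f"unknown mode {mode!r}")
    over_89 = record.get("age", 0) > 89
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field == "notes":
            leaked = find_identifiers_in_text(value)
            if leaked:
                # One identifier left in free text defeats either method; fail closed.
                raise ValueError(f"notes still contain identifiers: {leaked}")
            out[field] = value
        elif mode == "limited_data_set":
            out[field] = value
        elif field in DATE_FIELDS:
            if field == "dob" and over_89:
                continue  # a birth year alone would reveal an age over 89
            out[field] = value[:4]  # keep the year only
        elif field in SUBSTATE_GEO:
            continue
        elif field == "zip":
            out[field] = safe_harbor_zip(value)
        elif field == "age":
            out[field] = "90+" if over_89 else value
        else:
            out[field] = value
    return out


# Constructed sample record, not real data.
SAMPLE = {
    "name": "Jane Q. Sample", "mrn": "MRN-0012345", "ssn": "123-45-6789",
    "email": "jane@example.com", "dob": "1930-06-15", "age": 95,
    "admit_date": "2024-03-02", "city": "Springfield", "state": "IL",
    "zip": "03601", "diagnosis": "I10", "notes": "Follow up in 2 weeks.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE))
    print(deidentify(SAMPLE, "limited_data_set"))
```

Run on the sample, Safe Harbor leaves only the diagnosis, the state, the ZIP3 (here 000, because the prefix is in the restricted set), the admission year, the "90+" age bucket, and the notes; the birth date is dropped entirely because its year would reveal an age over 89. The limited data set keeps the full dates, city, and ZIP, which is exactly why it stays PHI.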

Examples of PHI

Clinical and billing scenarios

  • Progress notes, imaging results, and lab reports linked to a patient’s name or medical record number
  • Prescriptions, medication administration records, and e-prescribing logs tied to a specific individual
  • Claims, explanations of benefits, and prior-authorization files containing identifiers
  • Referral letters or consult summaries that include patient demographics or contact details
  • Appointment schedules or case-management lists that can identify a person

Digital and telehealth contexts

  • Patient portal activity, audit logs, and messages associated with a known user
  • IP addresses, device IDs, and cookies captured by a telehealth platform when linked to a patient account
  • Remote monitoring data (for example, glucose or cardiac telemetry) transmitted to a provider and tied to a person

Oral and visual information

  • Voicemails about diagnoses, treatments, or test results that name or reasonably identify the patient
  • Call recordings from nurse advice lines containing identifiable health details
  • Clinical photos, wound images, or videos that can reveal identity or are stored in the patient’s chart

Exclusions from PHI

Fully de-identified information is not PHI. Data that cannot reasonably identify an individual—via Expert Determination or Safe Harbor—falls outside HIPAA’s PHI scope. Aggregated statistics with no reasonable re-identification risk are also excluded.

Education records covered by FERPA and certain student treatment records are not PHI. Employment records held by a Covered Entity in its role as employer (for example, FMLA forms, workplace drug testing results) are not PHI under HIPAA, although other laws may apply.

Information about a person deceased for more than 50 years is no longer PHI. Consumer-generated health data held by entities that are not a Covered Entity or Business Associate (for example, many wellness or fitness apps with no HIPAA role) is typically not PHI, though consumer protection and state privacy laws may govern it.

Not an exclusion: limited data sets

A limited data set retains certain identifiers and remains PHI. Use requires a Data Use Agreement that specifies the permitted purposes and recipients, requires safeguards, prohibits re-identifying the information or contacting the individuals, and flows the same conditions down to any agent of the recipient.

HIPAA Compliance Requirements

Privacy Rule fundamentals

You may use and disclose PHI only as the Privacy Rule permits or requires, most commonly for treatment, payment, and healthcare operations. Apply the Minimum Necessary standard to uses, disclosures, and requests; the main exceptions are disclosures to a provider for treatment, disclosures to the individual, and disclosures made under the individual's authorization. Provide a Notice of Privacy Practices, obtain authorizations when required, and honor individual rights: access, amendment, restrictions, confidential communications, and an accounting of disclosures.

Security Rule expectations for ePHI

Implement Administrative Safeguards, Physical Safeguards, and Technical Safeguards proportionate to your risks. Conduct a documented risk analysis, manage identified risks, maintain policies and procedures, train your workforce, and test your incident response plan.

Breach Notification Rule

Treat any impermissible use or disclosure of unsecured PHI as a presumed breach unless a documented risk assessment shows a low probability that the PHI was compromised. PHI encrypted consistent with HHS guidance, with the keys uncompromised, is not unsecured PHI, which is why encryption of laptops, removable media, and backups matters so much. When a breach occurs, notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery; notify the U.S. Department of Health and Human Services within the same 60 days for breaches affecting 500 or more individuals, or in an annual submission for smaller ones; and notify prominent media outlets when more than 500 residents of a state or jurisdiction are affected. A Business Associate must notify the Covered Entity without unreasonable delay and no later than 60 days after discovery.

Business Associate Agreements

Before sharing PHI with a vendor, execute a Business Associate Agreement that sets permitted uses/disclosures, requires safeguards, mandates breach reporting, and flows obligations to subcontractors. Monitor vendor performance and retain related documentation.

Governance and documentation

Designate privacy and security officers, train your workforce regularly, apply sanctions for violations, and retain required documentation (for example, policies, risk analyses, BAAs) for the legally required period. Review and update your program as technology, vendors, and workflows change.

Safeguarding PHI

Protect PHI through layered controls that match your risk profile and operations. Combine policy, facility, and technology measures to prevent, detect, and respond to threats.

Administrative Safeguards

  • Enterprise-wide risk analysis and risk management plan
  • Role-based access rules and the Minimum Necessary standard
  • Vendor due diligence, Business Associate oversight, and Data Use Agreements where applicable
  • Workforce training, sanction policies, and ongoing monitoring
  • Documented incident response and contingency planning

Physical Safeguards

  • Facility access controls, visitor management, and secure work areas
  • Workstation/device security, locked storage, and screen privacy protections
  • Media controls for device reuse and disposal (for example, wiping and destruction certificates)

Technical Safeguards

  • Strong authentication, role-based authorization, and session timeouts
  • Encryption in transit and at rest for ePHI wherever feasible (an addressable specification: if you decide not to encrypt, document why and what you did instead); ePHI encrypted consistent with HHS guidance, with keys not compromised, is not unsecured PHI, so its loss on a stolen laptop or backup tape generally does not trigger breach notification
  • Audit logs, anomaly detection, and regular access reviews
  • Data loss prevention, endpoint protection, and timely patching
  • Segmentation, zero-trust principles, and secure APIs for interoperability
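The "audit logs, anomaly detection" bullet is where many HIPAA programs stall: logs are collected but never queried. As an added example, not code from this page or from Accountable, the Python below runs two simple detections over a constructed EHR audit extract in an assumed four-column format: a user who opens more distinct patient charts in ten minutes than a clinical workflow plausibly needs, and any chart access outside assumed staffed hours. The thresholds, the hours, and the user and patient identifiers are illustrative parameters.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import NamedTuple


class Event(NamedTuple):
    ts: datetime
    user: str
    action: str
    patient: str


# Constructed sample events, not real data. Assumed format:
# ISO-8601 timestamp, user id, action, patient id (space separated).
SAMPLE_LOG = """\
2025-06-02T09:01:10 nurse.kim VIEW P1001
2025-06-02T09:02:30 nurse.kim VIEW P1002
2025-06-02T09:04:05 nurse.kim VIEW P1001
2025-06-02T09:05:00 clerk.ray VIEW P2001
2025-06-02T09:05:20 clerk.ray VIEW P2002
2025-06-02T09:05:41 clerk.ray VIEW P2003
2025-06-02T09:06:02 clerk.ray VIEW P2004
2025-06-02T09:06:25 clerk.ray VIEW P2005
2025-06-02T09:06:50 clerk.ray VIEW P2006
2025-06-02T23:45:00 clerk.ray VIEW P2007
"""


def parse_events(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, action, patient))
    return sorted(events, key=lambda e: e.ts)  # the detections assume time order


def breadth_alerts(events, window=timedelta(minutes=10), max_distinct=5):
    """Flag a user whose distinct-patient count within a sliding window
    exceeds max_distinct: the classic chart-browsing ("snooping") pattern.
    One alert per user per run; the analyst pulls the full trail afterwards."""
    recent = defaultdict(deque)  # user -> (ts, patient) pairs inside the window
    alerted, alerts = set(), []
    for e in events:
        q = recent[e.user]
        q.append((e.ts, e.patient))
        while q and e.ts - q[0][0] > window:
            q.popleft()  # expire events that fell out of the window
        distinct = {p for _, p in q}
        if len(distinct) > max_distinct and e.user not in alerted:
            alerted.add(e.user)
            alerts.append({"user": e.user, "at": e.ts, "distinct_patients": len(distinct)})
    return alerts


def off_hours_alerts(events, start_hour=7, end_hour=19):
    """Flag chart access outside assumed staffed hours [start_hour, end_hour)."""
    return [
        {"user": e.user, "at": e.ts, "patient": e.patient}
        for e in events
        if not start_hour <= e.ts.hour < end_hour
    ]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for alert in breadth_alerts(evs) + off_hours_alerts(evs):
        print(alert)
```

On the sample, nurse.kim's repeat views of one chart stay quiet, clerk.ray trips the breadth rule on the sixth distinct chart in under two minutes, and the 23:45 view is flagged as off-hours. In production the same two rules run per role rather than per user, since a triage nurse legitimately touches far more charts per hour than a billing clerk, and every alert should be tied back to the access review process the Security Rule already expects you to run.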

Practical operational tips

  • Data minimization: collect and keep only what you need for defined purposes
  • Standardized de-identification and pseudonymization workflows for analytics
  • Clear procedures for right-of-access requests and secure record sharing
  • Regular tabletop exercises to test breach response and communications

Role of Covered Entities and Business Associates

A Covered Entity includes healthcare providers that transmit health information electronically in standard transactions, health plans, and healthcare clearinghouses. You determine why and how PHI is used or disclosed and are accountable for your workforce and policies.

A Business Associate performs services for or on behalf of a Covered Entity that involve PHI (for example, cloud hosting, billing, transcription, analytics). Business Associates must implement safeguards, limit uses/disclosures to contract terms, and notify of breaches; their subcontractors with PHI are held to the same standards.

Both parties should apply the Minimum Necessary standard, maintain appropriate BAAs, enforce access controls, and coordinate incident handling. Clear data flows, purpose limitations, and monitoring reduce risk and support compliance.

Summary and next steps

PHI under HIPAA is any identifiable health information held by a Covered Entity or Business Associate. Know the identifiers, apply the HIPAA Privacy Rule, and implement Administrative, Physical, and Technical Safeguards. Build governance, vet vendors, and use De-Identification where possible to reduce risk and enable responsible data use.

FAQs

What types of information are considered PHI under HIPAA?

PHI includes any health-related information that identifies a person, or could reasonably identify them, when created, received, maintained, or transmitted by a Covered Entity or Business Associate. It spans clinical notes, lab results, billing records, images, audio, and digital logs in electronic, paper, or oral form whenever they carry identifiers such as the 18 listed under the Safe Harbor method or anything else that could reasonably identify the person.

How can covered entities ensure compliance with HIPAA for PHI?

Establish a privacy and security program aligned to the HIPAA Privacy Rule and Security Rule: perform risk analyses, implement Administrative Safeguards, Physical Safeguards, and Technical Safeguards, train your workforce, manage vendors with BAAs, apply the Minimum Necessary standard, document policies and decisions, and maintain a tested incident response and breach notification process.

What information is excluded from the definition of PHI?

Data that is properly de-identified under HIPAA is not PHI. Also excluded are FERPA-covered education records and certain student treatment records, employment records held by a Covered Entity in its role as employer, information about individuals who have been deceased for more than 50 years, and consumer health data held by entities that are not acting as a Covered Entity or Business Associate.
