What Is Protected Health Information (PHI)? A Clear Definition Under HIPAA


Kevin Henry

HIPAA

March 19, 2024

7 minutes read

Overview of PHI

Protected Health Information (PHI) is Individually Identifiable Health Information created or received by a healthcare organization that relates to a person’s health status, care, or payment for care. Under HIPAA in the United States, PHI can exist in any medium—oral, paper, or electronic.

Health information becomes PHI when a Covered Entity or its Business Associate creates, holds, or transmits it. Electronic Protected Health Information (ePHI) is simply PHI in digital form and is subject to the specific requirements of the Security Rule. The goal is to balance the use of data for care and operations against strong health information confidentiality.

Identifiable Health Information

Information is “individually identifiable” when it either directly identifies a person or could reasonably be used to identify them. If health data is de-identified so it can no longer identify someone, it is no longer PHI.

The 18 HIPAA identifiers that make data identifiable

  • Names
  • Geographic details smaller than a state (street address, city, county, precinct, ZIP code with limited exceptions)
  • All elements of dates (except year) related to an individual; ages over 89 must be aggregated as 90+
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate or license numbers
  • Vehicle identifiers and serial numbers, including license plates
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Biometric identifiers (e.g., fingerprints, voiceprints)
  • Full-face photos and comparable images
  • Any other unique identifying number, characteristic, or code

De-identified and limited data sets

Data is considered de-identified if either all 18 identifiers are removed (the Safe Harbor method) or a qualified expert determines that the risk of re-identification is very small. A limited data set removes the direct identifiers but may keep elements such as city, state, ZIP code, and dates; sharing it requires a data use agreement.
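As an added illustration of the Safe Harbor rules described above (example code written for this article, not part of the original page or of any vendor's product), the following Python routine de-identifies a single constructed patient record: direct identifiers are dropped, dates are reduced to the year, ages over 89 are aggregated to "90+" (and the birth year is dropped with them, since a year alone would reveal the age), and recognisable patterns in free text are replaced with tokens. The record, field names, and regular expressions are all assumptions made for this example. ZIP codes are dropped entirely, which is the conservative choice given the limited exceptions the list mentions.

```python
import re
from datetime import date

# Constructed sample record: every value below is made up for this example.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "dob": "1931-04-12",
    "admit_date": "2024-02-03",
    "zip": "90210",
    "state": "CA",
    "email": "jane.sample@example.com",
    "phone": "555-0123",
    "mrn": "MRN-0001234",
    "ip": "10.0.0.7",
    "diagnosis": "Type 2 diabetes",
    "note": "Jane Q. Sample reports fatigue; call 555-0123 or jane.sample@example.com to follow up.",
}

# Direct identifiers from the Safe Harbor list: removed outright.
# ZIP is dropped completely here (conservative; Safe Harbor allows limited exceptions).
DROP_FIELDS = {"name", "email", "phone", "mrn", "ip", "zip"}
DATE_FIELDS = {"dob", "admit_date"}   # reduced to year only
TEXT_FIELDS = {"note"}                # free text: pattern-based scrubbing

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\b(?:\d{3}-)?\d{3}-\d{4}\b")


def age_on(dob: date, as_of: date) -> int:
    """Completed years of age on the reference date."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def scrub_text(text: str, known_names) -> str:
    """Replace identifiers we can recognise in free text with tokens.

    This is pattern matching only: names are removed by exact match against
    the record's own name field, not by general name detection, so free text
    still needs human or NLP review in a real pipeline.
    """
    text = EMAIL_RE.sub("[EMAIL]", text)
    text = PHONE_RE.sub("[PHONE]", text)
    for name in known_names:
        text = text.replace(name, "[NAME]")
    return text


def deidentify(record: dict, as_of: date) -> dict:
    """Apply the Safe Harbor transformations to one record."""
    out = {}
    known_names = [record["name"]] if record.get("name") else []
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue
        if key in DATE_FIELDS:
            d = date.fromisoformat(value)
            if key == "dob":
                age = age_on(d, as_of)
                if age > 89:
                    # Birth year would itself indicate an age over 89, so drop it too.
                    out["age"] = "90+"
                    continue
                out["age"] = age
            out[key] = str(d.year)  # keep the year only
            continue
        if key in TEXT_FIELDS:
            out[key] = scrub_text(value, known_names)
            continue
        out[key] = value
    return out


def residual_identifiers(record: dict) -> list:
    """Re-scan a de-identified record for patterns that slipped through."""
    hits = []
    for key, value in record.items():
        if isinstance(value, str):
            if EMAIL_RE.search(value):
                hits.append((key, "email"))
            if PHONE_RE.search(value):
                hits.append((key, "phone"))
    return hits


if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD, date(2024, 3, 19))
    print(cleaned)
    print("residual identifiers:", residual_identifiers(cleaned))
```

The `residual_identifiers` pass is the check a practitioner wants before releasing a data set: it re-runs the same detectors over the output so that an identifier copied into an unexpected field is caught rather than assumed absent. Whether the result is a de-identified data set or a limited data set depends on which fields you choose to keep; retaining `admit_date` as a full date, for instance, would move the output into limited-data-set territory and require a data use agreement.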

Forms of PHI

PHI appears in many forms: spoken details during a visit, printed records, and Electronic Protected Health Information (ePHI) within EHRs, portals, and cloud systems. The medium does not change your obligations—only the safeguards differ.

Common examples

  • Clinical notes, lab results, diagnostic images, and prescriptions
  • Claims, billing statements, and remittance details
  • Appointment records, call recordings, and voicemail containing health details
  • Patient portal messages, secure emails, and telehealth session logs
  • Wearable or remote-monitoring data when managed for a provider or health plan

Borderline situations

Consumer apps and devices may not be subject to HIPAA unless they handle data on behalf of a Covered Entity. When a provider directs you to use a vendor that signs a Business Associate agreement, the resulting information becomes PHI.

Covered Entities and Business Associates

Covered Entities include health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically in standard transactions. They drive compliance and remain accountable for how PHI is used and disclosed.

Business Associates are vendors or partners that create, receive, maintain, or transmit PHI for a Covered Entity. Examples include EHR platforms, billing services, cloud hosts, e-fax providers, analytics firms, and consultants. Subcontractors that handle PHI are also Business Associates.

Agreements and responsibilities

Covered Entities must execute Business Associate Agreements that set permitted uses, require safeguards, and mandate breach reporting. Business Associates must implement HIPAA Security Rule controls for ePHI and follow relevant Privacy Rule provisions, aligning with recognized data security standards.


HIPAA Privacy Rule Protections

The HIPAA Privacy Rule governs how PHI may be used and disclosed, embedding the “minimum necessary” standard to preserve health information confidentiality. It permits use for treatment, payment, and healthcare operations, while other uses typically require your written authorization.

You have specific rights: to access and obtain copies of your PHI, request amendments, receive an accounting of certain disclosures, request restrictions, and ask for confidential communications. Organizations must provide a Notice of Privacy Practices explaining how they use PHI and your rights.

De-identified information is not PHI and may be used more freely. Limited data sets may be shared for research, public health, or operations under a data use agreement that restricts re-identification.

PHI Security Requirements

The HIPAA Security Rule sets risk-based Data Security Standards for protecting ePHI across administrative, physical, and technical safeguards. The rule is flexible but expects documented risk analysis and effective, measurable controls.

Administrative safeguards

  • Enterprise risk analysis and risk management program
  • Policies, procedures, workforce training, and sanctions
  • Assigned security responsibility and third-party/vendor risk management
  • Contingency planning, including backups and disaster recovery testing
  • Formal incident response and breach handling processes

Physical safeguards

  • Facility access controls and visitor management
  • Workstation and device protections, privacy screens, and secure locations
  • Media handling, encryption-enabled storage, and secure disposal

Technical safeguards

  • Access controls with unique IDs, role-based access, and multi-factor authentication
  • Encryption in transit and at rest based on risk assessment and industry norms
  • Audit logging, monitoring, and regular review of access patterns
  • Integrity controls, anti-malware, patching, and vulnerability management
  • Transmission security, segmentation, and data loss prevention
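The "audit logging, monitoring, and regular review of access patterns" safeguard above is where the minimum necessary standard becomes something you can actually measure. The following Python script is an added example written for this article (not part of the original page or of any product): it parses a constructed, key=value style ePHI access log, whose format is an assumption, and applies two review rules a defender would commonly start with: clinical staff viewing patients outside their own unit, and any user viewing an unusually large number of distinct patients within a short window. Role names, unit names, thresholds, and the log lines themselves are all made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log in an assumed key=value format; no real EHR emits exactly this.
SAMPLE_LOG = """\
2024-03-18T08:01:10Z user=nurse.a role=nursing unit=ICU action=view patient=P1001 patient_unit=ICU
2024-03-18T08:03:42Z user=nurse.a role=nursing unit=ICU action=view patient=P1002 patient_unit=ICU
2024-03-18T08:05:00Z user=billing.b role=billing unit=REV action=view patient=P2001 patient_unit=ONC
2024-03-18T22:15:00Z user=nurse.c role=nursing unit=ICU action=view patient=P3001 patient_unit=ONC
2024-03-18T22:15:30Z user=nurse.c role=nursing unit=ICU action=view patient=P3002 patient_unit=ONC
2024-03-18T22:16:00Z user=nurse.c role=nursing unit=ICU action=view patient=P3003 patient_unit=ONC
2024-03-18T22:16:20Z user=nurse.c role=nursing unit=ICU action=view patient=P3004 patient_unit=ONC
2024-03-18T22:16:45Z user=nurse.c role=nursing unit=ICU action=view patient=P3005 patient_unit=ONC
2024-03-18T22:17:10Z user=nurse.c role=nursing unit=ICU action=view patient=P3006 patient_unit=ONC
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
# Roles whose access is expected to stay within their own unit (assumption for this example).
CLINICAL_ROLES = {"nursing", "physician"}


def parse_line(line: str) -> dict:
    """Split 'timestamp key=value ...' into a dict with a parsed datetime."""
    ts_str, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def review_access_log(text: str, max_distinct: int = 5,
                      window: timedelta = timedelta(minutes=10)) -> list:
    """Return review findings as (rule, user, detail) tuples.

    Rule 1 (cross_unit_access): clinical user viewed a patient assigned to another unit.
    Rule 2 (bulk_access): user viewed more than max_distinct distinct patients
    inside any sliding window of the given length; reported once per user.
    """
    events = [parse_line(line) for line in text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])
    findings = []
    per_user = defaultdict(list)

    for e in events:
        if e["role"] in CLINICAL_ROLES and e["unit"] != e["patient_unit"]:
            findings.append(("cross_unit_access", e["user"], e["patient"]))
        per_user[e["user"]].append(e)

    for user, evs in per_user.items():
        for i, start in enumerate(evs):
            seen = set()
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                seen.add(e["patient"])
            if len(seen) > max_distinct:
                findings.append(("bulk_access", user, len(seen)))
                break  # one finding per user is enough for a reviewer
    return findings


if __name__ == "__main__":
    for finding in review_access_log(SAMPLE_LOG):
        print(finding)
```

In the constructed log, `nurse.a` looks normal, `billing.b` is exempt from the unit rule because billing legitimately spans units, and `nurse.c` trips both rules. A finding is a prompt for review, not proof of misuse: a float nurse covering oncology would explain the cross-unit hits, which is why the rules carry user, patient, and counts rather than a verdict. Tune `max_distinct` and `window` to the baseline of each role before relying on the bulk rule.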

Practical implementation

  • Map data flows for PHI/ePHI and remove unnecessary exposure
  • Prioritize high-impact risks; document decisions and compensating controls
  • Harden identities and endpoints; limit access to the minimum necessary
  • Test backups and restoration; practice tabletop incident drills
  • Continuously train your workforce and verify vendor controls

Compliance and Enforcement

HIPAA is enforced by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). Organizations must document their compliance program, conduct periodic risk analyses, and report qualifying breaches to individuals, OCR, and sometimes the media within required timeframes.

OCR uses a tiered civil penalty framework based on the organization’s culpability and corrective actions. Remedies may include corrective action plans, monitoring, and civil monetary penalties. Willful neglect, especially if uncorrected, carries the highest exposure.

Criminal penalties may apply for knowingly obtaining or disclosing PHI in violation of HIPAA, with heightened sanctions for offenses committed under false pretenses or for personal gain. State attorneys general can also bring actions, and state privacy laws may impose additional obligations.

Building a sustainable program

  • Appoint privacy and security officers with authority and resources
  • Complete an enterprise-wide risk analysis and update it regularly
  • Maintain clear policies, workforce training, and sanctions for violations
  • Inventory Business Associates and execute robust agreements
  • Establish incident response, breach notification, and continuous improvement cycles

Conclusion

PHI encompasses Individually Identifiable Health Information across paper, oral, and electronic forms. The HIPAA Privacy Rule sets boundaries for use and disclosure, while the Security Rule defines risk-based safeguards for ePHI. By aligning operations with these standards and strengthening vendor oversight, you protect patients, meet compliance duties, and reduce breach risk.

FAQs

What information qualifies as protected health information?

PHI is health-related information held by a Covered Entity or Business Associate that can identify you directly or indirectly. It includes details about your health, care, or payment combined with identifiers like name, dates, address, medical record numbers, or device and network identifiers.

How does HIPAA protect PHI?

HIPAA safeguards PHI through the HIPAA Privacy Rule, which controls uses and disclosures and grants you rights over your data, and the Security Rule, which sets Data Security Standards for ePHI. It also requires breach notification and enforces the minimum necessary principle to maintain health information confidentiality.

Who must comply with PHI regulations?

Covered Entities—health plans, healthcare clearinghouses, and providers conducting standard electronic transactions—and their Business Associates must comply. Subcontractors that handle PHI for a Business Associate are also in scope, and the workforce of each entity must follow the organization’s HIPAA policies.

What are the penalties for PHI breaches?

OCR can require corrective action plans and impose tiered civil monetary penalties based on factors like negligence and timely remediation. Serious or intentional violations can trigger criminal charges. State attorneys general may bring actions, and breaches also carry reputational harm and contractual liabilities.
