What Is Protected Health Information (PHI)? Definition, Examples, and HIPAA Basics



Kevin Henry

HIPAA

March 05, 2024

7 minutes read

Protected Health Information (PHI) is the cornerstone of health information privacy in the United States. Understanding what counts as PHI, how it is protected by the HIPAA Privacy Rule, and how de-identification works helps you handle health data responsibly and avoid costly compliance mistakes.

This guide explains PHI in plain language, shows practical examples and exclusions, and clarifies the roles of Covered Entities and Business Associates. You will also find the definitive list of the 18 HIPAA identifiers used to determine whether data is identifiable.

Definition of Protected Health Information

Core definition

PHI is individually identifiable health information that is created or received by a Covered Entity or its Business Associate and relates to an individual’s past, present, or future physical or mental health or condition, the provision of health care, or payment for health care. PHI can exist in any form or medium—electronic (ePHI), paper, or oral.

What “individually identifiable” means

Information is individually identifiable if it directly identifies a person or there is a reasonable basis to believe the person could be identified. Identifiers include obvious items like name or Social Security Number, but they also include less obvious data points such as IP addresses or device serial numbers when linked to health information.

PHI vs. PII

Personally identifiable information (PII) becomes PHI when it is linked to health information and is created, received, maintained, or transmitted by a Covered Entity or Business Associate. A name and email by themselves are PII; the same data connected to a diagnosis, treatment, or insurance claim is PHI.

Forms and Examples of PHI

Forms

  • Electronic: EHR entries, patient portals, e-prescribing records, images and DICOM metadata, claims files, audit logs.
  • Paper: registration forms, consent forms, printed lab results, discharge summaries, billing statements.
  • Oral: spoken information during consultations, voicemails about appointments or test results, recorded calls.

Practical examples

  • Medical record numbers linked to lab results or diagnoses.
  • Health plan beneficiary numbers tied to claims history.
  • Appointment schedules with patient names and dates of service.
  • Imaging files and associated identifiers (e.g., device serials, accession numbers).
  • Prescription records, allergies, and medication lists identifiable to a person.
  • Payment data for health services, including account numbers tied to a patient.
  • Telehealth session recordings containing a patient’s face and clinical details.

Exclusions from PHI

  • De-identified information: data that no longer identifies an individual under the HIPAA de-identification standards (see below).
  • Education records covered by FERPA, and the student treatment records that FERPA separately carves out (20 U.S.C. 1232g(a)(4)(B)(iv)).
  • Employment records held by a Covered Entity in its role as employer (e.g., sick notes in HR files).
  • Health information about a person who has been deceased for more than 50 years.
  • Consumer health data collected by apps, devices, or websites that are not Covered Entities or Business Associates. (Other privacy laws, such as the FTC Health Breach Notification Rule and state consumer health laws, may still apply.)
  • Aggregated or summary statistics, but only when they meet the de-identification standard below; aggregation by itself is not an exclusion, and small counts combined with dates or locations can still identify someone.

Publicly shared information (e.g., a person’s social media post) is not PHI unless a Covered Entity or Business Associate creates, receives, maintains, or transmits it for a health care purpose.

HIPAA Privacy Rule Overview

Permitted uses and disclosures

The HIPAA Privacy Rule permits use and disclosure of PHI without individual authorization for treatment, payment, and health care operations (TPO), and in specific situations such as certain public health activities, health oversight, and as required by law. Other uses generally require a valid, written authorization.

Minimum necessary standard

When using, disclosing, or requesting PHI, Covered Entities and Business Associates must limit it to the minimum necessary to accomplish the intended purpose. The standard does not apply to disclosures to or requests by a health care provider for treatment, disclosures to the individual, uses or disclosures made under a valid authorization, disclosures required by law, or disclosures to HHS for compliance purposes. In practice this means role-based access: a billing clerk's view of the record should not include clinical notes that are irrelevant to the claim.


Individual rights

  • Right of access to inspect or obtain copies of PHI (including electronic copies of ePHI).
  • Right to request amendments to PHI.
  • Right to an accounting of certain disclosures.
  • Right to request restrictions and to receive confidential communications.
  • Right to receive a Notice of Privacy Practices explaining how PHI is used and shared.

De-Identification of PHI

De-Identification reduces re-identification risk so data can be used or disclosed outside HIPAA’s PHI restrictions. HIPAA recognizes two methods:

Safe Harbor method

Under the Safe Harbor method, remove all 18 HIPAA identifiers for the individual and relatives, employers, or household members, and have no actual knowledge that the remaining information could identify the individual. See the list of identifiers below.

Expert Determination method

Under Expert Determination, a qualified expert applies accepted statistical and scientific principles to determine—and document—that the risk of re-identification is very small, considering context, auxiliary data, and controls.

Limited Data Set (LDS)

An LDS removes the direct identifiers (names, addresses below town level, phone and fax numbers, email addresses, SSNs, record and account numbers, device and vehicle identifiers, URLs, IP addresses, biometrics, and full-face images) but may retain dates, ages, city, state, and ZIP code. An LDS is still PHI: it may be used or disclosed only for research, public health, or health care operations, and only under a Data Use Agreement that specifies permitted uses and recipients, requires safeguards and reporting of unauthorized use, and prohibits re-identifying or contacting the individuals.

Covered Entities and Business Associates

Covered Entities

Covered Entities include health plans, most health care providers that transmit health information electronically in standard transactions, and health care clearinghouses. Hybrid entities may designate health care components subject to HIPAA.

Business Associates

Business Associates are persons or organizations that create, receive, maintain, or transmit PHI for or on behalf of a Covered Entity (or another Business Associate). Examples include cloud service providers storing ePHI, billing companies, EHR vendors, analytics firms, and consultants handling PHI.

BAAs and subcontractors

Covered Entities must have Business Associate Agreements (BAAs) with their Business Associates, and Business Associates must have BAAs with any subcontractors that handle PHI on their behalf. A BAA defines permitted uses and disclosures, required safeguards, breach and security incident reporting obligations, and termination terms, and a Business Associate is directly liable under HIPAA for its own compliance regardless of what the BAA says.

The 18 Identifiers under HIPAA

  • Names.
  • All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes. The only exception is the first three digits of a ZIP code, which may be kept if the area formed by all ZIP codes sharing those three digits has more than 20,000 people; otherwise the prefix must be changed to 000.
  • All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date, and death date; and all ages over 89 and all elements of dates (including year) that would reveal such an age, unless aggregated into a single category of age 90 or older.
  • Telephone numbers.
  • Fax numbers.
  • Email addresses.
  • Social Security numbers.
  • Medical record numbers.
  • Health plan beneficiary numbers.
  • Account numbers.
  • Certificate/license numbers.
  • Vehicle identifiers and serial numbers, including license plate numbers.
  • Device identifiers and serial numbers.
  • Web Universal Resource Locators (URLs).
  • Internet Protocol (IP) address numbers.
  • Biometric identifiers, including finger and voice prints.
  • Full-face photographic images and any comparable images.
  • Any other unique identifying number, characteristic, or code.
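The Safe Harbor and Limited Data Set sections above describe two different cut-offs through the same list of identifiers. The following Python example, added here and not part of the original article, applies both to a structured patient record: direct identifiers are dropped in both modes, while Safe Harbor additionally truncates ZIP codes using the 20,000-person rule, reduces dates to the year, and collapses ages over 89 to "90+". The field names, the sample record, and the set of low-population ZIP prefixes are constructed for illustration; a real implementation must load the prefix set from current Census data and still handle free-text fields, which this code does not inspect.

```python
"""Safe Harbor and Limited Data Set (LDS) transforms for a structured record.

Added example, not code from the original article. Field names and the
low-population ZIP prefix set are constructed placeholders.
"""
from __future__ import annotations

import re
from typing import Any

# Direct identifiers: removed under both Safe Harbor and an LDS.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "beneficiary_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}

# Safe Harbor also strips geography below state level (3-digit ZIP excepted)
# and every date element except the year; an LDS may keep these under a DUA.
GEO_FIELDS = {"city", "county", "zip"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# CONSTRUCTED placeholder: 3-digit ZIP prefixes whose combined population is
# 20,000 or fewer. Safe Harbor requires these to become "000". Load the real
# set from current Census data in production.
LOW_POPULATION_ZIP3 = {"036", "059", "102", "203"}

_ISO_DATE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")


def safe_harbor_zip(zip_code: str) -> str:
    """Keep only the first three digits, or '000' if that area is too small."""
    zip3 = zip_code[:3]
    return "000" if zip3 in LOW_POPULATION_ZIP3 else zip3


def safe_harbor_date(value: str) -> str:
    """Reduce an ISO date to its year; unparseable values are dropped ('')."""
    m = _ISO_DATE.match(value)
    return m.group(1) if m else ""


def de_identify(record: dict[str, Any], mode: str = "safe_harbor") -> dict[str, Any]:
    """Return a copy of `record` with identifiers removed.

    mode="safe_harbor": all 18 identifier classes removed or generalized.
    mode="lds": direct identifiers removed; dates, ages and geography kept.
    Free-text fields pass through untouched and must be reviewed separately.
    """
    if mode not in {"safe_harbor", "lds"}:
        raise ValueError(f"unknown mode: {mode}")

    age = record.get("age")
    over_89 = isinstance(age, int) and age > 89
    out: dict[str, Any] = {}

    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue  # dropped in both modes
        if mode == "lds":
            out[field] = value
            continue
        if field == "zip":
            out[field] = safe_harbor_zip(str(value))
        elif field in GEO_FIELDS:
            continue  # city/county never survive Safe Harbor
        elif field in DATE_FIELDS:
            # Over 89: even the birth year reveals the age band, so drop it.
            if over_89 and field == "birth_date":
                continue
            year = safe_harbor_date(str(value))
            if year:
                out[field] = year
        elif field == "age":
            out[field] = "90+" if over_89 else value
        else:
            out[field] = value
    return out


# Constructed sample record (fictional values).
SAMPLE_RECORD: dict[str, Any] = {
    "name": "Jane Q. Example",
    "mrn": "MRN-0012345",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "ip_address": "203.0.113.7",
    "street_address": "1 Main St",
    "city": "Cambridge",
    "state": "MA",
    "zip": "02139",
    "birth_date": "1951-08-23",
    "admission_date": "2024-02-14",
    "age": 72,
    "diagnosis_code": "E11.9",
}

if __name__ == "__main__":
    import json
    print(json.dumps(de_identify(SAMPLE_RECORD, "safe_harbor"), indent=2))
    print(json.dumps(de_identify(SAMPLE_RECORD, "lds"), indent=2))
```

Note what the two outputs have in common and where they differ: both drop the name, MRN, SSN, email and IP address, but only the LDS keeps the city, full ZIP and exact admission date, which is why it remains PHI and needs a Data Use Agreement. The Safe Harbor output is only de-identified if the remaining fields (here a diagnosis code, state and year) give you no actual knowledge that the person could be re-identified; rare diagnoses in small states are exactly the case where Expert Determination is the safer route.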

Key takeaways

  • PHI is individually identifiable health information linked to care or payment and held by Covered Entities or Business Associates.
  • De-Identification via Safe Harbor or Expert Determination enables use of data with greatly reduced privacy risk.
  • Know the 18 HIPAA identifiers and apply the minimum necessary standard to strengthen compliance and protect individuals’ privacy.

FAQs

What information qualifies as PHI?

PHI is individually identifiable health information about health status, care, or payment that is created, received, maintained, or transmitted by a Covered Entity or Business Associate and identifies a person or could reasonably be used to do so. It spans electronic, paper, and oral forms, and any of the 18 HIPAA identifiers becomes PHI when linked to health information in that setting.

How does HIPAA protect PHI?

The HIPAA Privacy Rule sets rules for how PHI may be used and disclosed, requires the minimum necessary principle, and grants individuals rights such as access and amendment. The HIPAA Security Rule requires Covered Entities and Business Associates to implement administrative, physical, and technical safeguards for ePHI, and both must execute BAAs before sharing PHI with vendors.

What entities are covered under HIPAA?

HIPAA applies to health plans, most health care providers that conduct standard electronic transactions, and health care clearinghouses (Covered Entities), as well as their Business Associates and applicable subcontractors that create, receive, maintain, or transmit PHI.

How is PHI de-identified?

De-identification can be achieved by removing all 18 HIPAA identifiers under the Safe Harbor method while having no actual knowledge that the remaining information could identify the individual, or by obtaining an Expert Determination, documented by a qualified expert, that the risk of re-identification is very small given the data and its context. A Limited Data Set may be used under a Data Use Agreement when elements like dates or ZIP codes are necessary, but it remains PHI.
