What Medical Information Does HIPAA Protect? PHI and ePHI Explained
Definition of Protected Health Information
Protected Health Information is any Individually Identifiable Health Information created, received, maintained, or transmitted by a covered entity or its business associate that relates to an individual’s past, present, or future physical or mental health or condition, the provision of health care, or payment for health care. If the information can identify you—or reasonably be used to identify you—it is PHI.
What counts as PHI
PHI spans clinical details (diagnoses, lab results, imaging, care plans), administrative and billing data (claims, invoices), and communications about your care (messages, discharge summaries). The HIPAA Privacy Rule protects this information whether it is on paper, spoken, or stored electronically.
What is not PHI
- De-identified data that meets HIPAA’s Safe Harbor or Expert Determination standards.
- Education records covered by FERPA and employment records held by a covered entity in its role as employer.
- Health information of individuals deceased for more than 50 years.
ePHI at a glance
Electronic Protected Health Information is PHI in electronic form—such as EHR entries, patient portal data, emails, texts, images, or telemetry. ePHI triggers the HIPAA Security Rule, which adds specific administrative, physical, and technical safeguards.
Categories of Identifiable Data
HIPAA lists 18 identifiers. When any of these appear with health data, the data is generally PHI.
- Names.
- Geographic subdivisions smaller than a state (street address, city, county, ZIP code; three-digit ZIPs are allowed only when the population rule is met).
- All elements of dates (except year) directly related to an individual (for example, birth, admission, discharge, death); ages 90 and older must be aggregated as “90+.”
- Telephone numbers.
- Fax numbers.
- Email addresses.
- Social Security numbers.
- Medical record numbers.
- Health Plan Beneficiary Numbers.
- Account numbers.
- Certificate or license numbers.
- Vehicle identifiers and license plate numbers.
- Device identifiers and serial numbers.
- Web URLs.
- IP addresses.
- Biometric Identifiers (for example, fingerprints or voiceprints).
- Full-face photographs and comparable images.
- Any other unique identifying number, characteristic, or code.
Forms of PHI Protection
Paper and verbal PHI
Medical charts, printed reports, mailed statements, and spoken exchanges are protected. Reasonable safeguards include private conversations, clean-desk practices, caller verification, secure printing, and proper shredding or destruction.
Electronic Protected Health Information
For ePHI, the HIPAA Security Rule requires a risk-based program that includes access controls, audit logging, integrity protections, transmission security, and contingency planning. Encryption is a strongly recommended safeguard for data at rest and in transit.
De-identification and limited data sets
De-identified data falls outside HIPAA. Limited data sets remove direct identifiers but may retain some dates and geography; they can be shared for research, public health, or operations with a Data Use Agreement.
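The 18-identifier list above and the Safe Harbor and limited data set distinctions in this section can be turned into a concrete record-transformation routine. The following is an added example, not code from the page's author or from Accountable: it applies the Safe Harbor rules to a flat record (drop direct identifiers, reduce ZIP codes to three digits or "000", keep only the year of dates, aggregate ages of 90 and older as "90+"), builds a limited data set from the same record, and checks a record for leftover direct identifiers. The field names, the sample record, and the set of low-population ZIP prefixes are constructed assumptions; a real deployment must take the prefix list from current Census figures and map its own schema onto these field names.

```python
"""Safe Harbor de-identification and limited data set construction.

Added example, not code from the page's author or from Accountable.
Field names, the sample record, and the low-population ZIP prefix set are
constructed for illustration; a real deployment must take the ZIP prefix
list from current Census figures and map its own schema onto these fields.
"""
from datetime import date
import re

# Safe Harbor identifiers that are removed outright (the page's list, minus the
# geographic, date and catch-all items, which are handled separately below).
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn",
    "medical_record_number", "beneficiary_number", "account_number",
    "license_number", "vehicle_id", "device_serial", "url", "ip_address",
    "biometric_id", "photo",
})

# Geographic fields smaller than a state; Safe Harbor keeps only a ZIP prefix.
SUB_STATE_GEOGRAPHY = frozenset({"city", "county"})


def generalize_zip(zip_code, small_population_prefixes):
    """First three ZIP digits, or '000' when that prefix fails the population rule."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return None
    prefix = digits[:3]
    return "000" if prefix in small_population_prefixes else prefix


def age_on(birth_date, as_of):
    """Whole years between birth_date and as_of."""
    before_birthday = (as_of.month, as_of.day) < (birth_date.month, birth_date.day)
    return as_of.year - birth_date.year - before_birthday


def safe_harbor_deidentify(record, as_of, small_population_prefixes=frozenset()):
    """Return a Safe Harbor de-identified copy of a flat record."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS or field in SUB_STATE_GEOGRAPHY:
            continue
        if field == "zip":
            prefix = generalize_zip(value, small_population_prefixes)
            if prefix is not None:
                out["zip3"] = prefix
        elif field == "birth_date":
            age = age_on(value, as_of)
            if age >= 90:
                out["age"] = "90+"  # birth year would reveal the age, so it is dropped too
            else:
                out["age"] = age
                out["birth_year"] = value.year
        elif isinstance(value, date):
            out[field + "_year"] = value.year  # every other date keeps only its year
        else:
            out[field] = value
    return out


def limited_data_set(record):
    """Drop direct identifiers but keep dates, city, state and full ZIP."""
    return {f: v for f, v in record.items() if f not in DIRECT_IDENTIFIER_FIELDS}


def residual_direct_identifiers(record):
    """Fields still present that Safe Harbor requires to be removed."""
    return sorted(f for f in record if f in DIRECT_IDENTIFIER_FIELDS)


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "street_address": "1 Example Way",
    "city": "Springfield",
    "state": "IL",
    "zip": "62704-1234",
    "phone": "555-0100",
    "email": "jane@example.invalid",
    "ssn": "000-00-0000",
    "medical_record_number": "MRN-CONSTRUCTED-1",
    "birth_date": date(1931, 5, 20),
    "admission_date": date(2024, 3, 2),
    "diagnosis_code": "E11.9",
    "lab_result_mg_dl": 142,
}
AS_OF = date(2024, 6, 1)
SMALL_POPULATION_PREFIXES = {"999"}  # constructed placeholder, not Census data

if __name__ == "__main__":
    print("safe harbor :", safe_harbor_deidentify(SAMPLE_RECORD, AS_OF, SMALL_POPULATION_PREFIXES))
    print("limited set :", limited_data_set(SAMPLE_RECORD))
    print("leftover ids:", residual_direct_identifiers(SAMPLE_RECORD))
```

The limited data set output still contains dates and town-level geography, which is why it remains regulated and needs a Data Use Agreement, whereas the Safe Harbor output retains only the state, a ZIP prefix, years, and an age bucket. Free-text fields are passed through unchanged here; in practice they need their own review, since a note can carry a name or phone number that no field-level rule catches.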
Minimum necessary standard
Except for treatment and certain other circumstances, covered entities must limit uses, disclosures, and requests to the minimum necessary information needed to accomplish the purpose.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
HIPAA Privacy Rule Overview
The HIPAA Privacy Rule sets when PHI may be used or disclosed, establishes individual rights, and requires transparency through a Notice of Privacy Practices. It applies to all forms of PHI and governs routine workflows and exceptional cases alike.
Permitted uses and disclosures
- Treatment, payment, and health care operations without patient authorization.
- Specific purposes such as public health reporting, health oversight, certain law enforcement and judicial processes, organ donation, and serious threat mitigation, as permitted by law.
- Other uses and disclosures only with a valid, written authorization.
Individual rights
- Access and obtain copies of PHI, including electronic copies when available.
- Request amendments, receive an accounting of certain disclosures, and request restrictions or confidential communications.
- Receive a Notice of Privacy Practices explaining how PHI is handled.
Special topics
- Psychotherapy notes receive heightened protection.
- Marketing, sale of PHI, and many fundraising communications require authorization or offer opt-out rights.
Covered Entities and Responsibilities
Covered Entities include health plans, health care clearinghouses, and health care providers who transmit health information electronically in standard transactions. They must operationalize the HIPAA Privacy Rule and ensure that the business associates they share PHI with protect it as well.
Core responsibilities
- Designate privacy and security officials, conduct risk analyses, and adopt policies and procedures.
- Train the workforce, apply sanctions for violations, and document compliance activities.
- Honor patient rights requests and apply the minimum necessary standard.
- Execute Business Associate Agreements for vendors handling PHI and oversee their compliance.
- Provide breach notification to affected individuals and required authorities when applicable.
Safeguards for PHI Security
Administrative safeguards
- Risk analysis and risk management, security management processes, and workforce training.
- Role-based access, workforce clearances, and sanction policies.
- Contingency planning, including data backup, disaster recovery, and emergency access procedures.
- Vendor and device lifecycle management, including Business Associate oversight.
Physical safeguards
- Facility access controls, visitor management, and secure areas for records and servers.
- Workstation security, cable locks, privacy screens, and secure storage.
- Device and media controls: inventory, reuse procedures, and secure disposal or destruction.
Technical safeguards
- Unique user IDs, strong authentication, and role-based authorization (preferably with multi-factor authentication).
- Encryption in transit and at rest, integrity checks, and automatic logoff.
- Audit controls, security monitoring, and timely patching and configuration management.
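The audit controls and monitoring listed above, together with the minimum necessary standard described earlier on this page, are most useful when audit records are actually reviewed against who is expected to touch which records. The following is an added example, not code from the page's author or from Accountable: it parses constructed ePHI access audit lines, then flags accesses that fall outside a role's expected actions, accesses by clinical staff to patients with no recorded treatment relationship, and emergency ("break-the-glass") accesses that need a justification review. The log format, the role-to-action map, and the care-team assignments are assumptions; real EHR audit logs carry different fields and formats.

```python
"""Review of ePHI access audit records against role and care-team expectations.

Added example, not code from the page's author or from Accountable. The log
format, user roles, action names and care-team map are constructed; real EHR
audit logs differ in format and in the fields they carry.
"""
from collections import namedtuple

AccessEvent = namedtuple("AccessEvent", "timestamp user role patient_id action")

# Constructed audit records: timestamp, user, role, patient, action.
SAMPLE_LOG = """\
2024-03-02T08:15:00 nurse01 nurse PT-1001 view_chart
2024-03-02T08:20:00 nurse01 nurse PT-2002 view_chart
2024-03-02T09:00:00 billing02 billing PT-1001 view_claims
2024-03-02T09:05:00 billing02 billing PT-1001 view_chart
2024-03-02T10:00:00 dr03 physician PT-3003 view_chart
2024-03-02T10:01:00 dr03 physician PT-3003 emergency_access
"""

# Constructed care-team assignments: patients each clinical user is treating.
CARE_TEAM = {
    "nurse01": {"PT-1001"},
    "dr03": set(),
}

# Minimum necessary, expressed as the actions each role is expected to perform.
ROLE_ACTIONS = {
    "nurse": {"view_chart", "update_vitals"},
    "physician": {"view_chart", "order", "emergency_access"},
    "billing": {"view_claims"},
}
CLINICAL_ROLES = {"nurse", "physician"}


def parse_log(text):
    """Parse whitespace-separated audit lines into AccessEvent tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split()
        events.append(AccessEvent(ts, user, role, patient, action))
    return events


def review_access(events, care_team, role_actions):
    """Return a list of (event, reason) findings for a privacy officer to review."""
    findings = []
    for ev in events:
        if ev.action not in role_actions.get(ev.role, set()):
            findings.append((ev, "action outside role's minimum necessary"))
            continue
        if ev.action == "emergency_access":
            findings.append((ev, "break-the-glass access: justification review required"))
            continue
        if ev.role in CLINICAL_ROLES and ev.patient_id not in care_team.get(ev.user, set()):
            findings.append((ev, "no treatment relationship on record"))
    return findings


if __name__ == "__main__":
    for event, reason in review_access(parse_log(SAMPLE_LOG), CARE_TEAM, ROLE_ACTIONS):
        print(f"{event.timestamp} {event.user} {event.patient_id} {event.action}: {reason}")
```

Emergency access is not treated as a violation, only as an event that must be reviewed, since blocking it would conflict with the emergency access procedures listed under contingency planning; the value of the review is in confirming the justification after the fact.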
Limitations and Exceptions to PHI Use
HIPAA balances privacy with care delivery and societal needs. Some disclosures are permitted or required by law without authorization, while others demand explicit consent.
Disclosures without authorization
- Treatment, payment, and operations.
- Public health activities, health oversight, and certain research with an IRB/Privacy Board waiver or a limited data set with a Data Use Agreement.
- Judicial and law enforcement purposes under defined conditions.
- Organ and tissue donation, decedent affairs, and averting serious threats to health or safety.
- Workers’ compensation and other specialized government functions as permitted by law.
When authorization is required
- Most marketing communications and any sale of PHI.
- Use and disclosure of psychotherapy notes (with narrow exceptions).
- Research uses that do not qualify for a waiver or limited data set approach.
Minimum necessary and incidental disclosures
Outside of treatment and certain other exceptions, limit PHI to the minimum necessary for the task. Incidental disclosures that occur despite reasonable safeguards are permitted; a disclosure that results from missing precautions is not.
De-identified information
Data that has been de-identified under HIPAA is not PHI and may be used or shared without HIPAA restrictions. Limited data sets remain regulated and require Data Use Agreements.
Conclusion
In short, if information is Individually Identifiable Health Information about your health, care, or payment—and includes any of HIPAA’s 18 identifiers—it is Protected Health Information. ePHI adds Security Rule requirements. Covered Entities must apply the HIPAA Privacy Rule, implement robust safeguards, and disclose PHI only as permitted or authorized.
FAQs
What types of medical information are protected by HIPAA?
HIPAA protects PHI, which includes any Individually Identifiable Health Information about your past, present, or future health status, the care you receive, or payment for that care. Examples include diagnoses, test results, prescriptions, claims, appointment records, and communications with providers when paired with identifiers such as names, addresses, Health Plan Beneficiary Numbers, or other unique identifiers.
How does HIPAA define electronic PHI?
Electronic PHI (ePHI) is PHI that is created, received, maintained, or transmitted in electronic form—such as data in EHR systems, patient portals, emails, texts, medical images, cloud storage, or device-generated readings. ePHI is subject to the HIPAA Security Rule’s administrative, physical, and technical safeguards.
Who must comply with the HIPAA Privacy Rule?
Covered Entities—health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions—must comply. Business associates that handle PHI for Covered Entities must also protect PHI under contractual and regulatory obligations.
What are the safeguards required for protecting PHI?
Safeguards fall into three groups: administrative (risk analysis, policies, training, incident response), physical (facility and workstation security, device/media controls), and technical (access controls, unique user IDs, audit logs, encryption, integrity and transmission protections). Applying the minimum necessary standard and strong vendor management further reduces risk.