What Medical Information Does HIPAA Protect? PHI, Identifiers, and What’s Not Covered

Kevin Henry

HIPAA

February 18, 2024

8 minute read

Definition of Protected Health Information

Under HIPAA, Protected Health Information (PHI) is any individually identifiable health information that a covered entity or its business associate creates, receives, maintains, or transmits. It relates to a person’s past, present, or future physical or mental health condition, the provision of health care, or payment for care.

PHI combines two elements: health information and identifiers that can reasonably link the data to an individual. When both are present, HIPAA’s health information privacy requirements apply regardless of format—paper, spoken, or electronic (ePHI).

Who counts as a covered entity?

Covered Entities include health plans, health care clearinghouses, and most health care providers who conduct standard electronic transactions. Business associates—service providers that handle PHI on behalf of covered entities—must also meet privacy and security obligations through written agreements.

When information is not PHI

Health information that cannot be tied to an individual (for example, properly de-identified data) is not PHI. Likewise, data that lacks a health context, even if identifiable, falls outside HIPAA. The boundary is the combination of identifiable elements with health-related content, under the control of covered entities or their business associates.

The 18 HIPAA Identifiers

These HIPAA identifiers, when linked to health data, make the information PHI. Removing them under the Safe Harbor method is one path to de-identified data.

  1. Names.
  2. All geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code). The initial three digits of a ZIP code may be retained only when the area formed by all ZIP codes sharing those three digits has more than 20,000 people; otherwise, replace them with 000.
  3. All elements of dates (except year) directly related to an individual, including birth, admission, discharge, and death dates; ages over 89 must be aggregated to “90 or older.”
  4. Telephone numbers.
  5. Fax numbers.
  6. Email addresses.
  7. Social Security numbers.
  8. Medical record numbers.
  9. Health plan beneficiary numbers.
  10. Account numbers.
  11. Certificate and license numbers.
  12. Vehicle identifiers and serial numbers, including license plates.
  13. Device identifiers and serial numbers.
  14. Web URLs.
  15. Internet Protocol (IP) addresses.
  16. Biometric identifiers (for example, fingerprints, retina/iris scans, voiceprints).
  17. Full-face photographs and comparable images.
  18. Any other unique identifying number, characteristic, or code, including unique identifying codes used for re-identification, unless permitted and kept separate.

Special notes on dates and locations

Exact dates (day and month) and small-area locations can reveal identity when combined with clinical details. HIPAA treats these as high risk; keep only what is necessary for the intended use.

Types of Health Information Covered

PHI spans clinical, administrative, and financial data. Examples include medical histories, diagnoses, test results, imaging, prescriptions, treatment plans, and clinician notes. It also includes claims, billing data, prior authorizations, and benefit information tied to an individual.

Sensitive categories—behavioral health, substance use disorder information (subject to additional rules), genetic data, reproductive health details, and biometric measurements—are PHI when associated with HIPAA identifiers. PHI covers written records, conversations, images, and ePHI in electronic health records and patient portals.

Exclusions from PHI

Some identifiable information falls outside HIPAA’s definition of PHI:

  • Education records and certain student health records protected by FERPA.
  • Employment records held by a covered entity in its role as employer (for example, HR files), even if they contain health information.
  • De-identified data that meet HIPAA’s de-identification standards.
  • Health information of a person deceased for 50 years or more.
  • Data collected by consumer apps, wearables, or websites when they do not operate on behalf of a covered entity or its business associate; such data may be governed by other federal or state laws.
  • Aggregated statistics that cannot be used to identify an individual.

De-Identification and Anonymization

HIPAA recognizes two paths to create de-identified data (often called anonymized data in practice). Once de-identified, the data is no longer PHI and is not subject to HIPAA’s privacy rules.

1) Safe Harbor

Remove the 18 HIPAA Identifiers and ensure there is no actual knowledge that the remaining information could identify an individual. Be especially careful with rare conditions, small populations, or unusual combinations that could re-identify someone.
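The two generalisation rules in the identifier list above (the 3-digit ZIP prefix with its 20,000-person threshold and the year-only dates with ages over 89 aggregated) are mechanical enough to implement directly. The following is an added example, not code from the article or from Accountable; the population table and the patient record are constructed sample data, and the field names are assumptions.

```python
from datetime import date

# Constructed sample: residents of the area covered by each 3-digit ZIP prefix.
# In practice these counts come from census data; unknown prefixes are treated
# as failing the threshold, which is the conservative choice.
ZIP3_POPULATION = {"021": 650_000, "036": 12_000, "902": 480_000}

# Constructed field names for the direct identifiers (categories 1 and 4-17)
# that Safe Harbor removes outright rather than generalising.
DIRECT_IDENTIFIER_FIELDS = {"name", "phone", "email", "ssn", "mrn"}


def safe_harbor_zip(zip_code, population=ZIP3_POPULATION):
    """Identifier 2: keep the 3-digit prefix only when its combined area
    has more than 20,000 people; otherwise emit '000'."""
    digits = "".join(ch for ch in zip_code if ch.isdigit())
    if len(digits) < 5:          # malformed input: never leak a partial code
        return "000"
    prefix = digits[:3]
    return prefix if population.get(prefix, 0) > 20_000 else "000"


def safe_harbor_age(birth, as_of):
    """Identifier 3: derive age from the birth date and aggregate ages
    over 89 into a single '90 or older' bucket."""
    birthday_passed = (as_of.month, as_of.day) >= (birth.month, birth.day)
    age = as_of.year - birth.year - (0 if birthday_passed else 1)
    return "90 or older" if age > 89 else str(age)


def safe_harbor_year(d):
    """Identifier 3: retain only the year of an individual-related date."""
    return str(d.year)


def deidentify_record(record, as_of):
    """Apply Safe Harbor to one record: drop direct identifiers, generalise
    ZIP and dates, and keep the clinical content that carries no identifier."""
    out = {k: v for k, v in record.items()
           if k not in DIRECT_IDENTIFIER_FIELDS
           and k not in {"zip", "birth_date", "admission_date"}}
    out["zip3"] = safe_harbor_zip(record["zip"])
    out["age"] = safe_harbor_age(record["birth_date"], as_of)
    out["admission_year"] = safe_harbor_year(record["admission_date"])
    return out


# Constructed sample record, not real patient data.
SAMPLE = {"name": "Jane Doe", "mrn": "MRN-0001", "zip": "03601",
          "birth_date": date(1930, 1, 15), "admission_date": date(2023, 5, 2),
          "diagnosis": "Type 2 diabetes"}
```

Note that the output still needs the "no actual knowledge" review the paragraph above calls for: a rare diagnosis in a small population can re-identify someone even after every identifier is removed.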

2) Expert Determination

A qualified expert uses statistical or scientific methods to determine that the risk of re-identification is very small, and documents the analysis, methods, and results. This approach can retain more utility than Safe Harbor when justified by the risk assessment.

Limited Data Sets

A limited data set is not fully de-identified and remains PHI. It may include dates and some geographic information (city, state, ZIP code) but must be governed by a data use agreement specifying permitted uses, disclosures, and safeguards.

Unique identifying codes for re-identification

Covered entities may assign a unique identifying code to link de-identified records back to individuals when necessary. The code cannot be derived from personal information, and the key must be kept separately with strict controls to preserve health information privacy.

Compliance Requirements for Covered Entities

Covered entities and business associates must implement privacy and security programs proportionate to their risks. Core obligations include policies, training, technical safeguards, and documented governance.

Permitted uses and disclosures

  • Treatment, payment, and health care operations are allowed without patient authorization.
  • Other disclosures may be permitted or required (for example, certain public health activities or as required by law) but must follow the minimum necessary standard when applicable.
  • Marketing, sale of PHI, most research uses, and many non-routine disclosures require explicit patient authorization. Maintain records to demonstrate authorization requirements were met.

Privacy Rule program elements

  • Issue and honor a Notice of Privacy Practices.
  • Apply role-based access and the minimum necessary rule.
  • Execute business associate agreements before sharing PHI with vendors.
  • Support individual rights: access, amendments, accounting of disclosures, restrictions, and confidential communications.

Security Rule safeguards for ePHI

  • Administrative: risk analysis, risk management, workforce training, sanctions, and contingency planning.
  • Physical: facility access controls, device/media protections, and secure disposal.
  • Technical: access controls, unique user IDs, audit logs, integrity controls, transmission security (for example, encryption in transit), and ongoing monitoring.

Breach notification

If unsecured PHI is compromised, promptly assess the risk and provide required notifications to affected individuals and, when applicable, regulators and the media. Document decisions and mitigation steps.

Implications for Employers and Educators

Employers

HIPAA generally does not apply to an employer’s HR records. However, an employer’s group health plan is a covered entity. You must segregate plan PHI from employment records, restrict access to only those performing plan administration, and avoid commingling PHI with HR files unless you have valid authorization or a specific legal basis.

If you receive PHI from a health plan or provider, verify the legal basis (for example, participant authorization or a permitted disclosure) and apply the minimum necessary standard. Other laws—such as disability, genetic, and state privacy laws—may also regulate employee health information.

Educators

Most student records, including school health records maintained by educational institutions, are governed by FERPA, not HIPAA. Schools that operate clinics or provide health services that bill electronically may act as covered entities for those specific operations, requiring HIPAA compliance for clinic records while FERPA continues to apply to education records.

Summary and key takeaways

  • PHI is identifiable health information handled by covered entities or their business associates.
  • HIPAA Identifiers (18 categories) are the anchor for determining identifiability.
  • De-Identified Data created by Safe Harbor or Expert Determination is outside HIPAA.
  • Employment and education records often fall under other laws, not HIPAA.
  • Strong governance, security safeguards, and clear authorization requirements reduce risk and protect health information privacy.

FAQs

What types of health information are protected under HIPAA?

Any identifiable information about an individual’s health status, care, or payment for care that is created, received, maintained, or transmitted by a covered entity or its business associate is PHI. This includes clinical data (diagnoses, labs, images, prescriptions), administrative and financial records (claims, billing), and ePHI in electronic systems, when linked to HIPAA identifiers.

What are the 18 identifiers that constitute PHI?

They are names; small-area geographic data; all elements of dates (except year) and ages over 89; phone and fax numbers; email; Social Security numbers; medical record, health plan, and account numbers; certificate/license numbers; vehicle, device, URL, and IP identifiers; biometric identifiers; full-face photos; and any other unique identifying numbers, characteristics, or codes.

How is de-identified information treated under HIPAA?

Once data is de-identified using Safe Harbor (removal of all 18 identifiers with no actual knowledge of identifiability) or Expert Determination (documented statistical assurance of very small re-identification risk), it is no longer PHI and HIPAA no longer applies. Limited data sets are still PHI and require a data use agreement.

Are employment and education records protected by HIPAA?

Generally, no. Employment records held in an employer’s role as employer are not PHI, and student education records covered by FERPA are excluded from HIPAA. However, a group health plan sponsored by an employer is a covered entity, and school-operated clinics that bill electronically must comply with HIPAA for their clinic records.
