What Medical Records Are Protected by HIPAA? PHI Examples, Exceptions, and Access Rules
Definition of Protected Health Information
Under HIPAA, Protected Health Information (PHI) is Individually Identifiable Health Information that relates to a person’s past, present, or future physical or mental health, the provision of care, or payment for care. It must identify the individual or reasonably allow identification and be created or received by a Covered Entity or its Business Associate. PHI can exist in any form—paper, oral, or electronic (ePHI).
What counts as PHI
- Information that ties health details to an identifiable person, directly or by reasonable inference.
- Data maintained in a Designated Record Set (e.g., medical and billing records used to make decisions about you).
- ePHI stored in EHR systems, patient portals, backups, emails, texts, images, and audio recordings maintained by a Covered Entity.
Where HIPAA applies
- Covered Entity: health plans, most healthcare providers that transact electronically, and healthcare clearinghouses.
- Business Associates: vendors that create, receive, maintain, or transmit PHI for Covered Entities (e.g., billing, cloud hosting, transcription).
Examples of Protected Health Information
These examples illustrate how widely PHI can appear in medical records and related files:
The 18 HIPAA identifiers
- Names
- Geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code); Safe Harbor allows the first three digits of a ZIP code to remain only if the area sharing those three digits has more than 20,000 people, otherwise they must be changed to 000
- All elements of dates (except year) directly related to an individual (e.g., birthdate, admission, discharge, death), plus all ages over 89 and any date elements, including year, that would reveal such an age; these may be aggregated into a single "90 or older" category
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers (including license plates)
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers (including fingerprints and voiceprints)
- Full-face photos and comparable images
- Any other unique identifying number, characteristic, or code
Common record types that are PHI
- Progress notes, histories, physicals, care plans, and discharge summaries.
- Lab results, imaging studies, pathology reports, and diagnostic data.
- Medication lists, e-prescriptions, and pharmacy refill data.
- Claims, explanations of benefits, payment records, and utilization review files.
- Appointment schedules, referral records, and patient portal messages.
- Data from wearables or remote monitoring when maintained by a Covered Entity or Business Associate.
Special sensitivity: Psychotherapy Notes
Psychotherapy Notes (a mental health professional’s separate, personal notes of counseling sessions) are PHI but receive heightened protection. They are not part of the standard Designated Record Set and typically require Authorization for Disclosure for most uses and disclosures beyond treatment by the originator.
Exceptions to Protected Health Information under HIPAA
Some information is not PHI, or is treated differently, even if it concerns health:
- De-identified information: data stripped of identifiers under Safe Harbor or determined by an expert to carry very small re-identification risk.
- Limited Data Set: a form of PHI with certain identifiers removed; usable for research, public health, and operations under a Data Use Agreement.
- Employment records held by a Covered Entity in its role as employer (e.g., FMLA files, pre-employment physical results kept by HR).
- Education records and treatment records subject to FERPA; these are outside HIPAA.
- Health information held by entities that are not Covered Entities or Business Associates (e.g., certain life insurers or consumer apps not providing services to a Covered Entity).
- Information about a person deceased for more than 50 years.
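Safe Harbor de-identification in practice. The following is an added example, not code from the original article or from Accountable. It applies the 18-identifier list above and the Safe Harbor conditions (identifiers removed, dates reduced to year, ZIP codes truncated to three digits or zeroed for small areas, ages over 89 collapsed into "90+") to a constructed, fictional patient record, and it also scans free-text fields for identifier-like strings, because a note that mentions a phone number or a full date is still PHI after the structured fields are stripped. The field names, the record layout, and the list of restricted three-digit ZIP prefixes (taken from HHS de-identification guidance, which is based on 2000 census figures) are assumptions; the regular expressions are a heuristic check, not a guarantee of de-identification.

```python
"""Safe Harbor de-identification of a patient record (added example)."""
import re
from datetime import date

# Assumption: ZIP3 prefixes whose combined population is <= 20,000, as listed
# in HHS de-identification guidance (2000 census). Re-check against current data.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Assumed field names holding identifiers that Safe Harbor removes outright.
REMOVE_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "beneficiary_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo",
}
# Dates directly related to the individual: only the year may survive.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Identifier patterns that commonly survive inside clinical notes.
FREE_TEXT_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b(?:\(\d{3}\)\s?|\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+"),
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def generalize_zip(zip_code: str) -> str:
    """3-digit ZIP prefix, or '000' when that prefix covers <= 20,000 people."""
    zip3 = re.sub(r"\D", "", zip_code)[:3]
    if len(zip3) < 3 or zip3 in RESTRICTED_ZIP3:
        return "000"
    return zip3


def age_on(birth: date, as_of: date) -> int:
    """Whole years between birth and as_of."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def scan_free_text(text: str) -> list[str]:
    """Names of identifier patterns found in a free-text value, sorted."""
    return sorted(kind for kind, pat in FREE_TEXT_PATTERNS.items() if pat.search(text))


def safe_harbor(record: dict, as_of: date) -> tuple[dict, list[str]]:
    """Return (de-identified record, findings).

    Findings name free-text fields that still carry identifier-like strings;
    a non-empty list means the record is not yet releasable as de-identified.
    """
    out, findings = {}, []
    birth = record.get("birth_date")
    over_89 = birth is not None and age_on(birth, as_of) > 89
    for field, value in record.items():
        if field in REMOVE_FIELDS:
            continue
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field in DATE_FIELDS:
            # Keep the year only; over 89 even the birth year reveals the age.
            if not (over_89 and field == "birth_date"):
                out[field + "_year"] = value.year
        elif field == "age":
            out["age"] = "90+" if value > 89 else value
        else:
            if isinstance(value, str):
                hits = scan_free_text(value)
                if hits:
                    findings.append(f"{field}: {', '.join(hits)}")
            out[field] = value
    if over_89:
        out["age"] = "90+"
    return out, findings


# Constructed sample record with fictional data.
SAMPLE = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0012345",
    "birth_date": date(1931, 3, 14),
    "admission_date": date(2023, 11, 2),
    "zip": "03601",
    "diagnosis_code": "I10",
    "note": "Follow up by phone at 555-867-5309 after 11/20/2023.",
}


def demo() -> tuple[dict, list[str]]:
    """Run the sample through Safe Harbor as of a fixed date."""
    return safe_harbor(SAMPLE, as_of=date(2024, 1, 15))


if __name__ == "__main__":
    deid, findings = demo()
    print(deid)
    print("release blocked by:", findings)
```

On the sample, the name and MRN are dropped, the ZIP becomes 000 (036 is on the restricted list), the 92-year-old patient's birth year is suppressed and the age becomes "90+", and the note is flagged for a phone number and a full date. The findings list is the point of the exercise: a Safe Harbor pipeline that only handles structured columns will happily release notes that are still PHI, so free text should be reviewed or redacted before the record is treated as de-identified.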
Permitted Uses and Disclosures of PHI
HIPAA permits disclosure without Authorization for core activities and specific public interests, subject to the minimum necessary rule (which does not apply to treatment):
Treatment, Payment, and Health Care Operations (TPO)
- Treatment: coordination and management of care among providers.
- Payment: billing, eligibility, and reimbursement activities.
- Operations: quality assessment, audits, training, accreditation, and risk management.
Public interest and benefit activities
- Public Health Disclosures: disease reporting, adverse event reporting, and FDA-related safety purposes.
- Health Oversight Activities: audits, investigations, inspections, and licensure actions.
- Judicial/administrative proceedings, law enforcement, and to avert a serious threat to health or safety.
- Research with IRB/Privacy Board waiver or as a Limited Data Set with a Data Use Agreement.
- Organ and tissue donation, medical examiner/coroner purposes, and specialized government functions.
- Workers’ compensation as authorized by law.
When Authorization for Disclosure is required
- Marketing communications (with narrow exceptions), most sales of PHI, and many non-TPO uses.
- Most uses or disclosures of Psychotherapy Notes (beyond treatment by the originator).
Patient Rights Regarding Medical Records
Right of access and copies
You may inspect or obtain a copy of your PHI in the Designated Record Set, including an electronic copy of ePHI when it is maintained electronically. Providers generally must respond within 30 days (one 30-day extension allowed) and may charge a reasonable, cost-based fee for copying, supplies, and postage—not a general retrieval fee. You can direct records to a third party of your choosing.
Form, format, and secure transmission
Access should be provided in the form and format you request if readily producible (e.g., PDF, portal download, secure email). Reasonable identity verification is allowed, but processes must not create barriers to timely access.
Right to request amendment
If you believe information is incorrect or incomplete, you can request an amendment. The provider must act within 60 days (one 30-day extension permitted). If denied, you may submit a statement of disagreement to be included with future disclosures.
Right to an accounting of disclosures
You can request an accounting of certain disclosures (generally excluding TPO) for the previous six years. This helps you see non-routine sharing of your PHI.
Right to request restrictions and confidential communications
- You may request restrictions on certain uses or disclosures; providers are not required to agree except in limited cases, such as when you pay out of pocket in full and request that information not be shared with your health plan for that service.
- You may request communications by alternative means or at alternative locations to protect privacy.
Access exceptions
Two key exceptions to access are Psychotherapy Notes and information compiled in reasonable anticipation of, or for use in, a legal proceeding. Other narrow clinical exceptions may apply when releasing records would likely endanger life or physical safety, subject to review.
Exceptions to Breach Notification Rules
HIPAA’s Breach Notification Rule applies to breaches of unsecured PHI. PHI counts as secured when it has been rendered unusable, unreadable, or indecipherable to unauthorized persons under HHS guidance (encryption consistent with NIST standards, or destruction); loss of properly encrypted data whose decryption key was not also compromised generally does not trigger notification. An impermissible use or disclosure of unsecured PHI is presumed to be a breach unless the Covered Entity or Business Associate demonstrates a low probability that the PHI was compromised, based on a risk assessment of at least four factors: the nature and extent of the PHI involved, the unauthorized person who used it or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. When notification applies, Covered Entities must notify affected individuals without unreasonable delay and no later than 60 days after discovery; breaches affecting 500 or more individuals must also be reported to HHS and to prominent media outlets within that window, while smaller breaches are logged and reported to HHS annually.
Three narrow exceptions
- Unintentional acquisition, access, or use by a workforce member acting in good faith and within scope of authority.
- Inadvertent disclosure from one authorized person to another within the same Covered Entity (or Business Associate) where both are authorized to access the PHI.
- Good-faith belief the unauthorized recipient could not reasonably have retained the information (e.g., returned unopened mail, unreadable files).
Practical implications
- Not every privacy incident is a reportable breach, but the burden of proof sits with the Covered Entity or Business Associate: notification is required unless a documented risk assessment shows a low probability of compromise or one of the three exceptions applies.
- If an Authorization for Disclosure existed for the sharing in question, that disclosure is not a breach.
Summary
HIPAA protects medical records by regulating how Covered Entities and Business Associates handle PHI, defining clear examples, carving out limited exceptions, and setting access and breach notification rules. You have strong rights to obtain, control, and correct your records, while specific public health and oversight needs allow limited sharing without Authorization for Disclosure.
FAQs
What types of medical records are protected by HIPAA?
Any record that contains Individually Identifiable Health Information created or received by a Covered Entity or Business Associate is protected—clinical notes, labs, images, billing files, claims, appointment data, messages, and ePHI in EHRs and portals. If the data can identify you and relates to care or payment, it is PHI.
What are the exceptions to PHI protection under HIPAA?
De-identified information, employment records held by a Covered Entity as an employer, FERPA education and treatment records, health data held solely by non-covered entities, and information about individuals deceased for more than 50 years are not PHI. A Limited Data Set is still PHI, but it may be used or disclosed for research, public health, or operations under a Data Use Agreement without Authorization.
How can patients access their protected health information?
Submit a request to the provider or health plan. You can receive copies in the form and format you request if readily producible, including electronic copies of ePHI. Providers generally must respond within 30 days and may charge only a reasonable, cost-based fee. You may also direct your PHI to a third party.
When is breach notification not required under HIPAA?
Notification is not required when the incident involves secured (properly encrypted) PHI, when a risk assessment shows a low probability of compromise, or when one of the three exceptions applies: good-faith, within-scope access; inadvertent internal disclosure; or a good-faith belief the recipient could not retain the information.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.