What PHI Is Protected by HIPAA? Definition, 18 Identifiers, and Examples
Definition of PHI
Protected Health Information (PHI) is Individually Identifiable Health Information created, received, maintained, or transmitted by Covered Entities or their Business Associates that relates to a person’s past, present, or future physical or mental health, healthcare, or payment for care.
Information becomes PHI when it can identify an individual and is tied to health-related context. If the same data is fully de-identified under HIPAA De-identification Standards, it is no longer PHI.
Designated Record Set
The Designated Record Set is the group of records a covered entity uses to make decisions about individuals (for example, medical records, billing records, enrollment, and case management files). A person’s right of access under the HIPAA Privacy Rule applies to this set.
When information is not PHI
- De-identified data (via Safe Harbor or Expert Determination).
- Employment records held by an employer in its role as employer.
- Education records covered by FERPA.
- Consumer health data held solely by non-covered apps or devices, unless created or received on behalf of a covered entity.
Overview of HIPAA Protection
The HIPAA Privacy Rule governs how PHI may be used and disclosed by Covered Entities (health plans, healthcare clearinghouses, and certain providers) and their Business Associates. It requires the “minimum necessary” standard and grants individuals rights to access, amend, and receive an accounting of disclosures.
The HIPAA Security Rule requires administrative, physical, and technical safeguards for electronic PHI (ePHI). The Breach Notification Rule mandates assessing potential compromises and notifying affected individuals, regulators, and, when applicable, the media.
Together, these rules set baseline privacy controls, define permitted uses and disclosures (treatment, payment, healthcare operations), and require ongoing Risk Assessment, workforce training, and documentation.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
The 18 HIPAA Identifiers
HIPAA’s Safe Harbor method removes the following identifiers to de-identify data. If any of them remain and the data could still identify a person, the information is PHI.
- Names.
- Geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code, and equivalent geocodes).
- All elements of dates (except year) directly related to an individual, and all ages over 89 (aggregated to 90+).
- Telephone numbers.
- Fax numbers.
- Email addresses.
- Social Security numbers.
- Medical record numbers.
- Health plan beneficiary numbers.
- Account numbers.
- Certificate/license numbers.
- Vehicle identifiers and serial numbers, including license plates.
- Device identifiers and serial numbers.
- Web URLs.
- IP address numbers.
- Biometric identifiers, including finger and voice prints.
- Full-face photographs and comparable images.
- Any other unique identifying number, characteristic, or code (except permitted re-identification codes).
Examples of PHI in Practice
- A patient’s EHR note linking symptoms with name and date of birth.
- Insurance claim including diagnosis codes, member ID, and ZIP code.
- Patient portal message containing an IP address, appointment date, and lab results.
- e-Prescription data tied to a medical record number and pharmacy profile.
- Radiology image that includes facial features or embedded device serial numbers.
- Call center recording capturing a patient’s name, policy number, and treatment details.
- Wearable data transmitted to a provider’s system and associated with a patient account.
- Research limited data set (dates and city/ZIP allowed) shared under a Data Use Agreement.
Edge cases
- De-identified datasets (Safe Harbor or Expert Determination) are not PHI.
- Limited data sets exclude direct identifiers but remain PHI and require a Data Use Agreement.
- Consumer health app data is PHI only when a covered entity or its Business Associate creates, receives, or maintains it.
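The Safe Harbor list above and the limited-data-set edge case, as an added example that is not code from the original article: one constructed record is run through a Safe Harbor pass (identifiers dropped, dates reduced to year, ages over 89 aggregated to 90+) and a limited-data-set pass (dates and city/ZIP retained), and a residual-identifier check shows why the first result is no longer PHI while the second still is. Field names and the sample record are assumptions.

```python
# Added example, not code from the original article: a Safe Harbor pass and a
# limited-data-set pass over one constructed record, plus a check for residual
# identifiers. Field names and the sample record are assumptions.
import re

# Direct identifiers from the article's list; Safe Harbor removes every one.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "zip", "phone", "fax", "email",
    "ssn", "mrn", "member_id", "account_no", "license_no", "vehicle_id",
    "device_serial", "url", "ip", "biometric", "photo",
}
LDS_KEEP = {"city", "zip"}           # a limited data set may keep city/ZIP and dates
DATE_FIELDS = ("dob", "visit_date")  # assumed names of the record's date fields
FULL_DATE = re.compile(r"^(\d{4})-\d{2}-\d{2}$")

SAMPLE = {  # constructed sample record, not real patient data
    "name": "Jane Example", "dob": "1931-04-02", "age": 94, "zip": "02139",
    "city": "Cambridge", "mrn": "MRN-000123", "ip": "203.0.113.7",
    "visit_date": "2024-05-17", "diagnosis_code": "E11.9", "lab_result": "HbA1c 7.2%",
}

def deidentify(record, mode="safe_harbor"):
    """Return a copy with identifiers removed ('safe_harbor') or a limited data set ('limited')."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            if mode == "limited" and field in LDS_KEEP:
                out[field] = value
            continue                                    # otherwise dropped under both modes
        if field in DATE_FIELDS and mode != "limited":
            m = FULL_DATE.match(str(value))
            if m:
                out[field] = m.group(1)                 # keep only the year
            continue                                    # unparseable date: drop rather than guess
        if field == "age" and mode != "limited" and isinstance(value, int):
            out[field] = "90+" if value > 89 else value  # ages over 89 aggregate to 90+
            continue
        out[field] = value                              # clinical content stays
    return out

def residual_identifiers(record):
    """Fields that still make the record PHI under Safe Harbor (empty list = de-identified)."""
    found = [f for f in record if f in DIRECT_IDENTIFIERS]
    found += [f for f in DATE_FIELDS if FULL_DATE.match(str(record.get(f, "")))]
    if isinstance(record.get("age"), int) and record["age"] > 89:
        found.append("age")
    return found
```

The limited-data-set output keeps dates, city/ZIP and the raw age, which is why `residual_identifiers` still flags it and a Data Use Agreement is needed before it is shared.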
Compliance Requirements for PHI
Program governance
- Appoint a privacy and security lead; establish policies for the HIPAA Privacy Rule and Security Rule.
- Define the Designated Record Set to operationalize right-of-access, amendments, and disclosures.
Risk Assessment and safeguards
- Perform an enterprise-wide Risk Assessment for ePHI; remediate identified risks and track milestones.
- Apply administrative, physical, and technical safeguards aligned to risk and system criticality.
Workforce and access
- Train workforce on minimum necessary, acceptable use, and incident reporting.
- Enforce role-based access, strong authentication, and timely termination of accounts.
Third parties and data sharing
- Execute Business Associate Agreements before sharing PHI for services.
- Use De-identification Standards where possible; for limited data sets, execute Data Use Agreements.
Operations and accountability
- Maintain audit logs, change management, and secure configuration baselines.
- Implement breach response, sanctions, contingency planning, and data retention/disposal controls.
Risks of PHI Disclosure
- Phishing, credential theft, and ransomware leading to unauthorized access or exfiltration.
- Misdirected emails/faxes, improper mailing, or wrong-patient disclosures.
- Misconfigured cloud storage, weak access controls, or overbroad vendor integrations.
- Use of tracking technologies on patient portals that capture identifiers with health context.
- Re-identification of insufficiently de-identified datasets via data linkage.
- Lost or stolen devices lacking encryption, and insecure home/remote work environments.
Methods to Secure PHI
Administrative safeguards
- Conduct periodic Risk Assessments and update risk management plans.
- Apply the minimum necessary standard through policies, workflows, and approvals.
- Train staff regularly and test incident response with tabletop exercises.
Technical safeguards
- Encrypt ePHI in transit and at rest; enable MFA and least-privilege, role-based access.
- Harden endpoints and servers, patch promptly, and segment networks housing PHI.
- Monitor with SIEM, alert on anomalies, and review access logs routinely.
- Use DLP, secure messaging, and vetted APIs; apply tokenization or pseudonymization where feasible.
Physical safeguards
- Control facility access, secure workstations, and lock file storage.
- Protect and track portable media; sanitize or destroy media before disposal.
Data governance and sharing
- Prefer de-identified data; when sharing a limited data set, require a Data Use Agreement.
- Define the Designated Record Set and retention schedules; verify downstream partner safeguards.
Conclusion
PHI protected by HIPAA is any individually identifiable health information held by covered entities or their business associates. By understanding the 18 identifiers, applying de-identification where appropriate, and implementing risk-based safeguards, you can reduce disclosure risk while honoring patient rights under the HIPAA Privacy Rule.
FAQs
What information qualifies as PHI under HIPAA?
PHI is individually identifiable health information created, received, maintained, or transmitted by a covered entity or business associate that relates to health, care delivered, or payment. If an individual can be identified (directly or indirectly) and the information is tied to health context, it is PHI.
How are the 18 identifiers used to define PHI?
The 18 identifiers are the direct and quasi-identifiers that must be removed under HIPAA’s Safe Harbor method to de-identify data. If any of them remain and the data can still identify a person, the information is treated as PHI and is subject to HIPAA protections.
What protections does HIPAA provide for PHI?
HIPAA establishes privacy rules for permitted uses and disclosures, grants patient rights (access, amendment, accounting), and requires administrative, physical, and technical safeguards for ePHI. It also mandates breach risk assessment and notification when PHI may be compromised.
How can PHI be safely disclosed?
Disclose PHI only as permitted by the Privacy Rule, applying minimum necessary. Use de-identified data whenever possible; for limited data sets, execute a Data Use Agreement. Encrypt transmissions, verify recipient identity and authority, and log disclosures for accountability.