What Records Does HIPAA Protect? From Medical Charts to Claims Files—Across Paper, Digital, and Verbal Formats
Definition of Protected Health Information
Under the Health Insurance Portability and Accountability Act (HIPAA), Protected Health Information (PHI) is Individually Identifiable Health Information about a person's past, present, or future physical or mental health, the care they receive, or the payment for that care, that a Covered Entity or its business associate creates, receives, maintains, or transmits. The term covers data that identifies the individual, or that could reasonably be used to identify them, in any form or medium.
The HIPAA Privacy Rule applies to Covered Entities—healthcare providers that transmit claims electronically, health plans, and healthcare clearinghouses—and to their business associates. PHI includes information these organizations create, receive, maintain, or transmit, whether stored on paper, in Electronic Health Records, spoken aloud, or exchanged through billing systems.
Forms of PHI
Paper records
PHI on paper includes medical charts, registration forms, lab printouts, referrals, prescriptions, and mailed Explanation of Benefits (EOBs). Whiteboards, sign-in sheets, and printed schedules can also be PHI when they display patient identifiers or treatment details.
Electronic records
Electronic PHI (ePHI) spans Electronic Health Records, imaging systems, e-prescribing, patient portals, secure messaging, backups, logs, and metadata tied to an individual. Claims data files and clearinghouse transactions are ePHI when linked to a person.
Verbal communications
Spoken information is PHI when it identifies a patient and relates to care or payment. Hallway consults, shift handoffs, phone calls, voicemails, and telehealth conversations all require the same privacy safeguards as written or digital records.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Examples of PHI
Clinical and demographic data
- Names, addresses, dates of birth, and other contact details linked to care.
- Medical record numbers, account numbers, health plan beneficiary numbers, and device IDs.
- Diagnoses, lab results, imaging, operative notes, medications, allergies, and care plans.
Digital identifiers and media
- Email addresses, IP addresses, and URLs when tied to a patient’s record or portal account.
- Biometric identifiers, full-face photographs, and comparable images used in care.
- Wearable or remote monitoring data when a Covered Entity or its business associate manages it.
Healthcare payment data
- Claims files (for example, CMS-1500/UB-04 data, X12 837/835), remittance advice, and EOBs linked to an individual.
- Prior authorization requests, utilization review notes, and payment appeals containing identifiers.
- Billing codes (ICD, CPT, HCPCS) when associated with a specific person.
Exclusions from PHI
De-identified data is not PHI. HIPAA recognizes two routes: the safe harbor method, under which the 18 listed identifiers of the individual (and of relatives, employers, and household members) are removed and the entity has no actual knowledge that the remaining data could identify the person; and expert determination, under which a qualified expert documents that the risk of re-identification is very small. Aggregate statistics that cannot identify an individual are likewise outside HIPAA's scope.
Education records covered by FERPA and employment records held by an employer in its role as employer are excluded. Information about a person deceased for more than 50 years is not PHI. Consumer health data held solely by non-HIPAA entities (for example, an app not acting for a Covered Entity) is not PHI, though other laws may apply. Note: a Limited Data Set remains PHI and requires a data use agreement.
HIPAA Compliance Requirements
Core privacy standards
- Use and disclose only for treatment, payment, and healthcare operations, or with a valid authorization or another permitted basis.
- Apply the minimum necessary standard to uses, disclosures, and requests for PHI; it does not apply to disclosures to a provider for treatment, to disclosures to the individual, or to those made under a valid authorization.
- Provide a Notice of Privacy Practices and honor individual rights to access and request amendments and an accounting of disclosures.
Security safeguards for ePHI
- Administrative: risk analysis, risk management, workforce training, contingency planning, and vendor oversight.
- Physical: facility access controls, workstation security, device/media controls, and secure disposal.
- Technical: unique user IDs, role-based access, encryption, audit logs, integrity controls, and transmission security.
Documentation, vendors, and incidents
- Maintain written policies and procedures and retain required documentation for at least six years from its creation or last effective date, whichever is later.
- Execute business associate agreements before sharing PHI with vendors.
- Detect, assess, and report breaches in accordance with the Breach Notification Rule, and apply sanctions for violations.
Handling Verbal and Electronic PHI
Verbal PHI
- Hold conversations in private areas when possible; speak quietly and avoid using full names in public spaces.
- Verify identity before discussing PHI by phone; disclose only the minimum necessary.
- Limit voicemail content to non-sensitive details and provide a call-back number rather than full clinical information.
Electronic PHI
- Use encrypted email, secure messaging, and secure file transfer for PHI; verify recipients and disable auto-forwarding.
- Enable multi-factor authentication, automatic logoff, and device encryption; patch systems promptly.
- Monitor access with audit logs; review unusual activity; restrict downloads and printing where feasible.
- Protect telehealth sessions with unique meeting IDs, waiting rooms, and privacy screens to prevent shoulder-surfing.
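The audit-log bullet above ("monitor access with audit logs; review unusual activity") is where most ePHI snooping is actually caught. The Python below is an added example, not code from the page or from Accountable. It parses constructed EHR access-audit lines in an assumed format (timestamp | user | role | MRN | action) and applies two checks that a practitioner would run over such a log: an access with no documented care or payment relationship between the user and the patient, and a user opening more distinct patient records in one clock hour than an assumed per-role baseline allows. The relationship table and baselines are assumptions; in a real deployment they come from scheduling, claim assignment, and historical usage.

```python
"""Review of ePHI access-audit logs: flag chart views with no documented care
or payment relationship, and users who open an unusual number of distinct
patient records in one hour. Added example; the log format, role baselines
and relationship table are assumptions, and the data is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    role: str
    mrn: str
    action: str


def parse_log(text):
    """Parse lines of the assumed form 'timestamp | user | role | MRN | action'."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, user, role, mrn, action = (f.strip() for f in line.split("|"))
        events.append(AccessEvent(datetime.fromisoformat(ts), user, role, mrn, action))
    return events


# Assumed per-role baseline: distinct patients one user may open per clock hour
# before the activity is queued for review.
HOURLY_DISTINCT_LIMIT = {"RN": 15, "MD": 15, "BILLING": 40, "CLERK": 20}


def find_unrelated_access(events, relationships):
    """Flag each access where the user is not in the patient's documented
    relationship set (scheduled encounter, assigned claim, or similar)."""
    findings = []
    for e in events:
        if e.user not in relationships.get(e.mrn, set()):
            findings.append((e.ts.isoformat(), e.user, e.mrn,
                             "no documented care or payment relationship"))
    return findings


def find_volume_anomalies(events):
    """Flag (user, hour) pairs whose distinct-patient count exceeds the role baseline."""
    distinct = defaultdict(set)
    for e in events:
        hour = e.ts.replace(minute=0, second=0, microsecond=0)
        distinct[(e.user, e.role, hour)].add(e.mrn)
    findings = []
    for (user, role, hour), mrns in sorted(distinct.items()):
        limit = HOURLY_DISTINCT_LIMIT.get(role, 10)
        if len(mrns) > limit:
            findings.append((hour.isoformat(), user, len(mrns),
                             f"{len(mrns)} distinct patients in one hour; {role} baseline is {limit}"))
    return findings


# Constructed sample data. A front-desk burst of 25 check-ins is legitimate by
# relationship but trips the volume baseline; one billing view has no claim behind it.
CLERK_MRNS = [f"MRN2{i:05d}" for i in range(25)]
SAMPLE_LOG = "\n".join(
    [
        "2024-03-04T08:02:11 | nurse.kim   | RN      | MRN100231 | VIEW_CHART",
        "2024-03-04T08:05:40 | nurse.kim   | RN      | MRN100232 | VIEW_MEDS",
        "2024-03-04T08:10:02 | dr.osei     | MD      | MRN100231 | VIEW_LABS",
        "2024-03-04T09:14:55 | billing.lee | BILLING | MRN100231 | VIEW_CLAIM",
        "2024-03-04T12:31:07 | billing.lee | BILLING | MRN100509 | VIEW_CHART",
    ]
    + [f"2024-03-04T13:{i:02d}:00 | clerk.ng | CLERK | {m} | VIEW_DEMOGRAPHICS"
       for i, m in enumerate(CLERK_MRNS)]
)
RELATIONSHIPS = {
    "MRN100231": {"nurse.kim", "dr.osei", "billing.lee"},
    "MRN100232": {"nurse.kim"},
    "MRN100509": {"dr.osei"},  # billing.lee has no claim for this patient
}
RELATIONSHIPS.update({m: {"clerk.ng"} for m in CLERK_MRNS})


def review(log_text=SAMPLE_LOG, relationships=RELATIONSHIPS):
    """Run both checks and return the findings grouped by rule."""
    events = parse_log(log_text)
    return {
        "unrelated": find_unrelated_access(events, relationships),
        "volume": find_volume_anomalies(events),
    }


if __name__ == "__main__":
    for kind, items in review().items():
        for item in items:
            print(kind, *item)
```

The two rules catch different things: the relationship check finds the single out-of-place billing view, while the volume check fires on the clerk even though every one of those 25 accesses had a legitimate check-in behind it. Treat a volume hit as a prompt for review, not as proof of misuse, and tune the baselines per role from your own history.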
Safeguarding Claims Files
What claims files contain
Claims repositories hold rich Healthcare Payment Data: member identifiers, subscriber and dependent details, service dates, provider NPI, diagnoses and procedure codes, adjudication notes, remittance information, and appeals. Because these data elements directly tie services to individuals, they are PHI.
Controls to implement
- Apply strict role-based access and segregation of duties for adjudication, analytics, and customer service teams.
- Encrypt files at rest and in transit; use secure EDI channels and approved attachment workflows.
- Mask or tokenize identifiers in lower-trust environments (tokenized data is still PHI, because the token holder can reverse it); use de-identified data where it suffices, and Limited Data Sets only for research, public health, or healthcare operations under a data use agreement.
- Institute retention schedules aligned with legal, contractual, and business needs; dispose using secure shredding or media destruction.
- Audit disclosures to brokers, TPAs, and law firms; confirm minimum necessary and document legal bases.
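The bullets above call for tokenizing identifiers in lower-trust environments and for using de-identified data or Limited Data Sets elsewhere, and the difference between those three outputs is easy to get wrong. The Python below is an added example, not code from the page or from Accountable. It takes one constructed claims record (the field names and values are assumptions) and produces a pseudonymized copy with HMAC-based tokens (still PHI), a Limited Data Set (still PHI, requires a data use agreement), and a safe harbor de-identified copy. Safe harbor here follows the HIPAA rule text: direct identifiers and all geography below state level go, except the first three ZIP digits (000 for the sparse prefixes listed in the HHS guidance), dates reduce to the year, and ages over 89 collapse to "90 or older" along with the birth year. Expert determination is not modeled, and a safe harbor output still requires that you have no actual knowledge the remaining fields could identify the member.

```python
"""Three treatments of one constructed claims record: keyed tokenization for
lower-trust environments (still PHI), a Limited Data Set (still PHI, needs a
data use agreement), and safe harbor de-identification (not PHI). Added
example, not from the page; field names and the record are assumptions."""
import hashlib
import hmac
from datetime import date

# Constructed claims record; every value is made up.
SAMPLE_CLAIM = {
    "member_id": "ABC123456789",
    "member_name": "Jane Q. Sample",
    "dob": "1932-07-14",
    "street": "12 Elm St",
    "city": "Springfield",
    "state": "IL",
    "zip": "62704",
    "phone": "217-555-0100",
    "email": "jane@example.com",
    "service_date": "2024-03-04",
    "provider_npi": "1234567890",  # identifies the provider, not the member
    "icd10": "E11.9",
    "cpt": "99213",
    "claim_id": "CLM-2024-000451",
}

# Direct identifiers (assumed field names) removed for both a Limited Data Set
# and safe harbor. Dates, geography and age are handled separately because the
# two methods treat them differently.
DIRECT_IDENTIFIERS = {"member_id", "member_name", "street", "phone", "email", "claim_id"}

# Three-digit ZIP prefixes with 20,000 or fewer residents per the HHS safe
# harbor guidance (2000 Census list); verify against current Census data.
SPARSE_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
               "823", "830", "831", "878", "879", "884", "890", "893"}


def tokenize(value, key):
    """Keyed, deterministic pseudonym (HMAC-SHA256, truncated) so records for
    the same member still join without exposing the member ID. Whoever holds
    the key can re-identify, so the output is still PHI."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(record, key):
    """For analytics or test environments: tokenize account numbers and mask
    contact fields. Clinical, date and geography fields remain."""
    out = dict(record)
    out["member_id"] = tokenize(record["member_id"], key)
    out["claim_id"] = tokenize(record["claim_id"], key)
    for field in ("member_name", "street", "phone", "email"):
        out[field] = "[masked]"
    return out


def limited_data_set(record):
    """Remove direct identifiers but keep dates, city/state/ZIP and ages."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def _age_on(dob, on):
    b, d = date.fromisoformat(dob), date.fromisoformat(on)
    return d.year - b.year - ((d.month, d.day) < (b.month, b.day))


def safe_harbor(record):
    """Safe harbor: drop direct identifiers and sub-state geography, reduce
    dates to the year, keep only ZIP3 (000 if sparse), aggregate ages over 89.
    The provider NPI is kept because it identifies the provider, not the member."""
    out = limited_data_set(record)
    del out["city"]
    age = _age_on(record["dob"], record["service_date"])
    del out["dob"]
    if age > 89:
        out["age"] = "90+"  # the birth year would reveal an age over 89, so it goes too
    else:
        out["age"] = str(age)
        out["birth_year"] = record["dob"][:4]
    out["service_year"] = record["service_date"][:4]
    del out["service_date"]
    zip3 = record["zip"][:3]
    out["zip3"] = "000" if zip3 in SPARSE_ZIP3 else zip3
    del out["zip"]
    return out


if __name__ == "__main__":
    demo_key = b"\x00" * 32  # assumed key; load from a secrets manager in practice
    print("pseudonymized:", pseudonymize(SAMPLE_CLAIM, demo_key))
    print("limited data set:", limited_data_set(SAMPLE_CLAIM))
    print("safe harbor:", safe_harbor(SAMPLE_CLAIM))
```

Note what survives in each output. The pseudonymized copy still carries date of birth, full ZIP, and diagnosis, so it belongs only inside environments covered by your risk analysis. The Limited Data Set keeps the service date and city, which is exactly why it remains PHI. Only the safe harbor copy can leave HIPAA's scope, and only if nothing else you hold could re-link it.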
Sharing and special situations
- When responding to subpoenas, court orders, or audits, validate authority, scope, and timeframe before producing records.
- For member inquiries, verify identity, document the request, and provide only what is necessary to resolve the issue.
- For vendor onboarding, complete due diligence, execute business associate agreements, and test data flows before go-live.
Conclusion
HIPAA protects any Individually Identifiable Health Information about a person's health, care, or payment that a Covered Entity or its business associate handles—regardless of whether it is on paper, digital, or spoken aloud. By applying the HIPAA Privacy Rule's minimum necessary standard and implementing robust administrative, physical, and technical controls, you can safeguard medical records and claims files while enabling secure, efficient healthcare operations.
FAQs
What types of records are protected by HIPAA?
HIPAA protects any record that contains Protected Health Information created, received, maintained, or transmitted by a Covered Entity or its business associate. That includes paper charts, Electronic Health Records, images, lab results, billing and claims files, remittances, EOBs, and verbal communications tied to an identifiable person.
How does HIPAA define Protected Health Information?
PHI is Individually Identifiable Health Information related to a person’s health, care, or payment that can identify the individual and is handled by a Covered Entity or business associate. It spans all formats—paper, digital, and verbal—and is governed primarily by the HIPAA Privacy Rule.
Are verbal communications covered under HIPAA?
Yes. Conversations, handoffs, phone calls, and voicemails are PHI when they identify a patient and relate to care or payment. You must use reasonable safeguards, such as verifying identity, speaking discreetly, and limiting disclosures to the minimum necessary.
What records are excluded from HIPAA protection?
De-identified data, education records under FERPA, and employment records held by an employer are not PHI. Information about individuals deceased for more than 50 years and consumer health data maintained solely by non-HIPAA entities (not acting as business associates) are also outside HIPAA, though other laws may still apply.