What Records Does HIPAA Protect? PHI Examples and What's Not Covered


Kevin Henry

HIPAA

February 18, 2024

7 minutes read

Definition of Protected Health Information

Protected Health Information (PHI) is Individually Identifiable Health Information created, received, maintained, or transmitted by Covered Entities or their Business Associates. It relates to an individual’s past, present, or future physical or mental health, the provision of care, or payment for care, and either identifies the person or reasonably could be used to identify them.

What makes information “individually identifiable”

Identifiers that link data to a person include names; geographic subdivisions smaller than a state (street address, city, county, precinct, and ZIP code, subject to the narrow three-digit ZIP exception used in Safe Harbor); elements of dates (except year) directly related to an individual, such as birth, admission, discharge, or death dates; ages over 89; phone and fax numbers; email addresses; Social Security and medical record numbers; health plan beneficiary and account numbers; certificate or license numbers; vehicle identifiers (including license plates) and device identifiers or serial numbers; URLs and IP addresses; biometric identifiers (e.g., fingerprints, voiceprints); full-face photographs and comparable images; and any other unique identifying number, characteristic, or code.

PHI can exist in any medium (paper, verbal, or electronic) and the HIPAA Privacy Rule governs its use and disclosure across all forms. The Security Rule is narrower: its administrative, physical, and technical safeguards apply only to electronic PHI (ePHI).

Common Examples of PHI

Clinical and administrative records

  • Electronic health records, problem lists, care plans, progress notes, and discharge summaries tied to a patient.
  • Lab results, imaging reports, and pathology findings labeled with patient identifiers.
  • Prescriptions, medication histories, and immunization records associated with a person.
  • Billing statements, claims data, and payment histories connected to an identifiable individual.

Digital communications and logs

  • Patient portal messages, secure emails, and text reminders that reference a diagnosis, treatment, or appointment for a specific person.
  • Telehealth session metadata, recordings, or chat transcripts linked to a patient.
  • Device serials or app IDs when tied to an identifiable patient record.

Media and biometrics

  • Full-face photos, diagnostic images (e.g., x-rays with name/ID), and voice recordings used in care.
  • Biometric templates such as fingerprints, retinal scans, or voiceprints connected to health services.

Exclusions from HIPAA Protection

Not all personal health information is PHI. HIPAA excludes several categories outright, even when the information concerns health.

  • FERPA Education Records Exclusion: Student education records (and most student health clinic records maintained by a school) are governed by FERPA, not HIPAA.
  • Employment records held by an employer in its role as employer (e.g., FMLA documents, workplace injury logs, pre-employment drug tests kept in HR files).
  • Information about a person deceased for more than 50 years no longer qualifies as PHI.
  • De-identified data that meets HIPAA’s De-identification Standards (explained below).

Remember: the same data may be PHI in one context and not in another. When a hospital stores a heart-rate trace for treatment, it is PHI; when a consumer app collects similar data independently of a Covered Entity, it may fall outside HIPAA.

Understanding De-identified Health Data

De-identified data is information that does not identify an individual and where the risk of re-identification is very small. HIPAA recognizes two methods for de-identification.

Expert Determination

A qualified expert applies accepted statistical or scientific principles to conclude the risk of re-identification is very small and documents the methods and results.

Safe Harbor (HIPAA Identifier Removal)

All 18 categories of identifiers are removed for the individual and for relatives, employers, and household members: names, geographic subdivisions below the state level, all date elements except year, contact numbers, email addresses, account and record numbers, full-face photos, biometric identifiers, URLs, IP addresses, and any other unique identifying number, characteristic, or code. Two generalizations are permitted rather than outright removal: the first three digits of a ZIP code may be kept when the combined population of all ZIP codes sharing those digits exceeds 20,000 (otherwise the prefix becomes 000), and ages over 89, together with any date elements that would reveal such an age, may be collapsed into a single "90 or older" category. Finally, the holder must have no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual.
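The Safe Harbor transformation applied to a structured patient record, as an added example written for this article (it is not code from Accountable or from HHS). The field names, the constructed sample record, and the regular expressions used to flag identifiers that leak into free text are assumptions; the list of restricted three-digit ZIP prefixes is the one published in HHS guidance from 2000 Census data and must be refreshed against current data before real use.

```python
"""Safe Harbor de-identification of a structured record (illustrative example)."""
import re
from datetime import date

# Direct identifiers that Safe Harbor requires removed outright. Field names
# are assumptions for this example; map your own schema onto them.
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric", "photo",
})

# Date fields: only the year may survive (the "_date" suffix is assumed).
DATE_FIELDS = ("birth_date", "admission_date", "discharge_date", "death_date")

# Three-digit ZIP prefixes whose combined population is 20,000 or fewer and
# must therefore be reported as "000". As published in HHS guidance (2000
# Census); refresh from current Census data before relying on it.
RESTRICTED_ZIP3 = frozenset({
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
})

# Patterns that suggest an identifier leaked into free text. Matches are
# flagged for human review, because Safe Harbor also requires no actual
# knowledge that remaining data could identify the person.
LEAK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}


def generalize_zip(zip_code: str) -> str:
    """Keep the first three ZIP digits unless the prefix is population-restricted."""
    digits = re.sub(r"\D", "", zip_code)[:3]
    if len(digits) < 3 or digits in RESTRICTED_ZIP3:
        return "000"
    return digits


def age_on(birth: date, as_of: date) -> int:
    """Whole years between birth and as_of, accounting for the birthday not yet reached."""
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))


def safe_harbor(record: dict, as_of: date) -> tuple[dict, list[str]]:
    """Return (de-identified record, review flags) under the Safe Harbor method."""
    out: dict = {}
    flags: list[str] = []

    age = record.get("age")
    if isinstance(record.get("birth_date"), date):
        age = age_on(record["birth_date"], as_of)

    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key == "age":
            continue  # removed outright; age is handled below
        if key == "zip":
            out["zip3"] = generalize_zip(str(value))
        elif key in DATE_FIELDS:
            if isinstance(value, date):
                out[key[:-5] + "_year"] = value.year  # "birth_date" -> "birth_year"
        else:
            if isinstance(value, str):
                for name, pattern in LEAK_PATTERNS.items():
                    if pattern.search(value):
                        flags.append(f"{key}: possible {name} in free text")
            out[key] = value

    if age is not None:
        if age > 89:
            out["age"] = "90+"
            out.pop("birth_year", None)  # birth year alone would reveal age > 89
        else:
            out["age"] = age
    return out, flags


# Constructed sample record for this example; not real patient data.
SAMPLE = {
    "name": "Jane Q. Example",
    "mrn": "MRN-0001234",
    "street_address": "12 Oak St",
    "city": "Springfield",
    "state": "MA",
    "zip": "01101",
    "birth_date": date(1931, 3, 15),
    "admission_date": date(2023, 11, 2),
    "diagnosis_code": "I10",
    "note": "Pt called from 555-867-5309 re: results. Follow up 11/09/2023.",
}

if __name__ == "__main__":
    deidentified, review = safe_harbor(SAMPLE, date(2024, 2, 18))
    print(deidentified)
    print("review:", review)
```

Run as is, the sample comes back with state, a three-digit ZIP prefix, the admission year, the diagnosis code, and age "90+" with the birth year dropped, while the note is kept but flagged for a phone number and a full date. The flags are the important part: structured-field scrubbing alone does not satisfy Safe Harbor when free-text fields travel with the record, and a pipeline should block release until flagged fields are reviewed or removed.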

Limited Data Set (LDS)

An LDS is not fully de-identified. Direct identifiers (names, street addresses, phone and fax numbers, email addresses, Social Security and record numbers, device and vehicle identifiers, URLs, IP addresses, biometrics, and full-face photos) must still be removed, but city, state, and ZIP code, dates such as admission, discharge, service, birth, and death, and ages may be retained. An LDS may be used or disclosed only for research, public health, or health care operations under a Data Use Agreement, and it remains PHI subject to HIPAA, unlike fully de-identified data.


Health Information Outside HIPAA Scope

HIPAA applies to health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with a HIPAA standard transaction (such as claims or eligibility checks), plus the Business Associates that handle PHI on their behalf. Many other organizations and contexts fall outside HIPAA even when handling health-related data.

  • Consumer apps and wearables collecting data directly from you (e.g., fitness, sleep, menstrual tracking) when not acting on behalf of a Covered Entity.
  • Direct-to-consumer services (e.g., certain genetic tests) that operate independently of Covered Entities.
  • Life, disability, and long-term care insurers; data brokers; and marketing platforms using health-related inferences outside a HIPAA relationship.
  • Employer wellness programs run outside the group health plan structure, and website analytics/cookies on health sites not tied to care delivery by a Covered Entity.
  • Health information you keep for personal use—journals, home logs, or smartphone notes—until you share it with a Covered Entity.

HIPAA’s Privacy, Security, and Breach Notification Rules set the baseline for using, disclosing, safeguarding, and reporting incidents involving PHI. Violations can trigger enforcement by the HHS Office for Civil Rights, corrective action plans, civil monetary penalties, and, for certain wrongful disclosures, potential criminal liability.

HIPAA is a federal floor. State privacy laws may be more protective; when they are, Covered Entities must meet the stricter standard. While HIPAA generally does not create a private right of action, individuals may pursue remedies under other laws if their information is mishandled.

Compliance Requirements for Covered Entities

Governance and policies

  • Designate privacy and security officials and adopt written policies and procedures for Protected Health Information Compliance.
  • Publish a Notice of Privacy Practices and honor patient rights (access, amendments, restrictions, confidential communications, and an accounting of disclosures).
  • Train the workforce routinely and document sanctions for violations.

Risk management and safeguards

  • Conduct and document an accurate and thorough risk analysis of threats to ePHI, and track remediation through a risk management plan that is revisited as systems change.
  • Implement administrative, physical, and technical safeguards: role-based access control, audit logging, integrity and transmission protections, encryption where reasonable and appropriate (an addressable specification under the Security Rule), device and media controls, and contingency planning.

Third parties and data lifecycle

  • Execute Business Associate Agreements before sharing PHI; monitor vendors’ security posture.
  • Follow retention schedules and secure disposal; use HIPAA Identifier Removal or other De-identification Standards when sharing data that does not need identifiers.
  • Prepare and test incident response, including Breach Notification procedures and timely patient and regulator notices when required.

Summary

HIPAA protects PHI when it is Individually Identifiable Health Information handled by Covered Entities or Business Associates. Fully de-identified data falls outside HIPAA, and some records—like FERPA-governed education records and employer HR files—are excluded. Effective compliance requires sound governance, layered safeguards, vendor oversight, and a disciplined approach to data minimization and disclosure.

FAQs

What types of records qualify as PHI under HIPAA?

Any record that contains Individually Identifiable Health Information about a person’s health status, care, or payment for care, and is created or used by a Covered Entity or its Business Associate, qualifies as PHI. This spans clinical notes, lab results, images, billing and claims data, messages about treatment, and related identifiers.

How is de-identified data treated under HIPAA?

Data that meets HIPAA’s De-identification Standards, via Expert Determination or Safe Harbor HIPAA Identifier Removal, is not PHI and is not regulated by HIPAA. A Limited Data Set can be shared for specific purposes under a Data Use Agreement but remains subject to HIPAA.

Which health records are excluded from HIPAA protection?

FERPA-governed student education records, employment records held by an employer in its HR role, data about individuals deceased more than 50 years, and properly de-identified datasets are excluded. Health data collected by consumer apps outside a Covered Entity relationship also typically falls outside HIPAA.

What obligations do covered entities have regarding PHI?

Covered Entities must follow the Privacy, Security, and Breach Notification Rules: limit uses and disclosures, uphold patient rights, implement administrative/physical/technical safeguards, conduct risk analyses, train staff, manage Business Associates with contracts, and report breaches while continuously improving Protected Health Information Compliance.
