When Does PII Become PHI in Healthcare? A HIPAA Guide with Examples
Definition of Personally Identifiable Information
Personally Identifiable Information (PII) is any data that identifies, relates to, or can reasonably be linked to a specific person. It includes direct identifiers such as your name or Social Security number and indirect identifiers like an IP address or device ID that, when combined with other data, can single you out.
PII is a broad, industry-agnostic concept used across sectors from finance to retail. On its own, PII is not regulated by HIPAA. Outside a healthcare context—or when handled by an organization that is not a HIPAA-covered entity or its business associate—PII remains simply PII.
When PII is rendered so it can no longer identify you (for example, through aggregation or rigorous masking), it becomes de-identified data. De-identified data falls outside HIPAA’s scope because it cannot be tied back to an individual.
Definition of Protected Health Information
Protected Health Information (PHI) is a HIPAA term for individually identifiable health information that is created, received, maintained, or transmitted by a HIPAA-covered entity or a business associate. It must relate to your past, present, or future physical or mental health or condition, the provision of care, or payment for care.
HIPAA-covered entities include health plans, healthcare clearinghouses, and most healthcare providers that conduct standard electronic transactions. A business associate is a vendor or subcontractor that performs services for a covered entity and needs access to PHI to do so. PHI can exist in any form—paper, verbal, or electronic (ePHI).
Certain information is expressly excluded from PHI, such as employment records a covered entity holds in its role as an employer, and education records protected by FERPA. Properly de-identified data is also not PHI.
Transformation Process from PII to PHI
PII becomes PHI when three conditions are met: (1) a HIPAA-covered entity or its business associate creates, receives, maintains, or transmits the data; (2) the data relates to health, care delivery, or payment for care; and (3) the person can be identified directly or indirectly. The moment all three apply, the PII is transformed into PHI and HIPAA protections attach.
Quick decision framework
- Who holds or uses the data? If it’s a covered entity or business associate, continue.
- What is the context? If the purpose involves care, benefits, or payment, continue.
- Can the person be identified? If yes, you are dealing with PHI.
Context is critical. The same email address is ordinary PII on a retail newsletter list, but it is PHI when a clinic uses it to send an appointment reminder because it ties identity to healthcare services.
Examples of PII Becoming PHI
- Your name and appointment date stored in a hospital’s scheduling system. The identity-healthcare link makes it PHI.
- An email address collected through a patient portal to deliver lab results. It is PHI because a covered entity uses it for care delivery.
- An IP address and device identifier captured by a telehealth platform when you check in for a virtual visit. In this context, the technical identifiers are PHI.
- A billing address and account number on a health plan claim. These identifiers relate to payment for care, so they are PHI.
- Remote monitoring device serial numbers paired with your readings in a home-care program. The device data becomes PHI because it identifies you and relates to health services.
- Not PHI: Your employer’s sick-leave notes in its HR files (employment records) or your step-count data in a consumer fitness app with no covered entity or business associate involved. These remain PII unless brought under a HIPAA relationship.
HIPAA’s 18 Identifiers for PHI
HIPAA’s Safe Harbor method names 18 identifiers that, when present with health-related content held by a covered entity or business associate, make information individually identifiable. Removing them is one path to de-identification.
- Names
- Geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code, and equivalents; limited exceptions for certain three-digit ZIP codes)
- All elements of dates (except year) directly related to an individual, and all ages over 89 (unless aggregated as 90+)
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plates
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers (for example, finger and voice prints)
- Full-face photographs and comparable images
- Any other unique identifying number, characteristic, or code (with limited exceptions for internal re-identification codes)
De-Identification of PHI
De-identification removes or obscures the elements that could tie information back to you, converting PHI into de-identified data. HIPAA recognizes two methods: Safe Harbor and Expert Determination.
Safe Harbor
Remove all 18 identifiers for the individual, relatives, household members, and employers, and have no actual knowledge that the remaining information could identify the person. Special cases include the three-digit ZIP code rule (only the first three digits may be kept, and certain low-population prefixes must be replaced) and the aggregation of all ages over 89 into a single 90+ category.
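As an added illustration (not the article’s or Accountable’s code), the following Python applies the Safe Harbor rules above to a single record: it drops the enumerated identifiers, keeps only the year of dates, aggregates ages over 89 as "90+", and truncates ZIP codes to three digits. The field names and the sample record are constructed for this example; the restricted three-digit ZIP prefixes are the ones listed in HHS Safe Harbor guidance (based on the 2000 Census) and should be checked against current guidance before use.

```python
"""Illustrative Safe Harbor de-identification of one patient record."""
import re
from datetime import date

# Constructed field names standing in for the Safe Harbor identifier
# categories; a real schema needs its own mapping to these categories.
DROP_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric",
    "photo",
}

# Three-digit ZIP prefixes whose areas held 20,000 or fewer people in the
# 2000 Census; HHS guidance requires these to be changed to 000.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

def generalize_zip(zip_code):
    """Keep the first three digits unless the prefix is restricted."""
    zip3 = re.sub(r"\D", "", zip_code)[:3]
    return "000" if (len(zip3) < 3 or zip3 in RESTRICTED_ZIP3) else zip3

def generalize_age(age):
    """Ages over 89 collapse into a single 90+ category."""
    return "90+" if age > 89 else str(age)

def safe_harbor(record):
    """Apply the field-level Safe Harbor rules. The 'no actual knowledge'
    condition is a human judgement and cannot be automated here."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue                      # identifier removed outright
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key == "age":
            out[key] = generalize_age(value)
        elif isinstance(value, date):
            out[key] = str(value.year)    # all date elements except year
        else:
            out[key] = value              # health content is retained
    return out

# Constructed sample record for demonstration only.
SAMPLE_RECORD = {
    "name": "Ann Example", "email": "ann@example.invalid", "age": 93,
    "zip": "03609-1234", "visit_date": date(2023, 5, 4),
    "diagnosis_code": "E11.9",
}
```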
Expert Determination
A qualified expert uses accepted statistical or scientific methods to determine that the risk of re-identification is very small and documents the methods and results. This can preserve more data utility than Safe Harbor while managing risk.
Limited Data Set note
A limited data set is not fully de-identified: direct identifiers are removed, but some elements such as city, state, ZIP code, and relevant dates may remain. Its use requires a data use agreement and still falls under HIPAA controls.
HIPAA Privacy and Security Rules Overview
Privacy Rule
The Privacy Rule governs how covered entities and business associates may use and disclose PHI. It embodies the minimum necessary standard, grants you rights to access and request corrections, and requires role-based controls and auditing of disclosures where appropriate.
Security Rule
The Security Rule applies to electronic PHI and requires a risk-based program of administrative safeguards, physical safeguards, and technical safeguards. Expect measures such as risk analysis, workforce training, access management, encryption, audit logging, integrity controls, and secure transmission.
Breach Notification
Under HIPAA’s breach notification requirements, entities must assess incidents for compromise, mitigate harm, and, when a breach occurs, notify affected individuals without unreasonable delay and within required timelines. Depending on scale, notification may also go to regulators and, in large breaches, to the media. Business associates must notify the covered entity so timely notices can be made.
Conclusion
PII becomes PHI when it is held by a HIPAA-covered entity or business associate and ties an identifiable person to health, care, or payment details. Knowing the 18 identifiers, when context converts PII into PHI, and how de-identification works helps you manage data lawfully while keeping it useful for care, operations, and improvement.
FAQs
What is the difference between PII and PHI?
PII is any data that identifies you in any context. PHI is a HIPAA-specific subset: individually identifiable health information created, received, maintained, or transmitted by a covered entity or business associate that relates to health, care, or payment. All PHI includes PII, but not all PII is PHI.
When does PII qualify as PHI under HIPAA?
PII qualifies as PHI when a HIPAA-covered entity or its business associate handles it in connection with health, care delivery, or payment, and the person can be identified. Ask: Who has it? What is the purpose? Can the individual be identified? If all three are yes, it is PHI.
How are PHI breaches handled under HIPAA?
Entities conduct a risk assessment, contain and investigate, and notify affected individuals without unreasonable delay and within applicable timelines. Depending on the incident size, they also notify regulators—and, for large breaches, the media. Security programs must include administrative safeguards and technical safeguards to reduce breach risk, and business associates have corresponding duties.
What are the 18 identifiers that make PII become PHI?
They include: names; geographic data smaller than a state; all elements of dates (except year) and ages over 89; phone and fax numbers; email addresses; Social Security, medical record, health plan beneficiary, and account numbers; certificate/license numbers; vehicle and device identifiers; URLs; IP addresses; biometric identifiers; full-face photos; and any other unique identifying number, characteristic, or code.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.