Which of the Following Statements About Protected Health Information (PHI) Is True? Key HIPAA Facts and Examples

Kevin Henry

HIPAA

August 08, 2025


When you handle health data, small misunderstandings can trigger big compliance risks. This guide clarifies what is actually true about protected health information under HIPAA, using clear definitions, concrete examples, and common exclusions so you can apply the rules with confidence.

Definition of Protected Health Information

Protected Health Information (PHI) is Individually Identifiable Health Information created, received, maintained, or transmitted by a HIPAA Covered Entity or its Business Associates. It relates to an individual’s past, present, or future physical or mental health or condition, the provision of healthcare, or payment for healthcare, and it can exist in any form—paper, verbal, or electronic.

In plain terms, information becomes PHI when two elements meet: it identifies (or can reasonably identify) a person, and it carries a health, care, or payment context tied to a covered relationship. If either element is missing, the information is not PHI.

  • True: PHI must be identifiable and connected to health, care, or payment.
  • True: PHI can exist in any medium, including conversations, printouts, and databases.
  • True: HIPAA applies when Covered Entities or Business Associates handle the data.

Forms of Protected Health Information

PHI is not limited to medical charts. Any medium that stores or conveys identifiable health information is in scope. You should inventory all channels where PHI might appear to close visibility gaps.

  • Paper: registration forms, consent forms, printed lab reports, faxed referrals, mailed EOBs.
  • Verbal: care-team huddles, voicemails to patients, discharge instructions, telehealth calls.
  • Electronic: EHR entries, patient portal messages, claims files, emails, texts, e-faxes, backups.
  • Images and media: radiology images, wound photos, full-face photos, audio/video recordings.
  • Device and metadata: medical device outputs, appointment calendars, logs with identifiers.

Examples of Protected Health Information

PHI includes any combination of health-related details and identifiers that can single out a person. The list below shows common, practical examples you are likely to encounter day to day.

  • Name plus diagnosis (for example, “Alex Chen—type 1 diabetes”).
  • Medical record number, account number, prescription number, or claims ID tied to services.
  • Contact details used in care, such as phone, email, or mailing address on a patient file.
  • Government or payer identifiers connected to treatment or billing (SSN, Medicare/Medicaid ID).
  • Dates related to care or payment (admission, discharge, procedure, birth) when identifiable.
  • Biometric identifiers and images, such as fingerprints or full-face photographs used in care.
  • Device identifiers, IP addresses, or geolocation data when associated with a patient portal or EHR activity.

Exclusions from Protected Health Information

Not all health-related data is PHI. Knowing the exclusions helps you apply the right safeguards while avoiding over-classification that hinders operations.

  • De-identified Information: data stripped of identifiers under HIPAA’s safe harbor or expert determination methods, with no reasonable basis to identify an individual.
  • Employment records held by a Covered Entity in its role as employer (for example, FMLA files in HR), even if health-related.
  • Education records covered by FERPA and related treatment records from schools or universities.
  • Information about a person deceased for more than 50 years (beyond HIPAA’s PHI protection period).
  • Consumer health data collected by apps or devices that are not acting for a Covered Entity or Business Associate (these may be governed by other laws, but not HIPAA).

Important: a limited data set is still PHI (with certain identifiers removed) and requires a data use agreement—it is not de-identified under HIPAA.
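As an added illustration (not code from the article or from Accountable), the Python below sketches the two-element PHI test and shows why a limited data set stays PHI while safe harbor output does not. The record, field names, and the as-of date are constructed assumptions, and only a subset of safe harbor's 18 identifier classes is handled.

```python
from datetime import date

# Identifier classes that HIPAA's safe harbor method (45 CFR 164.514(b)) removes.
# Subset of the 18 classes, enough to cover the constructed record below.
DIRECT_IDENTIFIERS = {"name", "ssn", "mrn", "phone", "email", "ip_address", "device_id"}
# A limited data set (45 CFR 164.514(e)) may keep these; safe harbor may not.
INDIRECT_IDENTIFIERS = {"dob", "admission_date", "zip", "city"}
HEALTH_CONTEXT = {"diagnosis", "claim_amount"}

# Constructed sample patient record (fictional values, not from the article).
SAMPLE = {
    "name": "Alex Chen", "ssn": "123-45-6789", "mrn": "MRN-00417",
    "phone": "555-0100", "email": "alex@example.com", "ip_address": "203.0.113.7",
    "device_id": "pump-8812", "dob": "1931-04-02", "admission_date": "2025-03-14",
    "zip": "02138", "city": "Cambridge", "diagnosis": "type 1 diabetes",
    "claim_amount": 1240.50,
}

def is_phi(record):
    """The article's two-element test: identifiable AND health/care/payment context."""
    identifiable = bool((DIRECT_IDENTIFIERS | INDIRECT_IDENTIFIERS) & set(record))
    return identifiable and bool(HEALTH_CONTEXT & set(record))

def limited_data_set(record):
    """Strip direct identifiers only; dates and geography remain, so it is still PHI."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}

def safe_harbor(record, as_of=date(2025, 8, 8)):
    """Strip direct identifiers, keep only the year of dates, generalize ZIP and age."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS | {"city"}}
    if "admission_date" in out:
        out["admission_year"] = int(out.pop("admission_date")[:4])
    if "dob" in out:
        birth_year = int(out.pop("dob")[:4])
        age = as_of.year - birth_year  # year-level approximation (assumption)
        # Ages 90 and over are aggregated and the birth year dropped; otherwise the year may stay.
        if age >= 90:
            out["age"] = "90+"
        else:
            out["birth_year"], out["age"] = birth_year, age
    if "zip" in out:
        # Keep the first 3 ZIP digits (assumption: not a low-population ZIP3,
        # which safe harbor would require replacing with "000").
        out["zip3"] = out.pop("zip")[:3]
    return out
```

Running `is_phi` over the three versions of the record shows the point of the note above: the original and the limited data set are PHI, the safe harbor output is not.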

Electronic Protected Health Information

Electronic PHI (ePHI) is PHI that you create, receive, maintain, or transmit electronically. Because digital systems concentrate risk, safeguards must address data at rest, in transit, and in use across the full lifecycle—from capture and storage to sharing and disposal.

  • Access controls and authentication to ensure only authorized users see ePHI.
  • Encryption for data in transit and at rest to render “unsecured PHI” unreadable if breached.
  • Audit logs, activity monitoring, and integrity controls to detect and investigate incidents.
  • Contingency planning, backups, and disaster recovery to maintain availability.
  • Mobile device, telehealth, cloud, and third-party risk management to close common gaps.

Covered Entities and Business Associates

Covered Entities include healthcare providers that transmit health information electronically for standard transactions, health plans, and healthcare clearinghouses. Business Associates are vendors or partners that create, receive, maintain, or transmit PHI on behalf of a Covered Entity.

  • Covered Entities: hospitals, clinics, physician practices, pharmacies, labs, health plans, TPAs.
  • Business Associates: EHR and billing vendors, cloud and data hosting providers, MSPs, transcription services, analytics firms, and subcontractors handling PHI.
  • Business Associate Agreements (BAAs) are required to define permitted uses and safeguards.

HIPAA Privacy and Security Rules

The HIPAA Privacy Rule governs how PHI may be used and disclosed and grants patient rights, such as access, amendments, and an accounting of certain disclosures. It also establishes the “minimum necessary” standard to limit PHI to what is needed for the task.

The HIPAA Security Rule sets administrative, physical, and technical safeguards for ePHI. You must perform risk analyses, implement workforce training and sanctions, manage third-party risk, and apply controls like encryption, access management, and audit logging.

The Breach Notification Rule requires notification to affected individuals, regulators, and in some cases the media when unsecured PHI is compromised. Timely assessment and documentation are essential, including a risk assessment of the likelihood that PHI was compromised.

FAQs

What information qualifies as protected health information?

PHI is Individually Identifiable Health Information created or received by a Covered Entity or Business Associate that relates to health, care delivery, or payment. If a person can be identified and the context is health-related, it is PHI.

How does HIPAA define electronic PHI?

Electronic PHI (ePHI) is any PHI stored or transmitted electronically, such as EHR entries, portal messages, claims files, emails, or backups. The HIPAA Security Rule sets specific safeguards for ePHI across systems and vendors.

Who are considered covered entities under HIPAA?

Covered Entities are health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in standard transactions. Their Business Associates and applicable subcontractors must also protect PHI under BAAs.

What types of information are excluded from PHI?

De-identified Information, FERPA education records, employment records held by a Covered Entity in its role as employer, and data about a person deceased for more than 50 years are excluded. Consumer health data not handled for a Covered Entity may also fall outside HIPAA, though other laws can apply.
