Protected health information, or PHI, is the data HIPAA exists to safeguard. Understanding exactly what qualifies helps you apply the right protections and avoid both over- and under-classifying information.
The definition
PHI is individually identifiable health information that is held or transmitted by a covered entity or business associate, in any form, whether electronic, paper, or oral. Individually identifiable health information relates to a person's past, present, or future physical or mental health, the provision of care, or payment for care, and either identifies the person or could reasonably be used to identify them.
When PHI exists in electronic form, the Security Rule refers to it as electronic protected health information, or ePHI.
The 18 identifiers
HIPAA's Privacy Rule (45 CFR 164.514(b)(2)) lists 18 categories of identifiers that, when tied to health information, make it individually identifiable. The full list is:
- Names
- Geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code), with a narrow exception for the first three digits of a ZIP code when the area they cover has more than 20,000 people
- All elements of dates except the year for dates directly related to an individual (birth, admission, discharge, death), and all ages over 89
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate and license numbers
- Vehicle identifiers and serial numbers, including license plates
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers such as fingerprints and voiceprints
- Full-face photographs and comparable images
- Any other unique identifying number, characteristic, or code
These identifiers also play a role in de-identification, discussed below.
What is not PHI
Health information is not PHI in every context. Two notable examples:
- Employment records. Health information a covered entity holds in its role as an employer, such as sick-leave records, is generally not PHI under HIPAA.
- Education records covered by FERPA are excluded from the Privacy Rule's definition.
Data held by organizations that are neither covered entities nor business associates is also outside HIPAA, even if it looks like health information.
De-identified data
Once health information is properly de-identified, it is no longer PHI and is not restricted by the Privacy Rule. HIPAA recognizes two methods:
| Method | How it works |
|---|---|
| Expert Determination | A person with appropriate statistical and scientific expertise determines that the risk an anticipated recipient could identify an individual, alone or in combination with other reasonably available information, is very small, and documents the methods and results that justify that conclusion. |
| Safe Harbor | All 18 identifiers of the individual and of the individual's relatives, employers, and household members are removed, and the entity has no actual knowledge that the remaining data could be used, alone or with other information, to identify someone. |
Under either method, a covered entity may keep a code for re-identification, provided the code is not derived from information about the individual and the re-identification mechanism is not disclosed.
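Safe Harbor is mechanical enough to implement, and doing so exposes the details practitioners most often miss: "dates" means every element except the year, ages over 89 collapse into a single "90+" bucket (the birth year goes too), ZIP codes keep at most three digits, and a structured scrub does nothing about identifiers hiding in free-text notes. The following is an added example written for this article, not code from any HIPAA tool or vendor. The field names, the sample record, and the reference date are assumptions; the ZIP3 prefixes are the 17 sparsely populated prefixes published in HHS de-identification guidance from 2000 Census data and must be refreshed from current population figures before real use.

```python
"""Safe Harbor de-identification of a single patient record (added example).

Implements the rules in 45 CFR 164.514(b)(2) over a constructed record.
Schema field names are assumptions for illustration only.
"""
import re
from datetime import date

# Fields holding direct identifiers; each maps to a Safe Harbor category.
# The schema is an assumption for this example.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_plate", "device_serial", "url", "ip_address",
    "fingerprint_template", "photo_path",
}

# Date fields: Safe Harbor keeps only the year.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# ZIP3 prefixes covering 20,000 or fewer people, which must become "000".
# From HHS guidance (2000 Census); refresh from current data before use.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}

# Identifiers that commonly hide in free text. Deliberately simple patterns;
# a production scrubber would use a tuned PHI detector, not these regexes.
TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits, or '000' for a restricted prefix."""
    zip3 = zip_code[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_on(birth: date, reference: date) -> int:
    """Whole years between birth and the reference date."""
    age = reference.year - birth.year
    if (reference.month, reference.day) < (birth.month, birth.day):
        age -= 1
    return age


def find_text_identifiers(text: str) -> list:
    """Names of TEXT_PATTERNS categories that appear in the string."""
    return sorted(name for name, pat in TEXT_PATTERNS.items() if pat.search(text))


def safe_harbor(record: dict, reference_date: date) -> tuple:
    """Return (de-identified record, free-text leaks found).

    Free-text fields that still contain an identifier are dropped from the
    output and reported, because Safe Harbor fails on 'actual knowledge'
    that the remaining data could identify the person.
    """
    out, leaks = {}, {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = str(value.year)
        elif isinstance(value, str):
            found = find_text_identifiers(value)
            if found:
                leaks[key] = found
            else:
                out[key] = value
        else:
            out[key] = value
    if "birth_date" in record:
        age = age_on(record["birth_date"], reference_date)
        if age > 89:
            out.pop("birth_year", None)  # year alone would reveal age > 89
            out["age"] = "90+"
        else:
            out["age"] = age
    return out, leaks


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0001234",
    "ssn": "123-45-6789",
    "street": "1 Example Way",
    "city": "Anytown",
    "zip": "03601",
    "birth_date": date(1930, 6, 15),
    "admission_date": date(2024, 3, 2),
    "discharge_date": date(2024, 3, 9),
    "diagnosis": "Type 2 diabetes mellitus",
    "notes": "Pt requests callback at 555-867-5309 before next visit.",
    "gender": "F",
}
REFERENCE_DATE = date(2024, 7, 1)  # assumed date on which the scrub is run

if __name__ == "__main__":
    cleaned, found = safe_harbor(SAMPLE_RECORD, REFERENCE_DATE)
    print(cleaned)
    print("free-text leaks:", found)
```

Running it on the sample yields a record with only `zip3`, admission and discharge years, diagnosis, gender, and `age: "90+"`; the birth year is gone because the patient is over 89, the ZIP prefix `036` became `000`, and the notes field is reported as a leak rather than passed through. That last behaviour is the point: field-level removal satisfies the letter of the 18 categories, but the "no actual knowledge" clause means free text has to be inspected, not ignored.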
PHI in everyday work
PHI is easy to picture as a chart or a lab result, but it appears in many less obvious places. An appointment reminder that reveals a clinic's specialty, a voicemail confirming a prescription, a fax cover sheet, an email thread discussing a patient, an X-ray image, and even a sign-in sheet can all contain PHI. So can metadata and free-text notes within a system. Because the definition turns on whether information is individually identifiable and relates to health, care, or payment, staff should assume that anything tying a person to their care is PHI unless it has been properly de-identified. This mindset prevents the small, routine disclosures that account for many privacy complaints.
Minimum necessary and PHI
Recognizing PHI is the first step; handling it appropriately is the next. The Privacy Rule's minimum necessary standard requires organizations to limit the PHI they use, request, or disclose to what the task actually requires. Identifying which fields in a record are truly needed for a given purpose, and restricting the rest, reduces exposure without obstructing legitimate work. The standard does not apply to disclosures to, or requests by, a health care provider for treatment, or to uses and disclosures the individual has authorized, so role-based access rules should not block clinicians from the full record when treatment is the purpose. Classification and minimum necessary therefore reinforce each other: you cannot limit what you have not first identified.
Why classification matters
If you treat data as PHI when it is not, you may impose needless friction. If you fail to recognize PHI, you may expose sensitive information without the safeguards the law requires. Mapping where PHI lives, including paper files, voicemails, and backups, is a foundational step in any compliance program and a prerequisite for an accurate risk analysis.