What is PHI in HIPAA? Protected Health Information under HIPAA Explained

Protected Health Information (PHI) is at the core of the Health Insurance Portability and Accountability Act (HIPAA), a pivotal piece of legislation designed to safeguard patients' personal information. 

Dealing with PHI can pose challenges and concerns, such as the risk of unauthorized access or exposure. HIPAA sets the parameters for handling PHI to prevent these risks, defining PHI as any information in a medical record that can be used to identify an individual, and that has been created, used, or disclosed in the course of providing a health care service. 

In this article, we will provide a thorough understanding of what PHI entails under HIPAA, the importance of compliance, and the rights of patients regarding their health information.

What Is Protected Health Information Under HIPAA?

Protected Health Information (PHI) under HIPAA encompasses a variety of data points that pertain to a patient's health, treatment history, and payment details. It's crucial that this information is handled with strict confidentiality to safeguard individual privacy.

What Does PHI Stand For in HIPAA?

PHI stands for Protected Health Information. The term signifies any information about health status, provision of health care, or payment for health care that can be linked to an individual. This linkage makes the information identifiable, qualifying it as PHI under HIPAA.

HIPAA Definition of PHI

Under HIPAA, the definition of PHI covers all medical records and other individually identifiable health information, whether it is communicated electronically, on paper, or orally. HIPAA regulations specifically focus on information that might be used to identify a patient, known as identifiers, which include, but are not limited to:

  • Names
  • Geographical data (smaller than a state)
  • Dates (other than year) directly related to an individual
  • Phone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health insurance beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Finger or voiceprints
  • Full-face photographs

Examples of PHI:

  • Diagnostic information
  • Treatment records
  • Billing information related to healthcare services

HIPAA's Privacy Rule is mandated to protect PHI by establishing appropriate safeguards that covered entities and their business associates must comply with to prevent unauthorized access to personal health information. Covered entities include health plans, healthcare clearinghouses, and healthcare providers who electronically transmit any health information.

The Importance of Understanding What PHI Means in HIPAA

In the context of the Health Insurance Portability and Accountability Act (HIPAA), PHI stands for Protected Health Information. The thorough comprehension of PHI is critical for healthcare providers, patients, and any entity handling personal medical information.

PHI encompasses a wide array of information:

  • Health status
  • Provision of health care
  • Payment for health care
  • Individual identifiers (e.g., name, Social Security numbers)

The thorough knowledge of PHI is essential, as it enables covered entities and their business associates to:

  1. Recognize: Distinguish what is considered PHI to ensure proper handling.
  2. Protect: Implement suitable safeguards to prevent unauthorized access.
  3. Comply: Adhere to regulations, avoiding hefty penalties associated with non-compliance.

Healthcare professionals must understand that PHI isn't limited to medical records; it extends to any form that can be tied to an individual, such as insurance information and even conversational remarks.

Grasping the intricacies of PHI enables entities to:

  • Empower patients with their rights over their information.
  • Forge trust between healthcare providers and their patients.
  • Support transparency in healthcare operations.

Having a concrete understanding of PHI is indispensable in the healthcare ecosystem. It ensures the ethical handling of sensitive data and maintains the integrity of healthcare operations under the governance of HIPAA.

What Information Is Protected by HIPAA? 10 Examples of PHI Under HIPAA

Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) encompasses a wide range of identifiable information that pertains to an individual's health, healthcare services, or payment for healthcare that can be linked to a specific individual. The HIPAA Privacy Rule mandates that covered entities, such as healthcare providers, health plans, and healthcare clearinghouses, in addition to their business associates, ensure the confidentiality, integrity, and security of PHI.

Examples of PHI include, but are not limited to:

  1. Names: Full names or even last names in combination with other identifiers.
  2. Addresses: Anything more specific than state, including street address, city, county, precinct, and in most cases, zip code.
  3. Dates: Particularly those that are directly related to an individual, like birthdates, admission and discharge dates, and death dates.
  4. Phone Numbers: Individual's home, office, or mobile numbers.
  5. Fax Numbers: Used analogously with phone numbers as contact information.
  6. Email Addresses: Personal email addresses identifying an individual.
  7. Social Security Numbers: A primary identifier used across various official documents and records.
  8. Medical Record Numbers: Unique numbers assigned to individuals' health records.
  9. Health Insurance Beneficiary Numbers: Specific numbers assigned to individuals by their health insurers.
  10. Account Numbers: Related to any accounts the individual may have within a healthcare setting.

In addition to the above examples, photographic images and any unique identifying number, characteristic, or code, except the unique code assigned by the investigator to code the data, also constitute PHI when they can be used to identify an individual.

Therefore, covered entities are required by the HIPAA Privacy Rule to implement measures and policies that protect this information from unauthorized access or breaches. This includes ensuring that all forms of PHI — electronic, paper, and oral — are handled with the same level of care.

Who Is Subject to HIPAA’s Rules About PHI?

Entities that are subject to HIPAA's rules about Protected Health Information (PHI) are commonly known as "covered entities" and include a specific group of organizations and individuals that handle health-related information.

  • Health Plans: This category comprises various types of insurance plans that provide or pay for medical care, such as health, dental, vision, and prescription drug insurers, health maintenance organizations (HMOs), Medicare, Medicaid, and other government- and civilian-sponsored health programs.

  • Health Care Providers: Providers that transmit health information in electronic form in connection with a transaction for which the Department of Health and Human Services has adopted a standard are covered. This includes doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies.

  • Health Care Clearinghouses: These entities process health information received from another entity into a standard format or vice versa. They often act as an intermediary that translates data from a healthcare provider into a format required by insurers – and vice versa.

In addition to these primary groups, business associates of covered entities also need to comply with certain HIPAA rules. These are persons or organizations, outside the covered entity's workforce, that perform functions, or provide services, involving the use or disclosure of PHI. Business associates can include third-party administrators, billing companies, lawyers, accountants, IT providers, and other vendors who have access to PHI.

Entities that fall under these classifications must adhere to HIPAA’s robust privacy and security rules to ensure the confidentiality, integrity, and availability of PHI.

What Is Not Considered PHI Under HIPAA?

While Protected Health Information (PHI) is broadly defined under the Health Insurance Portability and Accountability Act (HIPAA), not all health-related information is considered PHI. For information to be classified as PHI, it must be created, transmitted, or maintained by a covered entity or its associates and must also relate to patient care or payment for healthcare services.

Here are specific examples of information not considered PHI:

  • De-identified Data: Information that has had all personal identifiers removed, making it impossible to link the data back to an individual.
    • Removing names, addresses, social security numbers
    • Masking images or any identifying number
  • Employment Records: Information an employer collects about employees in records kept by the employer is not PHI, even if it concerns health-related issues.
    • Employement records
    • Sick leave documentation
  • Education Records: Those covered by the Family Educational Rights and Privacy Act (FERPA) are also not considered PHI.

  • Data Not Handled by Covered Entities: Information someone holds about their health that has not been shared with a covered entity remains outside the scope of PHI.
    • Self-tracked health data (e.g. apps, fitness trackers)
    • Person health records not shared with a doctor

It's important to note that although this information on its own may not be classified as PHI, once it is combined with other health information in the hands of a covered entity or its associates, it may become PHI and therefore is subject to HIPAA regulations.

What Is Considered PHI Under HIPAA: Key Takeaways

Protected Health Information (PHI) constitutes a vital component under the Health Insurance Portability and Accountability Act (HIPAA). It is information that relates to the:

  • Health status
  • Provision of health care
  • Payment for health care

of an individual, and is held by a HIPAA-covered entity or its business associate. PHI includes a wide range of identifiers that can link the information to a specific individual. Crucially, this encompasses both mental and physical health records.

Covered entities include healthcare providers, health plans, and healthcare clearinghouses. Business associates are individuals or entities that perform certain functions or activities involving the use or disclosure of PHI on behalf of, or providing services to, a covered entity.

The following identifiers, when linked with health information, are considered PHI:

  1. Names
  2. Geographic identifiers (smaller than a state)
  3. Dates directly related to an individual
  4. Phone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health insurance beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plates
  13. Device identifiers and serial numbers
  14. Web Uniform Resource Locators (URLs)
  15. Internet Protocol (IP) addresses
  16. Biometric identifiers (finger, retinal prints)
  17. Full-face photographs and comparable images
  18. Any other unique identifying number or code

It's important to note that PHI extends to all forms of information—electronic, oral, and written.

The succinct identification of PHI helps ensure that healthcare providers and their associates safeguard patient information effectively, maintaining compliance with HIPAA regulations and preserving the confidentiality and integrity of patient healthcare data.


Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) is central to patient privacy and healthcare compliance, with specific regulations governing its use and protection.

How Is PHI Used in Healthcare?

PHI is used by healthcare providers to make informed decisions about patient care, treatment plans, and to coordinate care between multiple providers. It ensures continuity of care and supports healthcare administrative processes.

Who Can Access Information Under HIPAA?

Under HIPAA, access to PHI is permitted to individuals and entities covered by the act—primarily healthcare providers, payers, and clearinghouses. Patients also have rights to access their own health information.

What Is ePHI?

ePHI stands for Electronic Protected Health Information. It encompasses any PHI that is stored, transmitted, or accessed electronically, requiring additional technical safeguards under HIPAA to ensure its security.

What Are the 4 Types of PHI?

There are four broad categories of PHI:

  1. Individual identifiers (e.g., name, address)
  2. Descriptive health information (e.g., treatment details)
  3. Payment information related to healthcare
  4. Codes with health information (e.g., medical diagnosis codes)

PHI Has Been Defined in HIPAA by Which Government Agency?

PHI is defined by the Department of Health and Human Services (HHS), specifically through the Office for Civil Rights (OCR), which is responsible for enforcing HIPAA.

Is Billing Info Protected Under HIPAA?

Yes, billing information is considered PHI and is protected under HIPAA because it contains identifiers and details about healthcare services rendered.

Is Gender a HIPAA Identifier?

Gender is indeed considered an identifier under HIPAA, as it can be used in conjunction with other information to identify an individual's health records.

What Happens If Protected Health Information Gets Leaked?

If PHI is leaked, covered entities must follow breach notification rules set by HIPAA, which include notification to affected individuals, the HHS, and in some cases, to the media. Fines and penalties may be imposed depending on the severity and compliance with the rule.

What Is the Difference Between PII, PHI, and IIHA?

  • PII (Personally Identifiable Information): Any information about an individual that can be used on its own or with other information to identify, contact, or locate a single person.
  • PHI (Protected Health Information): Information related to an individual's health status, provision of healthcare, or payment for healthcare that can be linked to a specific individual.
  • IIHA (Individually Identifiable Health Information): Information that is a subset of health information, including demographic information, that can identify the individual or for which there is a reasonable basis to believe can be used to identify the individual.

Start automating your
healthcare workflows

Free trial account
Cancel anytime
Get started free