Protected health information (PHI) is any individually identifiable health information held by a healthcare provider, health insurer, or their partners. Under the HIPAA Privacy Rule, PHI covers information in any form, whether electronic, paper, or spoken aloud, that relates to a person’s past, present, or future health, the care they received, or how that care was paid for. For data to qualify as PHI, it must also identify the person or provide a reasonable basis for someone to figure out who they are.
What Makes Health Information “Protected”
Two conditions must both be true for health data to count as PHI. First, the information has to relate to someone’s physical or mental health, the healthcare they received, or payment for that care. Second, it has to be linkable to a specific person. A lab result showing high cholesterol, on its own, isn’t PHI. But attach a name, date of birth, or medical record number to that result, and it becomes PHI subject to HIPAA’s protections.
This definition is deliberately broad. It covers obvious items like doctor’s notes and prescriptions, but also billing records, insurance claims, appointment scheduling details, and even demographic data like your home address if it’s stored alongside health information. PHI also remains protected for 50 years after a person’s death.
The 18 Identifiers That Trigger HIPAA Protection
HIPAA specifies 18 types of identifiers. When any of these appear alongside health data, the information is PHI. The full list:
- Names
- Geographic data smaller than a state (street address, city, county, ZIP code)
- Dates directly related to a person (birth date, admission date, discharge date, death date), plus all ages over 89
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate or license numbers
- Vehicle identifiers (including license plates)
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers (fingerprints, voiceprints)
- Full-face photographs or comparable images
- Any other unique identifying number, characteristic, or code
That last catch-all category is important. It means that even a proprietary patient ID code created by a hospital counts as an identifier. If health data is linked to anything that could single out a specific person, HIPAA treats it as PHI.
Who Is Required to Protect PHI
HIPAA doesn’t apply to everyone who handles health data. It applies to “covered entities” and their “business associates.” Covered entities fall into three categories:
- Healthcare providers such as doctors, clinics, dentists, psychologists, chiropractors, nursing homes, and pharmacies, but only if they transmit information electronically in connection with standard transactions like insurance claims
- Health plans including insurance companies, HMOs, employer-sponsored health plans, and government programs like Medicare, Medicaid, and veterans’ health programs
- Healthcare clearinghouses, which are entities that convert nonstandard health data into standardized electronic formats
Business associates are companies or individuals that perform services for a covered entity and handle PHI in the process. Think billing companies, IT contractors, cloud storage providers, or law firms. A covered entity must have a written contract with each business associate that spells out how PHI will be protected. Business associates are directly liable for certain HIPAA violations, not just the covered entity that hired them.
What PHI Does Not Cover
Health-related data that sits outside the covered entity system is not PHI under HIPAA. Your fitness tracker data, the health information you voluntarily share on a social media platform, and the health records your employer keeps for workplace safety purposes are all outside HIPAA’s reach. Education records protected by FERPA (the federal student privacy law) are also excluded, even if they contain health information like immunization records or school nurse visit logs.
This distinction trips people up. If you use a consumer health app that isn’t connected to a healthcare provider or insurer, that app likely isn’t a covered entity and isn’t bound by HIPAA, regardless of how sensitive the data might be.
Electronic PHI (ePHI)
Electronic protected health information, or ePHI, is simply PHI that’s created, stored, transmitted, or received in digital form. This includes data in electronic medical records, emails between providers, insurance claims submitted online, and digital lab results. HIPAA’s Security Rule sets specific standards for protecting ePHI’s confidentiality, integrity, and availability, covering requirements like encryption, access controls, and audit trails. Paper records and verbal conversations fall under the broader Privacy Rule but not the Security Rule.
PHI vs. PII
Personally identifiable information (PII) is a broader category that includes any data capable of identifying a person, such as a name, address, or Social Security number. PHI is a subset: it’s PII that also involves health, healthcare, or healthcare payment information and is held by a covered entity. Your name and address on a retail loyalty card are PII but not PHI. That same name and address on a hospital billing record are both.
Your Rights Over Your PHI
HIPAA gives you a set of concrete rights regarding your own health information. Covered entities must comply with your right to:
- Access and copy your health records
- Request corrections to inaccurate information
- Receive a privacy notice explaining how your information may be used and shared
- Authorize or deny certain uses of your data, such as marketing
- Request restrictions on how a covered entity uses or discloses your information
- Get an accounting of disclosures, a report showing when and why your PHI was shared
These aren’t suggestions. Covered entities are legally required to honor these requests, though there are limited exceptions (for instance, psychotherapy notes may have different access rules).
How PHI Gets De-Identified
Once health data is properly de-identified, it’s no longer PHI and no longer subject to HIPAA restrictions. This is how researchers, public health agencies, and companies can work with large health datasets without violating privacy rules. HIPAA permits two methods for de-identification.
The Safe Harbor method requires stripping all 18 identifiers from the data and confirming that the remaining information couldn’t reasonably be used to identify anyone. There are some nuances: the first three digits of a ZIP code can remain if that ZIP code prefix covers more than 20,000 people, and years can stay as long as more specific date elements (month, day) are removed. Ages over 89 must be grouped into a single “90 or older” category.
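As an added illustration (not code from the original article), here is the Safe Harbor method applied to a constructed patient record in Python: direct identifiers from the 18-identifier list are dropped, the ZIP code keeps its three-digit prefix only when that prefix covers more than 20,000 people, dates keep only their year, and ages over 89 collapse to “90 or older”. The field names, the sample record and the ZIP3 population table are assumptions made for this example, and it goes one step beyond the text by also removing the birth year of a patient over 89, since that year alone would reveal the age.

```python
from datetime import date

# Direct identifiers removed outright. Field names are assumptions for this
# constructed record format; real pipelines map the full 18-identifier list.
DIRECT_IDENTIFIERS = {"name", "street", "city", "phone", "email", "ssn", "mrn", "ip"}


def safe_harbor_zip(zip_code: str, zip3_population: dict) -> str:
    """Keep the 3-digit prefix only if its combined population exceeds 20,000; else '000'."""
    prefix = zip_code[:3]
    return prefix if zip3_population.get(prefix, 0) > 20000 else "000"


def safe_harbor_date(d: date) -> str:
    """Reduce a date to its year; month and day are date elements that must go."""
    return str(d.year)


def safe_harbor_age(age: int) -> str:
    """Ages over 89 collapse into one category so the oldest patients cannot be singled out."""
    return "90 or older" if age > 89 else str(age)


def deidentify(record: dict, zip3_population: dict) -> dict:
    """Return a Safe Harbor de-identified copy of one patient record."""
    out = {}
    over_89 = record.get("age", 0) > 89
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field == "zip":
            out[field] = safe_harbor_zip(value, zip3_population)
        elif field == "birth_date" and over_89:
            continue  # even the bare birth year would reveal an age over 89
        elif isinstance(value, date):
            out[field] = safe_harbor_date(value)
        elif field == "age":
            out[field] = safe_harbor_age(value)
        else:
            out[field] = value
    return out


# Constructed sample record and constructed ZIP3 population table
# (a real implementation takes the population figures from Census data).
SAMPLE_RECORD = {
    "name": "Jane Example", "mrn": "MRN-0001", "phone": "555-0100",
    "zip": "02139", "birth_date": date(1931, 4, 2), "admission_date": date(2023, 11, 5),
    "age": 92, "diagnosis": "high cholesterol",
}
ZIP3_POPULATION = {"021": 650000, "036": 15000}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, ZIP3_POPULATION))
```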
The Expert Determination method uses a qualified statistician or data scientist who applies accepted scientific methods to assess whether the remaining data poses a very small risk of re-identification. The expert must document their methods and conclusions. This approach allows more data to be retained than Safe Harbor, but it requires specialized analysis and costs more to implement.