What Does PHI Stand For in Healthcare?

PHI stands for Protected Health Information. It’s a legal term from HIPAA (the Health Insurance Portability and Accountability Act) for individually identifiable health information, in any form or medium (electronic, paper, or spoken), that a covered entity or its business associate creates, receives, stores, or transmits. For data to qualify as PHI, it has to meet two conditions: it must relate to someone’s past, present, or future health, the care they received, or payment for that care, and it must include details that identify the person or could reasonably be used to identify them.

What Counts as Protected Health Information

PHI is broader than most people realize. It covers more than your diagnosis or medical history. Any information created or collected during healthcare that could identify you falls under the definition. That includes billing records, lab results, appointment notes, insurance claims, prescription records, and even conversations between your doctor and another provider about your care.

The identifying piece is critical. A dataset showing that 500 patients in a state had the flu last year isn’t PHI because no one can be singled out. But the moment a name, date of birth, or medical record number gets attached, the same information becomes PHI and triggers legal protections.

The 18 Identifiers That Make Health Data PHI

HIPAA’s Privacy Rule lists exactly 18 types of identifiers in its “Safe Harbor” de-identification standard. When any of these is linked to health information, the data is considered PHI:

  • Names
  • Geographic data smaller than a state (street address, city, county, precinct, ZIP code, and equivalent geocodes)
  • All elements of dates except the year for dates directly tied to a person (birth date, admission date, discharge date, death date), plus all ages over 89 and any date element, including the year, that would reveal such an age
  • Phone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate or license numbers
  • Vehicle identifiers (including license plates)
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Biometric identifiers (fingerprints, voiceprints)
  • Full-face photographs or comparable images
  • Any other unique identifying number, characteristic, or code

Removing all 18 identifiers is the “Safe Harbor” method of de-identification; to use it, the covered entity must also have no actual knowledge that the remaining data could still identify someone. The alternative is “expert determination,” in which a qualified statistician documents that the risk of re-identification is very small. Either way, once data is de-identified it is no longer PHI and HIPAA’s rules stop applying to it. Two details of Safe Harbor trip people up: dates must be reduced to the year alone (and not even that if it would reveal an age over 89), and a ZIP code may keep its first three digits only if all ZIP codes sharing those three digits together contain more than 20,000 people; otherwise the prefix must be changed to 000.
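To make the Safe Harbor rules concrete, here is an added example (not code from the original article or from HHS) that de-identifies a structured patient record in Python. The field names, the two constructed patient records, the reference date AS_OF, and the ZIP3_POPULATION table are all assumptions invented for the example; a real implementation would look up current Census figures and would map its own schema onto the 18 identifiers. The free-text scan at the end is there because removing structured fields is not enough: a phone number left inside a clinical note would give the organization actual knowledge that the data is still identifiable.

```python
import re
from datetime import date

# Constructed population table for three-digit ZIP areas. The real rule uses
# current Census Bureau figures; these two values are invented for the example.
ZIP3_POPULATION = {
    "021": 1_900_000,
    "036": 12_000,
}

# Structured fields this example treats as direct identifiers to drop outright.
# The field names are an assumption, not a HIPAA schema.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "plan_id", "account_no", "license_no", "plate", "device_serial",
    "url", "ip", "fingerprint", "photo_ref",
}

# Patterns suggesting an identifier survived inside free text. Safe Harbor also
# requires no actual knowledge that the remaining data identifies someone, so a
# phone number left in a clinical note defeats the whole exercise.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
}

AS_OF = date(2024, 6, 1)  # reference date for computing ages (assumption)


def age_on(dob: date, as_of: date) -> int:
    """Whole years between dob and as_of."""
    before_birthday = (as_of.month, as_of.day) < (dob.month, dob.day)
    return as_of.year - dob.year - before_birthday


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits only when the combined ZIP3 area holds more
    than 20,000 people; the rule requires 000 otherwise."""
    zip3 = zip_code[:3]
    return zip3 if ZIP3_POPULATION.get(zip3, 0) > 20_000 else "000"


def generalize_age(age: int) -> str:
    """Ages over 89 collapse into a single 90+ category."""
    return "90+" if age > 89 else str(age)


def scan_free_text(text: str) -> list:
    """Names of the identifier patterns that match inside free text."""
    return [name for name, pat in FREE_TEXT_PATTERNS.items() if pat.search(text)]


def deidentify(record: dict, as_of: date = AS_OF) -> dict:
    """Copy of record with the Safe Harbor identifiers removed or generalized.
    Raises ValueError if a free-text field still carries an identifier."""
    dob = record.get("dob")
    age = age_on(dob, as_of) if dob else record.get("age")
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key == "dob":
            if age > 89:          # even the birth year would reveal age > 89
                continue
            out[key] = str(value.year)
        elif key == "age":
            continue              # re-added below in generalized form
        elif key == "zip":
            out[key] = generalize_zip(value)
        elif isinstance(value, date):
            out[key] = str(value.year)   # other dates: year only
        elif isinstance(value, str):
            hits = scan_free_text(value)
            if hits:
                raise ValueError(f"identifier-like text in {key!r}: {hits}")
            out[key] = value
        else:
            out[key] = value
    if age is not None:
        out["age"] = generalize_age(age)
    return out


# Constructed records, not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Public",
    "dob": date(1931, 4, 2),
    "zip": "03601",
    "phone": "603-555-0142",
    "mrn": "MRN-0098231",
    "admitted": date(2023, 11, 14),
    "diagnosis": "J10.1",
    "notes": "Recovering well, follow up in two weeks.",
}
SAMPLE_RECORD_2 = {
    "name": "John Q. Public",
    "dob": date(1990, 1, 1),
    "email": "jqp@example.org",
    "zip": "02134",
    "visit": date(2024, 5, 3),
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD))
    print(deidentify(SAMPLE_RECORD_2))
```

Note how the first record loses its birth date entirely (a 93-year-old’s birth year would reveal an age over 89) and its ZIP prefix becomes 000 because the constructed 036 area is under the threshold, while the second record keeps the 021 prefix and the birth year.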

Who Is Required to Protect PHI

Not every organization that touches health data is bound by HIPAA. The law applies specifically to three types of “covered entities”: healthcare providers (doctors, hospitals, clinics, pharmacies, dentists, psychologists, nursing homes), health plans (insurance companies, HMOs, employer health plans, Medicare, Medicaid, veterans programs), and healthcare clearinghouses (organizations that process health data between providers and insurers).

Healthcare providers only count as covered entities if they transmit health information electronically in connection with a transaction for which HHS has adopted a standard, such as billing or insurance claims. A small practice that operates entirely on paper, in theory, falls outside HIPAA’s reach.

Beyond those three categories, any company hired by a covered entity to create, receive, maintain, or transmit PHI on its behalf is a “business associate” and must follow the same rules. Think cloud storage providers, billing companies, IT firms, and shredding services. A written business associate agreement must spell out how the business associate will protect the data, and business associates are directly liable for their own violations.

If an organization isn’t a covered entity or business associate, HIPAA doesn’t apply to it. This is why health data you enter into a fitness app, a wellness website, or a consumer DNA testing kit typically has no HIPAA protection at all.

Electronic PHI Has Extra Requirements

When PHI exists in digital form, it’s called ePHI, and HIPAA’s Security Rule adds a layer of specific safeguards. Organizations must run risk assessments to find vulnerabilities, designate a security official responsible for ePHI policies, and train every employee on data security practices.

On the technical side, they need access controls so only authorized people can view records, audit controls that log who accessed what and when, integrity controls to confirm data hasn’t been altered or destroyed, person or entity authentication for anyone requesting access, and transmission security for data sent over networks. Encryption is an “addressable” specification in the Security Rule: an organization that decides not to encrypt must document why and what equivalent measure it uses instead. A third set, physical safeguards, covers facility access, workstation use, and the handling of devices and media that store ePHI. These requirements exist because electronic records can be copied, transmitted, and stolen at a scale that paper records never could.
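The three technical safeguards most often implemented in application code are access control, audit controls, and integrity controls. The following added example (written for this page, not code from the article or from any HIPAA guidance) sketches all three around a tiny in-memory record store: a role check before every operation, an audit entry for every attempt including denials, and an HMAC-SHA256 tag over each record so that a modification made outside the store is caught on the next read. The role table, user names, the hard-coded INTEGRITY_KEY, and the sample record are assumptions made up for the example; a real deployment would keep the key in a KMS or HSM and write the audit log to tamper-evident storage rather than a Python list.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed key for the example only; a real deployment pulls this from a
# KMS or HSM and never hard-codes it.
INTEGRITY_KEY = b"example-key-not-for-production"

# Hypothetical role table: which actions each role may perform on ePHI.
ROLE_PERMISSIONS = {
    "clinician": {"read", "write"},
    "billing": {"read"},
    "janitorial": set(),
}


class IntegrityError(Exception):
    """Stored ePHI no longer matches its integrity tag."""


def canonical(record: dict) -> bytes:
    """Stable byte form of a record so the tag does not depend on key order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict) -> str:
    """HMAC-SHA256 tag over the canonical record."""
    return hmac.new(INTEGRITY_KEY, canonical(record), hashlib.sha256).hexdigest()


def verify(record: dict, tag: str) -> bool:
    """Constant-time comparison of the stored tag with a freshly computed one."""
    return hmac.compare_digest(seal(record), tag)


class AuditedStore:
    """Minimal ePHI store: role check, tamper check, and an audit entry for
    every attempt, successful or not."""

    def __init__(self):
        self.rows = {}        # mrn -> (record, tag)
        self.audit_log = []   # append-only list of access events

    def _audit(self, user, role, action, mrn, outcome):
        self.audit_log.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "action": action,
            "mrn": mrn, "outcome": outcome,
        })

    def _authorize(self, user, role, action, mrn):
        if action not in ROLE_PERMISSIONS.get(role, set()):
            self._audit(user, role, action, mrn, "denied")
            raise PermissionError(f"{user} ({role}) may not {action} {mrn}")

    def write(self, user, role, mrn, record):
        self._authorize(user, role, "write", mrn)
        self.rows[mrn] = (dict(record), seal(record))
        self._audit(user, role, "write", mrn, "ok")

    def read(self, user, role, mrn):
        self._authorize(user, role, "read", mrn)
        record, tag = self.rows[mrn]
        if not verify(record, tag):
            self._audit(user, role, "read", mrn, "integrity-failure")
            raise IntegrityError(f"record {mrn} was modified outside the store")
        self._audit(user, role, "read", mrn, "ok")
        return dict(record)


def demo() -> dict:
    """Exercise the three safeguards and return the outcomes for checking."""
    store = AuditedStore()
    sample = {"mrn": "MRN-0098231", "diagnosis": "J10.1"}  # constructed data
    store.write("dr_lee", "clinician", "MRN-0098231", sample)
    outcomes = {"read": store.read("clerk_ann", "billing", "MRN-0098231") == sample}
    try:
        store.read("temp_worker", "janitorial", "MRN-0098231")
        outcomes["denied"] = False
    except PermissionError:
        outcomes["denied"] = True
    # Simulate a tamper that bypasses the store, e.g. a direct database edit.
    record, _tag = store.rows["MRN-0098231"]
    record["diagnosis"] = "Z00.00"
    try:
        store.read("dr_lee", "clinician", "MRN-0098231")
        outcomes["tamper_detected"] = False
    except IntegrityError:
        outcomes["tamper_detected"] = True
    outcomes["audit_outcomes"] = [e["outcome"] for e in store.audit_log]
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The audit log records the denied read and the integrity failure as well as the successful operations, which is the point of an audit control: the entries an investigator needs most are the ones for attempts that did not succeed.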

What Happens When PHI Is Mishandled

HIPAA violations carry civil monetary penalties organized into four tiers based on how culpable the organization was. Using the 2024 inflation-adjusted figures, the penalty structure looks like this:

  • Tier 1, the entity did not know and could not reasonably have known of the violation: $141 to $71,162 per violation
  • Tier 2, reasonable cause but not willful neglect: $1,424 to $71,162 per violation
  • Tier 3, willful neglect corrected within 30 days: $14,232 to $71,162 per violation
  • Tier 4, willful neglect not corrected within 30 days: $71,162 to $2,134,831 per violation

A calendar-year cap of $2,134,831 applies to violations of an identical provision, regardless of tier. Separately, criminal penalties, including prison time, can apply to anyone who knowingly obtains or discloses PHI in violation of the law; those cases are prosecuted by the Department of Justice rather than handled by HHS.

Health Data That Isn’t PHI

Several categories of health-related information fall outside HIPAA’s definition. Employment records that a covered entity keeps in its role as an employer aren’t PHI, even if they contain health details like sick days or workers’ compensation claims. Educational records covered by the Family Educational Rights and Privacy Act (FERPA) are also excluded, which is why a school nurse’s records follow different rules than a hospital’s.

The biggest gap in coverage is consumer health data. The steps you log on your smartwatch, the symptoms you type into a health chatbot, the mental health app on your phone: none of this is PHI unless it’s collected by or shared with a HIPAA-covered entity or its business associate. You can share deeply sensitive health information with a tech company, and HIPAA offers zero protection for it. Other rules may still apply (the FTC’s Health Breach Notification Rule reaches some health apps, and states such as Washington have passed consumer health data laws), but HIPAA itself does not.

New Protections for Reproductive Health Records

A 2024 update to the HIPAA Privacy Rule, finalized in April 2024, added specific protections for reproductive healthcare PHI. Covered entities and their business associates are prohibited from disclosing PHI for the purpose of investigating or penalizing someone for seeking, obtaining, providing, or facilitating reproductive healthcare that was lawful where it was performed. They also cannot release PHI to help identify a person for such an investigation. When a request for PHI potentially related to reproductive care arrives for health oversight, judicial or administrative proceedings, law enforcement, or a coroner or medical examiner, the requester must sign an attestation that the PHI will not be used for a prohibited purpose.

The rule includes a presumption that reproductive care provided by someone other than the entity receiving the request was lawful, unless the entity has actual knowledge otherwise or receives factual evidence to the contrary. This change was designed to prevent medical records from being used as tools for enforcement in states with restrictive reproductive health laws. In June 2025, a federal district court in Texas (Purl v. HHS) vacated the reproductive health provisions of the rule nationwide, so check its current status before relying on it.