In healthcare, PHI stands for Protected Health Information. It refers to any health-related data that can be linked to a specific person, and it sits at the center of the privacy framework created by HIPAA, the Health Insurance Portability and Accountability Act of 1996. Understanding what counts as PHI matters because it determines what information about you is legally protected and who can access it.
What Qualifies as PHI
PHI isn’t just your medical diagnosis or lab results. It’s any piece of health information that’s connected to something that identifies you. A blood pressure reading on its own isn’t PHI. But that same reading attached to your name, date of birth, or medical record number becomes PHI and triggers legal protections.
HIPAA defines 18 specific identifiers that turn health data into PHI when they’re linked to information about a person’s health, treatment, or payment for care:
- Names
- Geographic data smaller than a state (street address, city, ZIP code)
- Dates directly related to an individual (birth date, admission date, discharge date, date of death), plus all ages over 89
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate or license numbers
- Vehicle identifiers and license plate numbers
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers (fingerprints, voiceprints)
- Full-face photographs
- Any other unique identifying number or code
If all 18 identifiers are stripped from health data, and there’s no reasonable way to trace it back to a person, the information is considered “de-identified” and no longer subject to HIPAA restrictions.
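The two rules above, "health data plus any identifier is PHI" and "strip the identifiers and it is de-identified", as an added example that is not from the article. The field names, the ISO date format and the sample record are assumptions made for this example; the year-only and "90 or older" generalizations are what the Safe Harbor method itself permits.

```python
# Added example (not from the article): a Safe Harbor style PHI check and scrub.
# Field names are assumptions for this example; dates are assumed "YYYY-MM-DD".
# The 18 identifier categories, minus dates and age, which are generalized
# rather than deleted (the last entry stands in for "any other unique code").
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "zip", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo", "other_unique_id",
}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "date_of_death"}
HEALTH_FIELDS = {"diagnosis", "blood_pressure", "lab_results", "prescription"}

def has_identifier(record):
    """True if any identifier category is present; age counts only above 89."""
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in DATE_FIELDS:
            return True
        if key == "age" and isinstance(value, int) and value > 89:
            return True
    return False

def is_phi(record):
    """Health data is PHI only once linked to an identifier: a lone blood
    pressure reading is not PHI, the same reading plus an MRN is."""
    has_health = any(key in HEALTH_FIELDS for key in record)
    return has_health and has_identifier(record)

def de_identify(record):
    """Copy the record with identifiers removed. Safe Harbor allows keeping the
    year of a date and an age bucket of 90 or older, so those are generalized;
    everything else on the identifier list is dropped."""
    cleaned = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key in DATE_FIELDS:
            cleaned[f"{key}_year"] = int(str(value)[:4])
        elif key == "age" and isinstance(value, int) and value > 89:
            cleaned["age"] = "90+"
        else:
            cleaned[key] = value
    return cleaned

# Constructed sample record; none of these values are real.
SAMPLE = {
    "name": "Jane Example", "mrn": "MRN-0001", "zip": "02139",
    "birth_date": "1931-04-02", "age": 94,
    "blood_pressure": "150/95", "diagnosis": "hypertension",
}
```

Running `is_phi(SAMPLE)` returns True, while `is_phi(de_identify(SAMPLE))` returns False because only the birth year, the "90+" bucket and the clinical values survive the scrub.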
PHI vs. PII
You’ll sometimes see PII, or Personally Identifiable Information, mentioned alongside PHI, and the two overlap but aren’t the same thing. PII is a broader category that covers any data that could identify a person, like a name, address, or Social Security number, regardless of context. PHI is specifically health information tied to an identifier. Your name on a mailing list is PII. Your name on a prescription record is PHI. The distinction matters because PHI is governed by HIPAA’s privacy and security rules, while PII alone is not.
Who Is Required to Protect PHI
HIPAA doesn’t apply to every organization that touches health data. It applies to “covered entities,” which fall into three categories: healthcare providers (doctors, clinics, dentists, pharmacies, nursing homes, psychologists) who transmit information electronically, health plans (insurance companies, HMOs, Medicare, Medicaid, employer-sponsored plans), and healthcare clearinghouses that process billing and claims data.
Beyond covered entities, HIPAA also reaches “business associates,” the companies and contractors that handle PHI on behalf of a covered entity. This includes IT vendors, billing services, cloud storage providers, and consultants. A covered entity must have a written agreement with each business associate specifying how PHI will be protected, and business associates are directly liable for compliance.
If an organization doesn’t fall into either category, HIPAA doesn’t apply to it. This is a bigger gap than most people realize.
What Doesn’t Count as PHI
Several types of health-related data fall outside HIPAA’s definition of PHI. Employment records that a covered entity maintains in its role as an employer are excluded, even if they contain health information like sick leave or workers’ compensation details. Education records covered by the Family Educational Rights and Privacy Act (FERPA) are also excluded.
Data from consumer fitness trackers, health apps, and wearable devices generally isn’t PHI either, as long as it stays between you and the app company. HIPAA only kicks in when wearable data is sent directly to a provider’s electronic health record system or otherwise flows through a covered entity or business associate. If you’re logging steps on a smartwatch and that data never reaches your doctor’s office, it has no HIPAA protection.
Penalties for Mishandling PHI
HIPAA violations carry civil penalties organized into four tiers based on the level of fault. Unknowing violations range from $100 to $50,000 per incident. Violations due to reasonable cause (the organization should have known better) start at $1,000 per incident. Willful neglect that gets corrected in time starts at $10,000. Willful neglect that goes uncorrected carries a flat $50,000 per violation, with annual maximums reaching $1.5 million for repeat offenses. Criminal penalties, including imprisonment, can apply in cases of deliberate misuse.
Recent Changes to PHI Protections
In 2024, HHS finalized a rule specifically addressing reproductive health information. The rule prohibited covered entities and business associates from disclosing PHI for the purpose of investigating or penalizing someone for seeking, obtaining, providing, or facilitating lawful reproductive healthcare. Under the rule, entities receiving requests for reproductive health records from law enforcement or courts would need a signed attestation confirming the request wasn’t for a prohibited purpose.
Most of that rule was vacated by a federal court order in June 2025. However, certain updates to the Notice of Privacy Practices, the document that explains how your health information is used, remain in effect, with a compliance deadline of February 2026. The legal landscape around reproductive health PHI continues to shift.