Protected health information (PHI) is any health-related data that can be tied to a specific person. A medical record with your name on it, a billing statement for a surgery, a lab result linked to your date of birth: all of these are examples of PHI. The key is that two elements must be present at the same time. There must be information about a person’s health, treatment, or payment for care, and there must be at least one piece of data that identifies who that person is.
What Makes Health Data “Protected”
Under HIPAA’s Privacy Rule, PHI is individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or by a business associate acting on its behalf. “Covered entity” means a health care provider (doctor’s office, hospital, pharmacy, clinic), a health plan (insurance company, HMO, Medicare, Medicaid), or a health care clearinghouse that processes claims. A business associate is a vendor (billing service, cloud host, analytics firm) that handles PHI for one of them.
The definition is deliberately broad. It covers information about a person’s past, present, or future physical or mental health condition, the care they received, and how that care was or will be paid for. It applies whether the information is stored electronically, written on paper, or spoken aloud.
The 18 Identifiers That Create PHI
Health data becomes PHI when it’s paired with any of 18 specific identifiers listed in the HIPAA Safe Harbor standard. Remove all 18 (and have no actual knowledge that what remains could still identify someone), and the data is considered de-identified and no longer protected. Leave even one attached to health information, and it qualifies as PHI. The full list:
- Names
- Geographic data smaller than a state (street address, city, county, ZIP code)
- Dates related to the individual (birth date, admission date, discharge date, death date, and all ages over 89)
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate or license numbers
- Vehicle identifiers and license plate numbers
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers (fingerprints, voiceprints)
- Full-face photographs or comparable images
- Any other unique identifying number, characteristic, or code
That last category is a catch-all. It covers things like patient ID codes assigned by a hospital system or any other number that could link back to a single person.
Concrete Examples of PHI
If you’re looking at a multiple-choice question or trying to identify PHI in a real workplace scenario, these are clear-cut examples:
- A radiology report with a patient’s name and date of birth
- A hospital billing record that includes a diagnosis code and the patient’s address
- An insurance claim form listing a procedure, the patient’s health plan number, and their Social Security number
- A therapist’s session notes stored in an electronic health record
- A prescription label from a pharmacy (it contains the patient’s name, the medication, and often an address)
- An appointment reminder sent by text that includes the patient’s name and the reason for the visit
Even something that seems purely administrative, like a scheduling system, becomes PHI the moment it links a patient’s name to the fact that they’re receiving care. The health connection doesn’t have to be a diagnosis. Simply confirming that a named individual is a patient at a facility counts.
What Does Not Count as PHI
Health data stripped of all 18 identifiers is not PHI. A spreadsheet of blood pressure readings with no names, dates, or other identifying details attached is just health data, not protected health information.
There are also important structural exceptions. Education records covered by FERPA, including student health records held by schools and universities that receive Department of Education funding, fall under that law instead and are not treated as PHI. Employment records, even those containing health information like a workers’ compensation file, are excluded when a covered entity holds them in its role as employer rather than as a health care provider.
Research data can also fall outside HIPAA’s reach when the researcher is not acting as a covered entity or business associate. If a researcher collects health-related information directly from study participants, and it never enters a medical record and isn’t derived from a health care service event, it’s not PHI under HIPAA, though other privacy rules (such as IRB and Common Rule requirements) still apply. Aggregated data sets and research-only diagnostic tests whose results never go into a patient chart are common examples.
How PHI Differs From PII
Personally identifiable information (PII) is any data that can identify someone: a name, phone number, Social Security number. PHI is a subset of PII that specifically involves a health, treatment, or payment connection held by a covered entity. Your name and phone number on a mailing list is PII. Your name and phone number in a hospital’s electronic health record is PHI, because it sits alongside your medical data.
This distinction has a practical twist. When personally identifiable information is added to the same record set as health information, it assumes the same protections as PHI. If a hospital adds a patient’s spouse’s name and phone number to the electronic health record for post-discharge coordination, that contact information becomes PHI even though it doesn’t describe anyone’s medical condition. Before it was added to the health record, it was just PII.
Health Apps and Wearable Devices
Data from consumer fitness trackers and health apps generally is not PHI, because those companies are not HIPAA-covered entities or business associates. Your step count on a Fitbit or heart rate data in a standalone wellness app falls outside HIPAA’s scope, regardless of how sensitive it feels. That doesn’t make it unregulated: the FTC’s Health Breach Notification Rule and state privacy laws can still apply, but the HIPAA label does not.
The situation changes when a covered entity is involved. If a health clinic offers its own diabetes management app where patients log glucose levels and insulin doses, the data transmitted through that app is PHI. The patient’s use of the app relates to their health condition, and any identifying information collected by the app (name, phone number, device ID, IP address) pairs with that health data to meet the definition. The same logic applies to patient portals, online bill-pay systems, and telehealth platforms operated by or on behalf of a covered entity.
How Data Becomes De-identified
HIPAA allows two paths to strip PHI of its protected status. The Safe Harbor method requires removing all 18 identifiers listed above, with no actual knowledge that the remaining data could identify someone. The Expert Determination method allows a person with appropriate statistical and scientific expertise to analyze the data, certify that the risk of re-identification is very small, and document the methods and results behind that conclusion. Once data is properly de-identified by either method, HIPAA restrictions no longer apply to it, and it can be shared for research, analytics, or other purposes (other laws or contracts may still restrict it, but HIPAA does not).
For dates, the Safe Harbor standard allows the year to remain but requires removal of the month and day. Ages over 89 must be grouped into a single “90 or older” category, and any date element that would reveal such an age, including the year of birth, must be removed. For ZIP codes, only the first three digits may be kept, and only if the area formed by all ZIP codes sharing those three digits has a population of more than 20,000 people according to current Census data; for areas with 20,000 or fewer people, the three digits must be changed to 000.
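The mechanical parts of the Safe Harbor method (dropping the listed identifier fields, keeping only the year of dates, bucketing ages of 90 and above and removing the birth year that would reveal them, truncating ZIP codes to three digits or 000) can be expressed as a small transformation over a record. The example below is added here and is not HHS code or part of any regulation; the field names, the three-digit ZIP population table, and the sample record are all constructed for illustration, and the population figures are made up. It also scrubs obvious SSN, email and phone patterns out of a free-text notes field, which is a guard against careless leakage, not a substitute for the “no actual knowledge” judgement: names, nicknames and rare conditions in free text will not be caught by a regular expression.

```python
"""Safe Harbor de-identification of a constructed patient record (added example)."""
import re
from datetime import date

# Direct identifiers to drop outright. Field names are assumed for this
# example; map them onto your own schema.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_plate", "device_serial", "url", "ip_address",
    "fingerprint_hash", "photo",
}

# Dates directly related to the individual: keep the year only.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}

# Constructed population table for three-digit ZIP areas. The real rule uses
# current Census data; these numbers are made up for the example.
ZIP3_POPULATION = {"021": 1_200_000, "036": 15_000, "900": 2_500_000}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
PHONE_RE = re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")


def generalize_zip(zip_code: str) -> str:
    """Keep the three-digit prefix only if its area has more than 20,000 people.
    An unknown prefix is treated as small and becomes 000 (conservative choice)."""
    prefix = zip_code.strip()[:3]
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20_000 else "000"


def generalize_date(value: str) -> str:
    """Reduce an ISO date (YYYY-MM-DD) to its year."""
    return str(date.fromisoformat(value).year)


def bucket_age(age: int):
    """Ages over 89 collapse into the single '90 or older' category."""
    return "90 or older" if age >= 90 else age


def age_on(dob: date, as_of: date) -> int:
    """Whole years between a birth date and a reference date."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def scrub_text(text: str) -> str:
    """Replace identifier-looking patterns in free text with placeholder tokens."""
    for token, pattern in (("[SSN]", SSN_RE), ("[EMAIL]", EMAIL_RE), ("[PHONE]", PHONE_RE)):
        text = pattern.sub(token, text)
    return text


def safe_harbor(record: dict, as_of: date) -> dict:
    """Return a copy of `record` with the Safe Harbor transformations applied."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                      # drop the identifier entirely
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key in DATE_FIELDS:
            out[key] = generalize_date(value)
        elif key == "notes":
            out[key] = scrub_text(value)
        else:
            out[key] = value
    if "dob" in record:
        age = age_on(date.fromisoformat(record["dob"]), as_of)
        out["age"] = bucket_age(age)
        if age >= 90:
            out.pop("dob")                # the birth year alone would reveal an age over 89
    return out


# Constructed sample record; every value is fictional.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "mrn": "MRN-00012345",
    "dob": "1931-03-15",
    "admission_date": "2023-11-02",
    "zip": "03601",
    "email": "jane@example.org",
    "diagnosis_code": "E11.9",
    "systolic_bp": 142,
    "notes": "Patient can be reached at 555-123-4567 or jane@example.org.",
}

if __name__ == "__main__":
    print(safe_harbor(SAMPLE_RECORD, date(2024, 1, 1)))
```

Run against the sample, the output keeps the diagnosis code and blood pressure, reduces the admission date to 2023, turns ZIP 03601 into 000 because its (constructed) three-digit area is under 20,000 people, drops the birth date and reports the age as “90 or older”, and replaces the phone number and email in the notes with placeholders. The unknown-prefix-to-000 default and the regex scrub are design choices for this example, not requirements of the rule.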