Protected Health Information (PHI) is the core concept at the heart of HIPAA. Every rule, safeguard, and compliance requirement exists to protect PHI from unauthorized access, use, and disclosure. Yet many healthcare organizations and their business associates struggle to consistently identify what qualifies as PHI, where it resides in their operations, and how to handle it properly. Misunderstanding PHI leads to accidental exposures, compliance gaps, and costly enforcement actions.
This guide explains what PHI is, lists the 18 identifiers that make health information identifiable, distinguishes between ePHI and paper PHI, covers de-identification methods, and provides real-world examples that make these concepts concrete. Whether you are new to HIPAA or need a clear reference for your compliance team, this article delivers the practical knowledge you need.
What Is Protected Health Information?
The Three-Part Definition
Under HIPAA, Protected Health Information is any information that meets all three of these criteria:
- It relates to health — The information concerns an individual’s past, present, or future physical or mental health condition, the provision of healthcare to the individual, or the past, present, or future payment for healthcare
- It identifies the individual — The information identifies the individual or provides a reasonable basis to believe the individual can be identified
- It is held or transmitted by a covered entity or business associate — The information is created, received, maintained, or transmitted by an organization subject to HIPAA
All three criteria must be present. Health information that cannot be linked to an individual is not PHI. Information that identifies a person but has nothing to do with health is not PHI. And individually identifiable health information held by an organization not covered by HIPAA (such as a fitness app company that is not a covered entity or business associate) does not fall under HIPAA’s PHI definition, though other privacy laws may apply.
What PHI Includes
PHI encompasses a broad range of data that many organizations underestimate:
- Medical records — Diagnoses, treatment plans, test results, clinical notes, imaging reports
- Billing and payment information — Claims data, explanation of benefits, payment histories, account balances
- Insurance information — Health plan enrollment records, eligibility decisions, beneficiary identifiers
- Communication records — Appointment reminders, prescription notices, referral letters, patient correspondence
- Demographic data linked to health — Name, address, date of birth, and Social Security number when linked with healthcare services
- Photographs and recordings — Images, video, or audio that identify a patient in a healthcare context
The scope of PHI extends to any medium: electronic, paper, and oral. A conversation between two nurses about a patient’s diagnosis in a hospital hallway involves PHI just as much as an electronic health record entry.
The 18 HIPAA Identifiers
Complete List
The HIPAA Privacy Rule specifies 18 types of identifiers that, when linked with health information, make that information identifiable and therefore protected. These 18 identifiers are central to the Safe Harbor de-identification method:
- Names — Full name, last name, first name, or initials
- Geographic data — Street address, city, county, precinct, ZIP code (including the first three digits when they cover an area of fewer than 20,000 people), and equivalent geocodes
- Dates — All dates directly related to an individual (birth date, admission date, discharge date, death date), and all ages over 89
- Phone numbers — All telephone numbers
- Fax numbers — All fax numbers
- Email addresses — All email addresses
- Social Security numbers — Full or partial SSN
- Medical record numbers — Identifiers assigned by healthcare providers
- Health plan beneficiary numbers — Insurance ID numbers
- Account numbers — Financial account numbers linked with healthcare
- Certificate/license numbers — Professional or other certificate and license numbers
- Vehicle identifiers — Vehicle identification numbers, license plate numbers
- Device identifiers — Serial numbers of medical devices or other devices linked to the person
- Web URLs — Personal web addresses
- IP addresses — Internet Protocol addresses
- Biometric identifiers — Fingerprints, voiceprints, retinal scans
- Full-face photographs — Full-face photographic images and comparable images
- Any other unique identifying number, characteristic, or code — Catch-all for identifiers not listed above
Why These 18 Matter
These identifiers are the building blocks of individual identity. Even one identifier, when combined with health information, creates PHI. Organizations must understand that the presence of any single identifier alongside health data triggers HIPAA protections. A spreadsheet containing only diagnosis codes is not PHI, but adding a column with patient names, medical record numbers, or dates of birth immediately transforms it into PHI subject to the full set of HIPAA compliance requirements.
ePHI vs. Paper PHI
Electronic Protected Health Information (ePHI)
ePHI is PHI that is created, received, maintained, or transmitted in electronic form. The HIPAA Security Rule applies specifically to ePHI and requires administrative, physical, and technical safeguards for its protection.
ePHI exists in many forms beyond traditional databases:
- EHR systems — The most obvious repository of ePHI
- Email — Messages containing patient information
- Text messages — SMS and messaging app communications about patients
- Cloud storage — Files stored in cloud platforms
- Portable media — USB drives, external hard drives, CDs, DVDs
- Mobile devices — Smartphones, tablets, and laptops containing patient data
- Medical devices — Equipment that stores or transmits patient data
- Backup tapes and disks — Copies of systems containing ePHI
- Fax server logs — Electronic records of faxed PHI
- Voicemail systems — Digital recordings containing patient information
Paper PHI
Paper PHI includes printed medical records, handwritten notes, prescription pads, printed lab results, faxes, insurance forms, and any other physical record containing identifiable health information. While the Security Rule does not apply to paper records, the Privacy Rule does. Organizations must implement physical safeguards for paper PHI:
- Secure storage — Locked file cabinets and restricted access areas for records
- Controlled access — Limiting who can access paper records based on job function
- Proper disposal — Shredding or other destruction methods that render records unreadable
- Transport security — Protecting paper PHI during transport between locations
Oral PHI
PHI communicated verbally is also protected under the Privacy Rule. While HIPAA does not require soundproofing every room, organizations must take reasonable safeguards to limit incidental disclosures during oral communications. Practical measures include holding sensitive conversations in private areas, avoiding patient discussions in public spaces, and using sign-in sheets that do not expose the reason for a patient’s visit.
De-identification Methods
Safe Harbor Method
The Safe Harbor method provides a straightforward path to de-identification. Remove all 18 identifiers listed above, and the organization must have no actual knowledge that the remaining information could identify an individual. Once properly de-identified under Safe Harbor, the data is no longer PHI and is not subject to HIPAA requirements.
Organizations frequently use Safe Harbor de-identification for:
- Research datasets — Providing health data for studies without exposing patient identity
- Analytics and reporting — Generating operational insights from patient data
- Training and testing — Using realistic data for system testing and team training
- Public reporting — Sharing aggregate health statistics
The challenge with Safe Harbor is that removing all 18 identifiers can greatly reduce the utility of the data. Dates, geographic data, and age information are often key for research and analytics. Organizations must balance data utility with privacy protection.
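As an added illustration (not code from the original guide or from One Guy Consulting), the following Python sketch applies the Safe Harbor transformations to a constructed patient record: it drops direct-identifier fields, reduces dates to the year, pools ages over 89 into a single 90+ category (and removes a birth year that would reveal such an age, which the rule also requires), keeps only the first three digits of a ZIP code (replaced by 000 for prefixes assumed to cover fewer than 20,000 people), and scrubs identifier-shaped values hiding in free-text notes. It also covers the spreadsheet point made under "Why These 18 Matter": a column check that reports which columns turn a table of diagnosis codes into PHI. The field names, regular expressions, low-population prefix set and sample record are all assumptions constructed for this example.

```python
"""Safe Harbor de-identification of a constructed patient record.

Added example, not part of the original guide. Field names, patterns,
the low-population ZIP prefix set and the sample record are assumptions.
"""
import re

# Columns carrying a direct identifier from the Safe Harbor list (names,
# contact data, SSN, MRN, plan/account numbers, licences, VINs, device
# serials, URLs, IPs, biometrics, photos). Constructed column names.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "beneficiary_id", "account_number", "license_number", "vin",
    "device_serial", "url", "ip_address", "biometric_id", "photo_ref",
}

# Quasi-identifiers that are generalised rather than dropped outright.
GENERALIZED_FIELDS = {"zip", "age"}

# Identifier-shaped strings that tend to hide inside free-text notes.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}

# Assumed three-digit ZIP prefixes whose combined area holds fewer than
# 20,000 people; Safe Harbor requires those prefixes to be reported as 000.
LOW_POPULATION_ZIP3 = {"036", "059", "102"}


def identifier_columns(columns):
    """Return the columns that would make a health-data table identifiable."""
    return {
        c for c in columns
        if c in DIRECT_IDENTIFIER_FIELDS
        or c in GENERALIZED_FIELDS
        or c.endswith("_date")
    }


def generalize_date(value):
    """Safe Harbor allows the year only; month and day are removed."""
    return value[:4]


def generalize_age(age):
    """Ages over 89 are pooled into a single '90+' category."""
    return "90+" if age > 89 else str(age)


def generalize_zip(zip_code):
    """Keep the first three digits unless the prefix area is too small."""
    prefix = zip_code[:3]
    return "000" if prefix in LOW_POPULATION_ZIP3 else prefix


def scrub_text(text):
    """Replace identifier-shaped substrings in free text with a marker."""
    for label, pattern in FREE_TEXT_PATTERNS.items():
        text = pattern.sub(f"[{label.upper()} REMOVED]", text)
    return text


def safe_harbor(record):
    """Apply the Safe Harbor transformations field by field."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                      # direct identifier: drop it
        if key.endswith("_date"):
            out[key[:-5] + "_year"] = generalize_date(value)
        elif key == "age":
            out[key] = generalize_age(value)
        elif key == "zip":
            out["zip3"] = generalize_zip(value)
        elif isinstance(value, str):
            out[key] = scrub_text(value)  # catch identifiers in notes
        else:
            out[key] = value
    # A birth year that reveals an age over 89 must be aggregated too.
    if record.get("age", 0) > 89:
        out.pop("birth_year", None)
    return out


# Constructed sample record; every value is fictional.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0012345",
    "birth_date": "1931-05-14",
    "age": 92,
    "zip": "03601",
    "admission_date": "2024-02-03",
    "diagnosis_code": "J10.1",
    "clinical_note": "Pt called from 555-123-4567; follow-up on 2024-02-10.",
}

if __name__ == "__main__":
    print(identifier_columns(["diagnosis_code", "name", "birth_date"]))
    print(safe_harbor(SAMPLE_RECORD))
```

The free-text scrub is the part that most often gets skipped in practice: structured columns are easy to drop, but clinical notes routinely carry phone numbers and dates, and a record is only de-identified if those are handled as well. The "no actual knowledge" condition from the text is a judgement call that no script can make for you.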
Expert Determination Method
The Expert Determination method offers more flexibility. A qualified statistical expert applies statistical and scientific principles to determine that the risk of identifying any individual from the dataset is “very small.” The expert must document the methods and results of the analysis.
This method allows retention of certain identifiers (such as partial dates or broader geographic regions) when the expert concludes that the combination of remaining data elements does not create a meaningful re-identification risk. Expert Determination is more complex and costly than Safe Harbor but produces de-identified datasets that retain greater analytical value.
Limited Data Sets
A limited data set falls between full PHI and fully de-identified data. It removes direct identifiers (names, addresses, Social Security numbers, etc.) but may retain certain indirect identifiers such as dates, city, state, and ZIP code. Limited data sets may be used for research, public health activities, and healthcare operations — but only under a data use agreement that restricts how the recipient may use and disclose the information.
Limited data sets are still subject to some HIPAA protections, unlike fully de-identified data. Organizations considering this approach should understand the specific data use agreement requirements and permitted uses.
The Minimum Necessary Standard
How It Applies to PHI
The minimum necessary standard requires covered entities to limit PHI access, use, and disclosure to the minimum amount needed to accomplish the intended purpose. This principle shapes how organizations design access controls, respond to information requests, and structure their data sharing practices.
Applying minimum necessary requires organizations to:
- Define role-based access — Determine what PHI categories each team role needs and restrict access accordingly
- Limit routine disclosures — Create standard protocols for common sharing scenarios that specify the minimum PHI to release
- Evaluate non-routine requests — Review individual requests that fall outside standard protocols on a case-by-case basis
- Restrict internal access — Ensure that team members can access only the PHI needed for their specific job functions
Exceptions to Minimum Necessary
The minimum necessary standard does not apply to:
- Disclosures to or requests by a provider for treatment
- Disclosures to the individual who is the subject of the PHI
- Uses or disclosures made pursuant to a valid authorization
- Disclosures to HHS for compliance enforcement
- Uses or disclosures required by law
Treatment is the most significant exception. Healthcare providers need complete patient information to deliver safe, effective care, and the Privacy Rule recognizes that limiting treatment access could compromise patient outcomes.
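To make the four minimum necessary practices above and the exceptions in this section concrete, here is an added Python example (not code from the guide or from One Guy Consulting) that releases only the fields a role needs for a routine purpose, holds back non-routine requests for human review, and releases the full record for the exempt purposes (treatment, disclosure to the individual, a valid authorization, HHS enforcement, and uses required by law). The roles, field names, purpose labels and sample record are assumptions constructed for the example; a real role matrix comes from the organization's own job-function analysis.

```python
"""Minimum-necessary release of a PHI record by role and purpose.

Added example, not from the original guide. Roles, field names,
purpose labels and the sample record are assumptions.
"""
from dataclasses import dataclass, field

# Constructed role-to-field matrix: the PHI each job function needs.
ROLE_FIELDS = {
    "billing_clerk": {"mrn", "name", "insurance_id", "procedure_codes", "balance"},
    "scheduler": {"mrn", "name", "phone", "next_appointment"},
    "quality_analyst": {"diagnosis_codes", "procedure_codes"},
}

# Purposes the Privacy Rule exempts from the minimum necessary standard.
EXEMPT_PURPOSES = {
    "treatment", "disclosure_to_individual", "valid_authorization",
    "hhs_enforcement", "required_by_law",
}

# Routine purposes with a standing protocol; anything else is non-routine
# and is reviewed case by case instead of being released automatically.
ROUTINE_PURPOSES = {"payment", "healthcare_operations"}


@dataclass
class Release:
    """What was released, what was held back, and why."""
    released: dict
    withheld: set = field(default_factory=set)
    exempt: bool = False
    needs_review: bool = False


def minimum_necessary(record, role, purpose):
    """Return the subset of `record` that `role` may receive for `purpose`."""
    if purpose in EXEMPT_PURPOSES:
        # Treatment and the other exemptions: the whole record is released.
        return Release(released=dict(record), exempt=True)
    if purpose not in ROUTINE_PURPOSES:
        # Non-routine request: release nothing until a human has reviewed it.
        return Release(released={}, withheld=set(record), needs_review=True)
    allowed = ROLE_FIELDS.get(role, set())      # unknown role gets nothing
    released = {k: v for k, v in record.items() if k in allowed}
    return Release(released=released, withheld=set(record) - allowed)


# Constructed sample record; every value is fictional.
SAMPLE_RECORD = {
    "mrn": "MRN-0012345",
    "name": "Jane Q. Sample",
    "phone": "555-123-4567",
    "insurance_id": "HP-77-0001",
    "diagnosis_codes": ["J10.1"],
    "procedure_codes": ["99213"],
    "balance": 120.00,
    "next_appointment": "2024-03-01",
    "clinical_notes": "constructed note text",
}

if __name__ == "__main__":
    for role, purpose in [("billing_clerk", "payment"),
                          ("quality_analyst", "healthcare_operations"),
                          ("scheduler", "treatment"),
                          ("scheduler", "attorney_request")]:
        print(role, purpose, minimum_necessary(SAMPLE_RECORD, role, purpose))
```

Keeping the withheld set on the result is deliberate: logging which fields were held back for which role gives you the evidence trail that the minimum necessary policy is actually being applied, and a sudden growth in exempt releases from a non-clinical role is a useful signal to investigate.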
Real-World PHI Examples
What IS PHI
Understanding PHI becomes clearer with concrete examples:
- A patient’s name on a lab result — Name (identifier) + health information = PHI
- An insurance claim with a diagnosis code and member ID — Health plan beneficiary number + health information = PHI
- An email from a doctor to a specialist containing a patient’s medical history and date of birth — Name, date of birth + health information = PHI
- A photograph of a patient’s wound with their face visible — Full-face photograph + health information = PHI
- A billing statement sent to a patient’s home address — Name, address + payment information for healthcare = PHI
- A voicemail from a pharmacy confirming a prescription with the patient’s name — Name + prescription information = PHI
What Is NOT PHI
Equally important is understanding what does not qualify as PHI:
- Aggregate hospital statistics — “500 patients treated for influenza in January” without individual identifiers is not PHI
- De-identified data — Health information with all 18 identifiers properly removed is no longer PHI
- Employment records — Health information in employment records held by a covered entity in its capacity as an employer is not PHI (though other laws may apply)
- Education records — Health information in education records covered by FERPA is excluded from HIPAA
- Health data from non-covered entities — Information from fitness trackers, health apps, or other sources not connected to a covered entity or business associate is usually not HIPAA-regulated PHI
Common PHI Mistakes
Organizations frequently stumble in these areas:
- Scheduling boards — Whiteboards in common areas showing patient names and procedures
- Unencrypted email — Sending PHI via standard email without encryption
- Social media — Staff posting about patient cases, even without names, when details could identify the individual
- Disposal failures — Throwing paper records in regular trash or donating computers without wiping drives
- Verbal disclosures — Discussing patient cases in elevators, cafeterias, or other public areas where they can be overheard
Each of these scenarios represents a possible HIPAA breach. Organizations should address them through clear policies, regular training, and monitoring. A complete HIPAA risk assessment will identify these weak spots in your specific environment.
PHI FAQ
Is a patient’s name alone considered PHI?
A patient’s name by itself is not PHI. It becomes PHI when it is linked with health information — such as a diagnosis, treatment record, or payment for healthcare services — and is held by a covered entity or business associate. A name on a general mailing list, for example, is not PHI unless it is linked to health-related data.
Does PHI include information about deceased people?
Yes. PHI protections apply to deceased individuals for 50 years following the date of death. Covered entities must protect the health information of deceased patients with the same safeguards applied to living patients during this period.
Is a medical record number considered PHI even without other information?
A medical record number is one of the 18 HIPAA identifiers. When it appears in a healthcare context — which it inherently does, since it is assigned by a healthcare provider — it can be used to identify an individual and link them to health information. Medical record numbers should always be treated as PHI.
What is the difference between PHI and PII?
PHI (Protected Health Information) is health-related information that identifies an individual and is held by a HIPAA-covered entity or business associate. PII (Personally Identifiable Information) is a broader concept used in other privacy frameworks that refers to any information that can identify an individual, regardless of whether it relates to health. All PHI contains PII elements, but not all PII is PHI. For more on HIPAA’s scope, see our What is HIPAA article.
Can PHI be shared for marketing purposes?
PHI may be used for marketing only with the individual’s written authorization, with limited exceptions. Covered entities may use PHI without authorization for face-to-face marketing communications and for promotional gifts of nominal value. Any marketing communication that involves remuneration from a third party to the covered entity requires authorization. The Privacy Rule contains detailed rules for marketing-related uses of PHI.
PHI Guide Takeaways
Protected Health Information is the foundation of every HIPAA rule. Organizations that clearly understand what PHI is, where it exists in their operations, and how to handle it properly build compliance programs on solid ground. Those that rely on vague assumptions about PHI inevitably create gaps that lead to breaches, enforcement actions, and erosion of patient trust.
From the 18 identifiers that define identifiability to the practical differences between ePHI and paper records, from de-identification methods to the minimum necessary standard, every concept in this guide translates directly into compliance decisions your organization makes every day. Make those decisions informed ones.
One Guy Consulting provides the tools, templates, and expert guidance organizations need to protect PHI effectively. Our policy library includes ready-to-implement PHI handling procedures, and our HIPAA compliance guide places PHI protection in the context of a complete compliance program. Contact us to ensure your organization understands and protects the information that matters most: your patients’ health data.