Protected health information (PHI) is the core concept at the heart of HIPAA. Every rule, safeguard, and compliance requirement exists to protect PHI from unauthorized access, use, and disclosure. Yet many healthcare organizations and their business associates struggle to consistently identify what qualifies as PHI, where it resides in their operations, and how to handle it properly. Misunderstanding PHI leads to accidental exposures, compliance gaps, and costly enforcement actions.

This guide explains what PHI is, lists the 18 identifiers that make health information identifiable, distinguishes between ePHI and paper PHI, covers de-identification methods, and provides real-world examples that make these concepts concrete. Whether you are new to HIPAA or need a clear reference for your compliance team, this article delivers the practical knowledge you need.

What Is Protected Health Information?

The Three-Part Definition

Under HIPAA, protected health information is any information that meets all three of these criteria:

- It relates to health — The information concerns an individual's past, present, or future physical or mental health condition, the provision of healthcare to the individual, or the past, present, or future payment for healthcare
- It identifies the individual — The information identifies the individual or provides a reasonable basis to believe the individual can be identified
- It is held or transmitted by a covered entity or business associate — The information is created, received, maintained, or transmitted by an organization subject to HIPAA

All three criteria must be present. Health information that cannot be linked to an individual is not PHI. Information that identifies a person but has nothing to do with health is not PHI. And individually identifiable health information held by an organization not covered by HIPAA (such as a fitness app company that is not a covered entity or business associate) does not fall under HIPAA's PHI definition, though other privacy laws may apply.

What PHI Includes

PHI encompasses a broad range of data that many organizations underestimate:

- Medical records — Diagnoses, treatment plans, test results, clinical notes, imaging reports
- Billing and payment information — Claims data, explanation of benefits, payment histories, account balances
- Insurance information — Health plan enrollment records, eligibility determinations, beneficiary identifiers
- Communication records — Appointment reminders, prescription notices, referral letters, patient correspondence
- Demographic data linked to health — Name, address, date of birth, and Social Security number when linked with healthcare services
- Photographs and recordings — Images, video, or audio that identifies a patient in a healthcare context

The scope of PHI extends to any medium: electronic, paper, and oral. A conversation between two nurses about a patient's diagnosis in a hospital hallway involves PHI just as much as an electronic health record entry.

The 18 HIPAA Identifiers

Complete List

The HIPAA Privacy Rule specifies 18 types of identifiers that, when linked with health information, make that information identifiable — and therefore protected. These 18 identifiers are central to the Safe Harbor de-identification method:

- Names — Full name, last name, first name, or initials
- Geographic data — Street address, city, county, precinct, ZIP code (ZIP codes for areas with fewer than 20,000 people), and equivalent geocodes
- Dates — All dates directly related to an individual (birth date, admission date, discharge date, death date), and all ages over 89
- Phone numbers — All telephone numbers
- Fax numbers — All fax numbers
- Email addresses — All email addresses
- Social Security numbers — Full or partial SSN
- Medical record numbers — Identifiers assigned by healthcare providers
- Health plan beneficiary numbers — Insurance ID numbers
- Account numbers — Financial account numbers linked with healthcare
- Certificate/license numbers — Professional or other certificate and license numbers
- Vehicle identifiers — Vehicle identification numbers, license plate numbers
- Device identifiers — Serial numbers of medical devices or other devices linked to the individual
- Web URLs — Personal web addresses
- IP addresses — Internet Protocol addresses
- Biometric identifiers — Fingerprints, voiceprints, retinal scans
- Full-face photographs — Full-face photographic images and comparable images
- Any other unique identifying number, characteristic, or code — Catch-all for identifiers not listed above

Why These 18 Matter

These identifiers are the building blocks of individual identity. Even one identifier, when combined with health information, creates PHI. Organizations must understand that the presence of any single identifier with health data triggers HIPAA protections. A spreadsheet containing diagnosis codes is not PHI — but adding a column with patient names, medical record numbers, or dates of birth immediately transforms it into PHI subject to full HIPAA compliance requirements.

ePHI vs. Paper PHI

Electronic Protected Health Information (ePHI)

ePHI is PHI that is created, received, maintained, or transmitted in electronic form. The HIPAA Security Rule applies specifically to ePHI and requires administrative, physical, and technical safeguards for its protection.

ePHI exists in many forms beyond traditional databases:

- EHR systems — The most obvious repository of ePHI
- Email — Messages containing patient information
- Text messages — SMS and messaging app communications about patients
- Cloud storage — Files stored in cloud platforms
- Portable media — USB drives, external hard drives, CDs, DVDs
- Mobile devices — Smartphones, tablets, and laptops containing patient data
- Medical devices — Equipment that stores or transmits patient data
- Backup tapes and disks — Copies of systems containing ePHI
- Fax server logs — Electronic records of faxed PHI
- Voicemail systems — Digital recordings containing patient information
Paper PHI

Paper PHI includes printed medical records, handwritten notes, prescription pads, printed lab results, faxes, insurance forms, and any other physical record containing identifiable health information. While the Security Rule does not apply to paper records, the Privacy Rule does. Organizations must implement physical safeguards for paper PHI:

- Secure storage — Locked file cabinets and restricted-access areas for records
- Controlled access — Limiting who can access paper records based on job function
- Proper disposal — Shredding or other destruction methods that render records unreadable
- Transport security — Protecting paper PHI during transport between locations

Oral PHI

PHI communicated verbally is also protected under the Privacy Rule. While HIPAA does not require soundproofing every room, organizations must take reasonable safeguards to limit incidental disclosures during oral communications. Practical measures include holding sensitive conversations in private areas, avoiding patient discussions in public spaces, and using sign-in sheets that do not expose the reason for a patient's visit.

De-identification Methods

For the complete technical requirements, see our HIPAA de-identification requirements guide.

Safe Harbor Method

The Safe Harbor method provides a straightforward path to de-identification: remove all 18 identifiers listed above, and the organization must have no actual knowledge that the remaining information could identify an individual. Once properly de-identified under Safe Harbor, the data is no longer PHI and is not subject to HIPAA requirements.

Organizations frequently use Safe Harbor de-identification for:

- Research datasets — Providing health data for studies without exposing patient identity
- Analytics and reporting — Generating operational insights from patient data
- Training and testing — Using realistic data for system testing and team training
- Public reporting — Sharing aggregate health statistics

The challenge with Safe Harbor is that removing all 18 identifiers can greatly reduce the utility of the data. Dates, geographic data, and age information are often key for research and analytics. Organizations must balance data utility with privacy protection.
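As an added illustration (not part of the original guide), here is a small Python example that applies two rules from this guide: the "any single identifier plus health data is PHI" test from the 18-identifier section, and a Safe Harbor pass that strips or generalizes those identifiers. The field names and the sample record are constructed; the code keeps only the year of a date and aggregates ages over 89 into a single "90+" category, which the Safe Harbor rule permits, and it does not check the third criterion (that a covered entity or business associate holds the data).

```python
import re

# Constructed field names mapped onto the 18 Safe Harbor identifier
# categories. A real system would map its own schema onto these classes.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "zip", "phone", "fax", "email",
    "ssn", "mrn", "member_id", "account_no", "license_no", "vin",
    "device_serial", "url", "ip", "fingerprint", "photo",
}
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}
HEALTH_FIELDS = {"diagnosis", "procedure", "lab_result"}
YEAR_ONLY = re.compile(r"^\d{4}$")

# Constructed sample record (ISO dates assumed for the date fields).
SAMPLE_RECORD = {
    "name": "Jane Example", "dob": "1931-04-12", "zip": "02134",
    "state": "MA", "age": 93, "diagnosis": "E11.9",
}

def is_identifying(field, value):
    """True if this field/value pair falls into one of the 18 categories."""
    if field in DIRECT_IDENTIFIERS:
        return True
    if field in DATE_FIELDS:
        # A full date identifies; a bare year does not under Safe Harbor.
        return not YEAR_ONLY.match(str(value))
    if field == "age":
        return isinstance(value, int) and value > 89  # ages over 89 identify
    return False

def contains_phi(record):
    """Health data plus at least one identifier is PHI (the spreadsheet rule).
    Whether a HIPAA-covered organization holds it is not checked here."""
    has_health = any(f in HEALTH_FIELDS for f in record)
    has_identifier = any(is_identifying(f, v) for f, v in record.items())
    return has_health and has_identifier

def safe_harbor(record):
    """Return a copy with the identifier categories removed or generalized."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                      # drop direct identifiers outright
        if field in DATE_FIELDS:
            out[field] = str(value)[:4]   # keep the year only
        elif field == "age" and isinstance(value, int) and value > 89:
            out[field] = "90+"            # aggregate ages over 89
        else:
            out[field] = value            # state and health fields stay
    return out

if __name__ == "__main__":
    print(contains_phi(SAMPLE_RECORD), safe_harbor(SAMPLE_RECORD))
```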

Expert Determination Method

The Expert Determination method offers more flexibility. A qualified statistical expert applies statistical and scientific principles to determine that the risk of identifying any individual from the dataset is "very small." The expert must document the methods and results of the analysis.

This method allows retention of certain identifiers (such as partial dates or broader geographic regions) when the expert concludes that the combination of remaining data elements does not create a meaningful re-identification risk. Expert Determination is more complex and costly than Safe Harbor but produces de-identified datasets that retain greater analytical value.

Limited Data Sets

A limited data set falls between full PHI and fully de-identified data. A limited data set removes direct identifiers (names, addresses, Social Security numbers, etc.) but may retain certain indirect identifiers such as dates, city, state, and ZIP code. Limited data sets may be used for research, public health activities, and healthcare operations — but only under a data use agreement that restricts how the recipient may use and disclose the information.

Limited data sets are still subject to some HIPAA protections, unlike fully de-identified data. Organizations considering this approach should understand the specific data use agreement requirements and permitted uses.

The Minimum Necessary Standard

How It Applies to PHI

The minimum necessary standard requires covered entities to limit PHI access, use, and disclosure to the minimum amount needed to accomplish the intended purpose. This principle shapes how organizations design access controls, respond to information requests, and structure their data sharing practices.

Applying minimum necessary requires organizations to:

- Define role-based access — Determine what PHI categories each workforce role needs and restrict access accordingly
- Limit routine disclosures — Create standard procedures for common disclosure scenarios that specify the minimum PHI to release
- Evaluate non-routine requests — Review individual requests that fall outside standard procedures on a case-by-case basis
- Restrict internal access — Ensure that workforce members can access only the PHI needed for their specific job functions

Exceptions to Minimum Necessary

The minimum necessary standard does not apply to:

- Disclosures to or requests by a provider for treatment
- Disclosures to the individual who is the subject of the PHI
- Uses or disclosures made pursuant to a valid authorization
- Disclosures to HHS for compliance enforcement
- Uses or disclosures required by law

Treatment is the most significant exception. Healthcare providers need complete patient information to deliver safe, effective care, and the Privacy Rule recognizes that limiting treatment access could compromise patient outcomes.

Real-World PHI Examples

What IS PHI

Understanding PHI becomes clearer with concrete examples:

- A patient's name on a lab result — Name (identifier) + health information = PHI
- An insurance claim with a diagnosis code and member ID — Health plan beneficiary number + health information = PHI
- An email from a doctor to a specialist containing a patient's medical history and date of birth — Name, date of birth + health information = PHI
- A photograph of a patient's wound with their face visible — Full-face photograph + health information = PHI
- A billing statement sent to a patient's home address — Name, address + payment information for healthcare = PHI
- A voicemail from a pharmacy confirming a prescription with the patient's name — Name + prescription information = PHI

What Is NOT PHI

Equally important is understanding what does not qualify as PHI:

- Aggregate hospital statistics — "500 patients treated for influenza in January" without individual identifiers is not PHI
- De-identified data — Health information with all 18 identifiers properly removed is no longer PHI
- Employment records — Health information in employment records held by a covered entity in its capacity as an employer is not PHI (though other laws may apply)
- Education records — Health information in education records covered by FERPA is excluded from HIPAA
- Health data from non-covered entities — Information from fitness trackers, health apps, or other sources not connected to a covered entity or business associate is generally not HIPAA-regulated PHI
Common PHI Mistakes

Organizations frequently stumble in these areas:

- Scheduling boards — Whiteboards in common areas showing patient names and procedures
- Unencrypted email — Sending PHI via standard email without encryption
- Social media — Staff posting about patient cases, even without names, when details could identify the individual
- Disposal failures — Throwing paper records in regular trash or donating computers without wiping drives
- Verbal disclosures — Discussing patient cases in elevators, cafeterias, or other public areas where they can be overheard

Each of these scenarios represents a potential HIPAA breach. Organizations should address them through clear policies, regular training, and monitoring. A comprehensive HIPAA risk assessment will identify these weak spots in your specific environment.

PHI FAQ

Is a patient's name alone considered PHI?

A patient's name by itself is not automatically PHI. It becomes PHI when it is linked with health information — such as a diagnosis, treatment record, or payment for healthcare services — and is held by a covered entity or business associate. A name on a general mailing list, for example, is not PHI unless it is linked to health-related data.

Does PHI include information about deceased people?

Yes. PHI protections apply to deceased individuals for 50 years following the date of death. Covered entities must protect the health information of deceased patients with the same safeguards applied to living patients during this period.

Is a medical record number considered PHI even without other information?

A medical record number is one of the 18 HIPAA identifiers. When it appears in a healthcare context — which it inherently does, since it is assigned by a healthcare provider — it can be used to identify an individual and link them to health information. Medical record numbers should always be treated as PHI.

What is the difference between PHI and PII?

PHI (Protected Health Information) is health-related information that identifies an individual and is held by a HIPAA-covered entity or business associate. PII (Personally Identifiable Information) is a broader concept used in other privacy frameworks that refers to any information that can identify an individual, regardless of whether it relates to health. All PHI contains PII elements. However, not all PII is PHI. For more on HIPAA's scope, see our What is HIPAA article.

Can PHI be shared for marketing purposes?

PHI may be used for marketing only with the individual's written authorization, with limited exceptions. Covered entities may use PHI without authorization for face-to-face marketing communications and for promotional gifts of nominal value. Any marketing communication that involves remuneration from a third party to the covered entity requires authorization. The Privacy Rule contains detailed rules for marketing-related uses of PHI.

PHI Guide Takeaways

Protected health information is the foundation of every HIPAA rule. Organizations that clearly understand what PHI is, where it exists in their operations, and how to handle it properly build compliance programs on solid ground. Those that rely on vague assumptions about PHI inevitably create gaps that lead to breaches, enforcement actions, and erosion of patient trust.

From the 18 identifiers that define identifiability to the practical differences between ePHI and paper records, from de-identification methods to the minimum necessary standard, every concept in this guide translates directly into compliance decisions your organization makes every day. Make those decisions informed ones.

One Guy Consulting provides the tools, templates, and expert guidance organizations need to protect PHI effectively. Our policy library includes ready-to-implement PHI handling procedures, and our HIPAA compliance guide places PHI protection in the context of a complete compliance program. Contact us to ensure your organization understands and protects the information that matters most — your patients' health data.