What Are Some Examples of PHI? HIPAA Identifiers

Protected health information, or PHI, is individually identifiable health information that a HIPAA covered entity or its business associate creates, receives, stores, or transmits. In practice, health data becomes PHI when it can be linked to a specific person, and HIPAA’s Safe Harbor de-identification standard lists 18 categories of identifiers that make that link. Understanding what counts as PHI matters whether you work in healthcare, handle patient records, or simply want to know what privacy protections apply to your own data.

What Makes Something PHI

PHI has two ingredients. First, there must be health information: a diagnosis, a lab result, a prescription, a record of a doctor’s visit, or details about how someone paid for care. Second, that health information must be tied to something that identifies the person it belongs to. A blood pressure reading on its own is just a number. A blood pressure reading attached to a patient’s name, date of birth, or medical record number is PHI.

This applies regardless of format. A paper chart in a filing cabinet, a verbal conversation between nurses, and an electronic health record stored on a server are all PHI if they contain identifiable health data. The electronic version is usually called ePHI. The Privacy Rule covers PHI in every form; the Security Rule’s administrative, physical, and technical safeguards apply specifically to ePHI.

The 18 HIPAA Identifiers

The HIPAA Privacy Rule (45 CFR 164.514(b)(2)) lists 18 types of identifiers. When any of these appear in connection with health information, the data qualifies as PHI, and all of them must be removed for data to count as de-identified under the “Safe Harbor” method. The full list, drawn from the HHS Safe Harbor de-identification standard:

  • Names, including first, last, and maiden names
  • Geographic data smaller than a state, such as street address, city, county, or ZIP code (the first three digits of a ZIP code can be kept only if that three-digit zone contains more than 20,000 people; otherwise the prefix must be changed to 000)
  • Dates related to an individual, including birth date, admission date, discharge date, and date of death (year alone can remain, but all ages over 89, and any date element including the birth year that would reveal such an age, must be removed or grouped into a single “90 or older” category)
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate or license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers, such as the serial number on an implanted pacemaker or insulin pump
  • Web URLs
  • IP addresses
  • Biometric identifiers, including fingerprints and voiceprints
  • Full-face photographs and any comparable images
  • Any other unique identifying number, characteristic, or code (the one exception is a re-identification code that the covered entity itself assigns and keeps under the conditions of 45 CFR 164.514(c), which must not be derived from the individual’s information)

That last category is a catch-all. If a piece of data could realistically identify someone, even if it doesn’t fit neatly into the other 17 categories, it still counts.

Everyday Examples of PHI

Seeing identifiers in a list is one thing. Recognizing PHI in real life is another. Here are common situations where PHI shows up:

A hospital billing statement that lists your name, address, date of service, and the procedures you received is PHI. So is an explanation of benefits from your health insurance company, because it ties your identity to the care you received and what was paid. An appointment reminder sent to your email that mentions a specific clinic or doctor’s office contains both your email address and information about your healthcare.

Inside a medical facility, PHI appears in places people often overlook. Sign-in sheets at a doctor’s office, prescription bottle labels, wristbands worn by hospital patients, and even the information displayed on a computer screen at a nurse’s station all contain PHI. Physical medical records, including progress notes, lab reports, imaging results, medication records, discharge instructions, and consent forms, are PHI when they sit in a patient’s chart.

Digital PHI is just as common. Patient portals, electronic prescriptions, text messages between a provider and patient about symptoms, and even a photo taken of a patient’s wound for documentation purposes all qualify. Because IP addresses are one of the 18 identifiers, an IP address that a provider’s portal logs alongside the fact that someone viewed their health records is PHI under HIPAA’s definition.

PHI in Insurance and Payment Records

PHI is not limited to clinical notes and lab results. Any record that connects a person’s identity to their healthcare payment history counts. Health plan beneficiary numbers, claims data showing which services were billed and when, and group plan enrollment information all fall under HIPAA’s protection. If your insurance company has a record showing you visited a specialist on a certain date and the visit cost a certain amount, that entire record is PHI.

What Does Not Count as PHI

Not all health-related data is PHI. The distinction usually comes down to who holds the data and whether it can identify a person.

Data from consumer fitness trackers and health apps generally falls outside HIPAA’s scope. Companies like Fitbit or Apple collect detailed health metrics, including heart rate, sleep patterns, and step counts, but they are not “covered entities” under HIPAA. Covered entities are health plans, healthcare clearinghouses, and healthcare providers that transmit information electronically for billing or other standard transactions. Your smartwatch manufacturer is none of those things, unless it offers the app on behalf of a covered entity, in which case it may be a business associate and the data it handles for that entity is PHI. Otherwise, the same heart rate data that would be PHI in a hospital’s electronic health record is not PHI when it lives on your phone.

Student health records maintained by a school are typically covered by FERPA (the Family Educational Rights and Privacy Act) instead of HIPAA. Immunization records kept by an elementary school nurse, for example, are considered education records and are explicitly excluded from HIPAA’s definition of PHI. Employment records are also excluded. If your employer keeps a file noting that you took medical leave, that record is governed by employment law, not HIPAA, as long as it relates to you solely in your role as an employee.

De-identified data is another important exception. Under the Safe Harbor method, if all 18 identifiers are stripped from a dataset and the organization holding it has no actual knowledge that the remaining information could identify anyone, the data is no longer PHI. HIPAA also allows a second route, Expert Determination, in which a qualified statistician documents that the risk of re-identifying anyone in the dataset is very small. Researchers and public health agencies routinely work with de-identified data for this reason.
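As an added example (not part of the original article, and not an official HHS or HIPAA tool), the following Python applies the Safe Harbor rules from the identifier list above to a single patient record: direct identifiers are dropped, ZIP codes are truncated to three digits or zeroed, dates are reduced to the year, ages over 89 are aggregated, and free-text notes are scrubbed for identifiers that leak into them. The restricted ZIP prefixes, the field names, and the sample record are constructed assumptions; substitute the HHS list of low-population three-digit ZIP prefixes and your own schema.

```python
import re
from datetime import date

# ASSUMPTION: constructed placeholder for the HHS list of three-digit ZIP
# prefixes with 20,000 or fewer people. Replace with the published list.
RESTRICTED_ZIP3 = {"036", "059", "063"}

# Fields that are direct identifiers under Safe Harbor and are dropped outright.
# Field names are assumed; map them to your own schema.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip",
}

# Identifiers that commonly leak into free-text notes. Order matters: the SSN
# and IP patterns run before the phone pattern so they are not mis-labelled.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\(?\b\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
]


def generalize_zip(zip_code: str, restricted: set = RESTRICTED_ZIP3) -> str:
    """Keep the first three digits unless that prefix is low-population (then 000)."""
    prefix = zip_code.strip()[:3]
    if len(prefix) < 3 or not prefix.isdigit():
        return "000"
    return "000" if prefix in restricted else prefix


def generalize_age(age: int) -> str:
    """Ages over 89 collapse into the single permitted '90+' category."""
    return "90+" if age > 89 else str(age)


def years_between(born: date, as_of: date) -> int:
    """Whole years from born to as_of, so an age can be checked against 89."""
    return as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))


def scrub_text(text: str) -> str:
    """Replace identifiers embedded in free text with neutral labels."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record: dict, as_of: date, restricted: set = RESTRICTED_ZIP3) -> dict:
    """Apply Safe Harbor to one record and return a new dict; the input is untouched."""
    age = years_between(record["birth_date"], as_of) if "birth_date" in record else record.get("age")
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                                   # direct identifier: drop it
        if key == "zip":
            out[key] = generalize_zip(value, restricted)
        elif key == "age":
            out[key] = generalize_age(value)
        elif isinstance(value, date):
            if key == "birth_date" and age is not None and age > 89:
                continue                               # even the birth year would reveal age > 89
            out[key] = str(value.year)                 # all other dates keep only the year
        elif isinstance(value, str):
            out[key] = scrub_text(value)               # notes may carry leaked identifiers
        else:
            out[key] = value                           # clinical values (vitals, codes) stay
    if age is not None and age > 89:
        out["age"] = "90+"                             # the aggregated category the rule permits
    return out


# Constructed sample record; the person, numbers and addresses are fictional.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "mrn": "MRN-0001234",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "zip": "02139",
    "state": "MA",
    "birth_date": date(1930, 5, 17),
    "admission_date": date(2024, 3, 2),
    "systolic_bp": 148,
    "diagnosis": "I10 essential hypertension",
    "note": "Pt called from 617-555-0123, spouse reachable at jane@example.com; portal login from 10.0.0.7",
}


def deidentify_sample() -> dict:
    """Run the sample record through Safe Harbor as of a fixed reference date."""
    return deidentify(SAMPLE_RECORD, as_of=date(2024, 6, 1))


if __name__ == "__main__":
    for field, value in deidentify_sample().items():
        print(f"{field}: {value}")
```

The output keeps the state, the year of admission, the vital sign and the diagnosis code, but the name, MRN, SSN and email are gone, the ZIP is reduced to 021, the birth date disappears entirely because it would reveal an age over 89, and the phone number, email address and IP address inside the free-text note are replaced with labels. The regex scrub is a safety net, not a guarantee: Safe Harbor also requires that the holder have no actual knowledge that what remains could identify the patient, which a pattern match cannot establish.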

Why the “Linked To” Part Matters

A common misunderstanding is that medical information is always PHI. It is not. A dataset showing that 40% of patients in a study had high blood pressure contains health information but no identifiers, so it is not PHI. A spreadsheet listing patients by medical record number alongside their blood pressure readings is PHI, because the medical record number links the health data to specific people.

This linking also extends to relatives, employers, and household members. If a medical record notes that a patient’s spouse has a history of a certain condition, that information about the spouse is also PHI because it was collected in the context of the patient’s care and could identify the spouse.

PHI Applies to All Formats

People sometimes assume PHI is only digital. HIPAA covers health information in every form: electronic records stored on servers, paper documents in filing cabinets, and even spoken conversations. A doctor discussing a patient’s diagnosis by name in an elevator is disclosing PHI verbally. A faxed referral letter containing a patient’s Social Security number and treatment history is PHI on paper. The protections are the same regardless of how the information is stored or communicated.