What Comprises Protected Health Information (PHI)?

Protected health information (PHI) is any individually identifiable health information that relates to a person’s past, present, or future physical or mental health, the care they receive, or the payment for that care. For data to qualify as PHI, it must meet two conditions simultaneously: it contains health-related information, and it includes one or more of 18 specific identifiers that could link that information to a particular person.

The Two-Part Test for PHI

A diagnosis on its own isn’t PHI. A name on its own isn’t PHI either. The data becomes protected health information only when a health-related detail is paired with identifying information. A lab result showing high cholesterol is just clinical data until it’s attached to a name, a date of birth, or a medical record number. At that point, it falls under HIPAA’s Privacy Rule, which establishes national standards for how that information must be handled.

The health component is broad. It covers any information about a person’s physical or mental condition, the healthcare services they’ve received or will receive, and any billing or payment details tied to that care. This means your insurance claims, prescription records, therapy notes, hospital discharge paperwork, and even a phone call to schedule a procedure can all generate PHI.

The 18 HIPAA Identifiers

HIPAA defines exactly 18 categories of data that count as identifiers. If any one of these is connected to health information, the combined data is PHI:

  • Names
  • Geographic data smaller than a state, including street address, city, county, and ZIP code
  • Dates related to an individual (except year alone), including birth date, admission date, discharge date, and date of death, plus all ages over 89
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate or license numbers
  • Vehicle identifiers and serial numbers, including license plates
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Biometric identifiers, such as fingerprints and voiceprints
  • Full-face photographs and comparable images
  • Any other unique identifying number, characteristic, or code

That last category is a catch-all. It exists so that new forms of identification, ones that didn’t exist when the rule was written, still fall under protection. If a data point can reasonably be used to identify someone and it’s linked to health information, it’s PHI.

Who Is Required to Protect PHI

HIPAA’s Privacy Rule applies to three types of organizations, known as covered entities: health plans (insurers, HMOs, government programs like Medicare), healthcare clearinghouses (companies that process claims data), and healthcare providers who transmit information electronically. Beyond these, any company or contractor that handles PHI on behalf of a covered entity, called a business associate, is also bound by the same rules. This includes billing companies, cloud storage providers hosting medical records, IT firms maintaining hospital systems, and shredding companies that destroy paper records.

PHI vs. Personally Identifiable Information

People often confuse PHI with PII (personally identifiable information), but they’re governed by different rules. PII is a broader category that includes any data that can identify a person, such as your name, address, or driver’s license number, regardless of whether it has any connection to health. PHI is specifically the subset of identifiable information tied to health, healthcare, or payment for healthcare. Your name and home address on a mailing list are PII. Your name and home address on a billing statement from a hospital are PHI. The distinction matters because PHI triggers HIPAA protections, while PII is covered by a patchwork of other federal and state laws.

Health Apps and Wearable Devices

Data from fitness trackers, health apps, and consumer wellness devices generally does not count as PHI, even though it might include heart rate readings, sleep patterns, or blood glucose levels. The reason is straightforward: HIPAA only applies to covered entities and their business associates. If you download a meditation app or use a smartwatch to track your runs, the company behind that product typically isn’t a healthcare provider, insurer, or clearinghouse. The health data you voluntarily enter into apps that aren’t developed or offered by a covered entity falls outside HIPAA’s reach entirely, regardless of how sensitive it is.

This gap surprises many people. Your cardiologist’s records about your heart rhythm are tightly protected. The nearly identical heart rhythm data collected by your smartwatch may have no federal privacy protection at all.

When PHI Can Be Shared Without Your Consent

HIPAA doesn’t create an absolute seal around your health information. Covered entities can disclose PHI without your authorization in several specific situations. Public health authorities can receive it for disease prevention, injury tracking, or controlling outbreaks. Government agencies authorized to investigate child abuse and neglect can access it. Law enforcement officials can request it under limited circumstances, such as locating a suspect, fugitive, or missing person, or when responding to a court order. Disclosures required by other laws, including state statutes and regulations, are also permitted.

Outside these exceptions, a covered entity generally needs your written authorization before sharing your PHI. You also have the right to request a copy of your records and to ask for corrections.

How Data Stops Being PHI

Health information can be stripped of its protected status through a process called de-identification. HIPAA recognizes two methods. The first, known as Safe Harbor, requires the removal of all 18 identifiers listed above, not just from the individual’s own data but also from information about their relatives, employers, and household members. Once those identifiers are gone and the organization has no actual knowledge that the remaining data could identify someone, the information is no longer PHI.
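As an added example (not from the original article), the Safe Harbor rules above applied in Python to a constructed patient record: direct identifiers from the 18-item list are dropped, dates are reduced to the year, ages over 89 collapse to "90+", and a few common identifier formats are scrubbed from free-text notes. The field names, regular expressions and sample values are assumptions made for this example.

```python
import re
from datetime import date

# Keys holding direct identifiers from the 18-item list (constructed field names).
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "zip", "phone", "fax", "email", "ssn",
    "mrn", "plan_id", "account_no", "license_no", "vehicle_id", "device_serial",
    "url", "ip", "biometric", "photo",
}
# Identifiers that leak through free-text notes; each match becomes a tag.
FREE_TEXT_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
}

def age_on(birth: date, asof: date) -> int:
    """Whole years between birth and asof."""
    return asof.year - birth.year - ((asof.month, asof.day) < (birth.month, birth.day))

def safe_harbor(record: dict, asof: date) -> dict:
    """Copy of record with Safe Harbor identifiers removed; see inline comments."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # direct identifiers are removed outright
        if isinstance(value, date):
            value = value.year  # year alone is permitted
        elif isinstance(value, str):
            for label, pat in FREE_TEXT_PATTERNS.items():
                value = pat.sub(f"[{label}]", value)  # scrub free text
        out[key] = value
    dob = record.get("dob")
    if isinstance(dob, date):
        age = age_on(dob, asof)
        if age > 89:
            out.pop("dob")  # even the birth year would reveal an age over 89
            out["age"] = "90+"
        else:
            out["age"] = age
    return out

SAMPLE = {  # constructed sample record, not real patient data
    "name": "Jane Example", "dob": date(1930, 5, 14), "admitted": date(2023, 11, 2),
    "state": "OH", "zip": "44101", "mrn": "MRN-0001234", "diagnosis": "E78.5 hyperlipidemia",
    "note": "Pt called 216-555-0100 to reschedule; SSN 123-45-6789 on file.",
}
AS_OF = date(2024, 1, 1)
def deidentify_sample() -> dict:
    return safe_harbor(SAMPLE, AS_OF)
```

Safe Harbor also requires that the organization have no actual knowledge the remaining fields could identify the person, which no regex can establish; the free-text patterns here catch only obvious formats and should be treated as a last line of defence, not a substitute for structured data handling.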

The second method, Expert Determination, involves hiring a qualified statistician or data scientist who applies accepted scientific methods to assess the risk of re-identification. If that expert determines the risk is “very small” that someone could use the data, alone or combined with other available information, to identify a person, and documents that analysis, the data qualifies as de-identified. Researchers, public health agencies, and technology companies routinely use these methods to work with large health datasets without triggering HIPAA obligations.

Penalties for Mishandling PHI

HIPAA violations carry civil penalties organized into four tiers based on the level of negligence. An unknowing violation can cost between $100 and $50,000 per incident. Violations due to reasonable cause range from $1,000 to $50,000 each. Willful neglect that gets corrected in time brings fines of $10,000 to $50,000 per violation, with an annual cap of $250,000 for repeat offenses. The most severe tier, willful neglect with no correction, carries a flat $50,000 per violation and an annual maximum of $1.5 million. Criminal penalties, including jail time, can also apply in cases involving intentional misuse or theft of health information.