Protected health information (PHI) is health-related data that can be tied back to a specific person and is created, received, maintained, or transmitted by a HIPAA covered entity (a healthcare provider, health plan, or healthcare clearinghouse) or by a business associate handling it on that entity's behalf. "Health-related" is broad: it covers a person's past, present, or future physical or mental condition, the care they received, and payment for that care. A classic example: a hospital medical record that contains your name, date of birth, diagnosis, and treatment notes. That entire record is PHI because it combines health details with information that identifies you. But PHI goes well beyond medical charts. Understanding what counts (and what doesn't) matters for anyone working in healthcare, handling patient data, or simply trying to understand their privacy rights.
The Two Requirements for PHI
For any piece of data to qualify as PHI, it has to meet two conditions simultaneously. First, it must be individually identifiable, meaning it either identifies a specific person or gives a reasonable basis to believe it could be used to identify one. Second, it must be created, received, maintained, or transmitted by a HIPAA covered entity, such as a doctor's office, hospital, insurance company, or claims clearinghouse, or by a business associate (a vendor such as a billing service, cloud host, or analytics provider) acting for one. Remove either condition and the data falls outside HIPAA's definition of PHI.
This is why the same piece of health information can be PHI in one context and not in another. Your blood pressure reading in your doctor’s electronic health record is PHI. That same blood pressure reading logged in a consumer fitness app made by a tech company that isn’t a healthcare provider is not PHI under HIPAA, even though the number is identical.
Common Examples of PHI
PHI shows up in places most people expect and in plenty of places they don’t. Here are concrete examples of data that qualifies as protected health information when held by a covered entity:
- Medical records and charts: Diagnoses, lab results, imaging reports, prescription histories, and clinical notes that include your name or medical record number.
- Billing and insurance documents: Explanation of benefits statements, claims submissions, and invoices that link a patient’s name or account number to a specific service or procedure.
- Appointment records: A scheduling system that shows a patient’s name, date, and the department they’re visiting (such as oncology or psychiatry) contains PHI because it ties an individual to a health-related service.
- Prescription labels: A pharmacy label with a patient’s name, medication, dosage, and prescriber information is PHI.
- Health plan enrollment data: Your insurance ID number, coverage details, and any linked demographic information held by your insurer.
- Verbal information: Even spoken details count. A nurse discussing a patient’s condition by name in a hallway is disclosing PHI.
The 18 Identifiers That Make Health Data “Identifiable”
HIPAA's Privacy Rule lists 18 categories of identifiers in its Safe Harbor de-identification standard (45 CFR 164.514(b)(2)). Health information held by a covered entity or business associate that carries any of them is treated as identifiable, and so as PHI. Some are obvious, others are surprisingly broad:
- Names
- Geographic subdivisions smaller than a state: Street addresses, cities, counties, precincts, and ZIP codes beyond the first three digits (and even the three-digit prefix when the area it covers contains 20,000 people or fewer)
- Dates (other than year) directly related to an individual: Birth dates, admission dates, discharge dates, and dates of death. Year alone may be kept, except that ages over 89, and any date element (including year) that would reveal such an age, must be aggregated into a single "90 or older" category
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate or license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers: Fingerprints, voiceprints
- Full-face photographs and comparable images
- Any other unique identifying number, characteristic, or code
This list catches people off guard. An IP address logged when someone signs into a hospital's patient portal is PHI, because the session ties that address to a patient receiving care. The same goes for a device ID collected through a healthcare provider's mobile app. Note also that the list is what Safe Harbor removes, not an exhaustive definition of "identifiable": a combination of rare diagnosis, small town, and admission year can single a person out without any of the 18 fields present.
Digital Data That Qualifies as PHI
Online tracking has expanded what counts as PHI in ways that weren't obvious a decade ago. HHS's Office for Civil Rights, in its bulletin on online tracking technologies, has said that when a healthcare provider or health plan offers a mobile app or website that collects user data, the information gathered through that platform is generally PHI. This includes data most people think of as routine tech tracking: IP addresses, device IDs, geolocation, and advertising identifiers. Two caveats for practitioners: the March 2024 revision of the bulletin narrowed the position for unauthenticated public pages (a visit to a general information page is PHI only if it relates to the visitor's own care), and in June 2024 a federal court vacated the bulletin's treatment of an IP address combined with an unauthenticated page visit as identifiable health information. Data collected inside authenticated portals and provider apps remains the clear case.
Consider a practical scenario. A patient uses a diabetes management app offered by their health clinic to log glucose levels and insulin doses. The app transmits data to a third-party analytics vendor. That transmission is a disclosure of PHI because the app usage is tied to a health condition (diabetes) and paired with identifying information like the patient's name, phone number, or device ID. Unless the vendor is a business associate operating under a business associate agreement (BAA) that limits what it may do with the data, the disclosure is impermissible, and the clinic, not the vendor's privacy policy, is on the hook for it.
This is a sharp contrast to consumer health apps. If you download a calorie-tracking app made by a company that isn't a healthcare provider and enter your weight and blood pressure, that data is not PHI under HIPAA, even if you originally got those numbers from your medical record. Other rules may still protect that information (the FTC Act's prohibition on unfair or deceptive practices, and the FTC's Health Breach Notification Rule for vendors of personal health records outside HIPAA), but HIPAA does not apply.
What Doesn’t Count as PHI
Several categories of health-related information fall outside HIPAA’s reach entirely:
De-identified data. Health information from which the identifiers have been removed is no longer PHI. A dataset showing that 4,000 patients at a hospital system were diagnosed with Type 2 diabetes in 2023, with no names, dates of birth, or other identifiers attached, is outside HIPAA and can be shared without patient authorization. HIPAA allows de-identification through two paths: Expert Determination, where a person with appropriate statistical and scientific expertise documents that the risk of re-identification is very small; or Safe Harbor, where all 18 identifier categories are removed and the covered entity has no actual knowledge that the remaining information could be used, alone or with other data, to identify the individual. In practice the second condition is where Safe Harbor fails: free-text clinical notes routinely contain phone numbers, email addresses, and full dates that field-level stripping never touches.
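The identifier list above and the Safe Harbor path described here translate directly into code. The following is an added example, not from the original article or any HHS tool: a de-identifier for a flat patient record that drops the direct-identifier fields, reduces dates to years, collapses ages over 89, generalizes ZIP codes to three digits (replacing the prefixes HHS listed as covering 20,000 people or fewer with 000), and scrubs identifier-shaped tokens from free text. The field names, the sample record, and the regex patterns are assumptions for illustration; the restricted ZIP prefix list is the one HHS published from 2000 census data in its Safe Harbor guidance and should be checked against current guidance before use.

```python
"""Safe Harbor de-identification of a flat patient record.

Added example, not from the original article. Assumptions: records are flat
dicts with the field names below; ZIP handling follows the 3-digit rule in
HHS's Safe Harbor guidance, using the restricted-prefix list HHS published
from 2000 census data (verify against current guidance before relying on it).
"""
import re
from datetime import date
from typing import Optional

# Identifier categories that Safe Harbor requires removing outright
# (names, sub-state geography, contact details, assigned numbers,
# device/network identifiers, biometrics, images). Field names are assumed.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "beneficiary_id", "account_no", "license_no", "vin", "plate",
    "device_id", "url", "ip", "fingerprint", "photo",
}
# Dates tied to the individual: only the year may survive.
DATE_FIELDS = {"dob", "admitted", "discharged", "died"}
# 3-digit ZIP prefixes whose area holds <= 20,000 people (HHS guidance,
# 2000 census data); these must be replaced by 000.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}
AGE_CAP = 89  # ages over 89 must be aggregated into "90+"

# Identifier-shaped tokens that survive field-level stripping in free text.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\b(?:\(\d{3}\)\s*|\d{3}[-.])\d{3}[-.]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
]


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits unless the prefix is restricted."""
    zip3 = re.sub(r"\D", "", zip_code)[:3]
    return "000" if len(zip3) < 3 or zip3 in RESTRICTED_ZIP3 else zip3


def year_of(value: str) -> Optional[str]:
    """Return the year of an ISO YYYY-MM-DD date, or None if unparseable."""
    m = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", value)
    return m.group(1) if m else None


def scrub_free_text(text: str) -> str:
    """Redact SSN, email, phone, date and IP tokens embedded in notes."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def safe_harbor(record: dict, as_of: date) -> dict:
    """Return a de-identified copy of `record` under the Safe Harbor rules."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue  # identifier categories 1-18: removed outright
        if field == "zip":
            out["zip3"] = generalize_zip(str(value))
        elif field in DATE_FIELDS:
            year = year_of(str(value))
            if year is None:
                continue  # unparseable date: safer to drop than to keep
            if field == "dob":
                age = as_of.year - int(year)
                if age > AGE_CAP:
                    out["age"] = "90+"  # birth year would reveal age > 89
                else:
                    out["birth_year"] = int(year)
                    out["age"] = age
            else:
                out[f"{field}_year"] = int(year)
        elif isinstance(value, str):
            out[field] = scrub_free_text(value)
        else:
            out[field] = value
    return out


# Constructed, fictitious sample record exercising several categories.
SAMPLE = {
    "name": "Jane Q. Example",
    "mrn": "MRN-0012345",
    "dob": "1931-06-02",
    "zip": "03601",
    "admitted": "2023-04-12",
    "ip": "203.0.113.7",
    "diagnosis": "Type 2 diabetes",
    "note": "Pt reachable at 555-867-5309 or jane@example.org; "
            "sister's SSN 123-45-6789 on file. Seen 2023-04-12.",
}


def deidentify_sample() -> dict:
    """Run the sample through Safe Harbor as of 1 Jan 2024."""
    return safe_harbor(SAMPLE, as_of=date(2024, 1, 1))


if __name__ == "__main__":
    print(deidentify_sample())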
Employment records. If a hospital maintains health-related records about its own employees in its role as an employer (think pre-employment physicals or workers’ compensation files), those records are excluded from PHI. The hospital is acting as an employer in that context, not as a healthcare provider.
Student health records covered by FERPA. Health records that a school maintains as part of a student's education record, such as a K-12 school nurse's file, fall under the Family Educational Rights and Privacy Act rather than HIPAA. So do "treatment records" at a college: notes a campus physician or psychologist keeps solely for treating a student and discloses only to other treatment providers. HIPAA's definition of PHI expressly excludes both.
Data held by non-covered entities. Your gym’s record of your body measurements, a life insurance company’s health questionnaire responses, and the health articles you read online are not PHI because the organizations collecting them are not HIPAA-covered entities.
Why the Distinction Matters
PHI carries strict legal protections. Covered entities and business associates that mishandle PHI face civil penalties, and in severe cases, criminal prosecution. For individuals, understanding what qualifies as PHI helps you recognize when your privacy rights apply. If a healthcare provider shares your diagnosis and name with a third party without authorization, that's a potential HIPAA violation. If a fitness app sells your step count data, HIPAA has nothing to say about it.
The practical takeaway is that context determines everything. The same data point (a blood glucose reading, a birth date, an IP address) can be PHI or not depending on who holds it and whether it's linked to an identifiable person. When both conditions are met, HIPAA's full privacy and security requirements kick in.