Personal health information, formally called protected health information (PHI) under U.S. law, is any individually identifiable health data that is created, received, or maintained by a healthcare provider, health plan, or healthcare clearinghouse. For information to qualify as PHI, it must meet two criteria: it relates to a person’s health, healthcare services, or payment for care, and it contains details that could identify that specific person. Understanding what falls under this definition matters because it determines what’s legally protected and what isn’t.
The Two-Part Test for PHI
Not all health-related data is PHI. The distinction comes down to context. A piece of information becomes PHI when it is both tied to a healthcare event (a doctor’s visit, a hospital stay, an insurance claim) and linked to an identifiable individual. Your blood pressure reading in your medical record is PHI. That same blood pressure reading logged anonymously in a research database is not.
This means health data you enter into a personal journal, share casually in conversation, or even type into a consumer app may not be PHI at all, because it wasn’t generated as part of a healthcare service. The legal protections kick in only when a “covered entity,” meaning a healthcare provider, health plan, or healthcare clearinghouse, is involved in creating or handling the data.
The 18 Identifiers That Make Health Data PHI
HIPAA specifies 18 types of identifiers. If health information includes any one of these and is held by a covered entity, it counts as PHI:
- Names
- Geographic data smaller than a state (street address, city, county, ZIP code)
- Dates directly related to a person (birth date, admission date, discharge date, death date), plus all ages over 89
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate or license numbers
- Vehicle identifiers (including license plate numbers)
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric data (fingerprints, voiceprints)
- Full-face photographs or comparable images
- Any other unique identifying number or code
These identifiers apply not just to the patient but also to the patient’s relatives, employers, and household members. A note in your medical file mentioning your spouse’s name, for example, brings that name under PHI protections too.
PHI vs. Personally Identifiable Information
People often confuse PHI with personally identifiable information (PII), but they’re legally distinct. PII is a broader category covering any data that can identify someone: your name, your driver’s license number, your address. PHI is narrower. It only applies when identifiable information is connected to a healthcare service event, entered into a medical record, or used to make treatment or payment decisions.
A research study that collects your name and asks you to self-report your exercise habits is handling PII, not PHI, because the data wasn’t generated through healthcare delivery. That same exercise data pulled from your hospital’s cardiac rehabilitation records would be PHI. The information can be identical; what changes is where it came from and who holds it.
What PHI Includes in Practice
PHI covers a wide range of records most people interact with regularly. Medical charts, lab results, imaging reports, prescription histories, billing statements, insurance claims, and appointment records all qualify. So do less obvious forms: notes from a phone call with a nurse, emails between you and your doctor’s office, and the digital records generated when you use a patient portal.
Genetic information is explicitly classified as health information under a 2013 rule that amended HIPAA. This includes your genetic test results, your family medical history, and information about genetic tests taken by family members. Health insurers cannot use genetic information to make decisions about your eligibility, benefits, or premiums.
Psychotherapy notes receive even stronger protection than standard PHI. These are the personal notes a mental health professional writes during or after a private counseling session, kept separate from the rest of your medical record. With very few exceptions, a provider must get your written authorization before sharing psychotherapy notes with anyone, including other healthcare providers. Notably, basic session information like appointment times, prescribed medications, diagnosis summaries, and treatment plans does not count as psychotherapy notes and follows the standard PHI rules.
What Isn’t Considered PHI
Several categories of health-related data fall outside HIPAA’s protections. Employment records that a covered entity maintains in its role as an employer are excluded, even if they contain health details like the results of a pre-employment physical. Education records covered by the Family Educational Rights and Privacy Act (FERPA) are also excluded, which is why a school nurse’s records typically fall under FERPA rather than HIPAA.
Health data collected by organizations that aren’t covered entities or their business associates sits entirely outside HIPAA. This is a significant gap in the digital age. The data your fitness tracker collects about your heart rate, sleep patterns, and activity levels is generally not PHI, even though it’s deeply personal health information in the everyday sense. The same goes for most consumer health apps, period trackers, and wellness platforms that aren’t operated by or on behalf of a healthcare provider or insurer. According to the FTC, most of these apps fall under the agency’s own rules rather than HIPAA, but those protections are narrower.
Who Is Required to Protect PHI
HIPAA’s privacy and security rules apply to three types of covered entities: healthcare providers (doctors, hospitals, clinics, pharmacies, labs), health plans (insurance companies, HMOs, employer-sponsored plans, government programs like Medicare and Medicaid), and healthcare clearinghouses (organizations that process nonstandard health data into standard formats). If an entity doesn’t fit one of those categories, HIPAA simply doesn’t apply to it.
Business associates, meaning companies that perform services for covered entities and handle PHI in the process (billing companies, cloud storage providers, IT contractors), are also bound by HIPAA. Covered entities must have a written agreement with each business associate spelling out their obligations. Business associates are directly liable for certain HIPAA violations, not just contractually responsible.
Penalties for Mishandling PHI
HIPAA enforces PHI protections through a four-tier penalty structure based on the level of negligence involved. As of August 2024, the penalties per violation are:
- Tier 1, lack of knowledge: $141 to $71,162 per violation
- Tier 2, reasonable cause (not willful neglect): $1,424 to $71,162 per violation
- Tier 3, willful neglect corrected within 30 days: $14,232 to $71,162 per violation
- Tier 4, willful neglect not corrected within 30 days: $71,162 to $2,134,831 per violation
Each tier carries an annual cap of roughly $2.13 million for repeated violations of the same provision. Criminal penalties, including potential prison time, can apply in cases of knowing misuse or theft of PHI. These penalties target the organizations and individuals handling your data, not you as the patient.
Your Rights Over Your PHI
HIPAA gives you the right to access almost all of your PHI, request corrections, and get an accounting of disclosures: a record of to whom your information has been disclosed and why. You can also request restrictions on how your PHI is used or shared, though covered entities aren’t always required to agree. The one notable exception to your access rights is psychotherapy notes, which a provider can decline to share with you.
You also have the right to receive a notice of privacy practices from every covered entity you interact with, explaining how they use and protect your information. If you believe your PHI has been mishandled, you can file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights, which investigates and enforces HIPAA violations.