What Is Patient Health Information and How Is It Protected?

Patient health information is any data about a person’s health, medical care, or payment for that care that can be linked back to them as an individual. Under U.S. law, this information receives federal protection through HIPAA (the Health Insurance Portability and Accountability Act), which sets strict rules about how it’s collected, stored, shared, and secured. The legal term is “protected health information,” or PHI, and it covers far more than most people realize.

What Counts as Protected Health Information

PHI isn’t limited to your medical chart. It includes any information that relates to your past, present, or future physical or mental health, any healthcare you’ve received, or any payment for that care. The critical qualifier is that the information must either identify you directly or be reasonably usable to identify you. A blood pressure reading on its own isn’t PHI. Attach a name, birth date, or medical record number to it, and it becomes protected.

This definition is intentionally broad. It covers paper files, electronic records, and even spoken conversations between healthcare providers. A voicemail from your doctor’s office reminding you of an appointment contains PHI. So does a faxed lab report, a billing statement, or an email from your therapist. The format doesn’t matter. What matters is whether the information connects health data to a specific person.

The 18 Identifiers That Trigger Protection

HIPAA specifies 18 types of identifiers that, when attached to health data, make it protected. These go well beyond names and addresses:

  • Names
  • Geographic data smaller than a state (street address, city, county, ZIP code)
  • Dates tied to an individual (birth date, admission date, discharge date, date of death), plus all ages over 89
  • Phone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate or license numbers
  • Vehicle identifiers including license plates
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Biometric identifiers (fingerprints, voiceprints)
  • Full-face photos or comparable images
  • Any other unique identifying number or code

Some of these surprise people. Your IP address paired with health data is PHI. A photo of your face stored alongside a diagnosis is PHI. Even your ZIP code can qualify, though the first three digits are sometimes allowed if the area they cover has more than 20,000 residents.

What’s Actually in Your Health Record

The clinical data inside your records spans a wide range. At the core are problem lists (your active and past diagnoses), medication lists, allergy records, immunization histories, and surgical histories. Vital signs like blood pressure, heart rate, and weight are recorded at nearly every visit. Lab results, imaging reports from X-rays or MRIs, and appointment records round out the picture.

Beyond the clinical basics, your record typically includes family medical history, social history (smoking status, alcohol use, occupation), provider notes from each visit, and billing information. As wearable devices and home monitoring tools have become common, data from blood pressure cuffs, glucose monitors, and even implantable devices increasingly flows into health records as well. Growth charts, mood tracking graphs, blood sugar trends, and wound photos may all become part of your file depending on how your care team documents your treatment.

Where Your Information Lives

Patient health information is stored across several types of systems, each with a different scope. An electronic medical record (EMR) is a digital version of the chart kept by a single doctor’s office. It contains the most relevant clinical data from that provider but typically can’t be shared electronically with other physicians.

An electronic health record (EHR) is more comprehensive. It pulls together data from multiple sources: doctors, hospitals, labs, and imaging centers. EHR systems are designed to let different providers share information, so your cardiologist can see what your primary care doctor prescribed. Most EHR systems also include a patient portal where you can view results, send messages, and pay bills.

A personal health record (PHR) is something you control. It’s a private app or system where you enter and manage your own data. No one else can access it unless you choose to share it. PHRs are useful for keeping a consolidated view of your health, but they depend entirely on what you put into them.

When Your Information Can Be Shared

HIPAA doesn’t lock down your information completely. The Privacy Rule allows covered entities (healthcare providers, health plans, and clearinghouses) to use and share PHI without your explicit authorization in certain circumstances. The most common is for treatment, payment, and healthcare operations. Your doctor can send your records to a specialist for a referral. Your insurer can access diagnosis codes to process a claim. A hospital can use your data for quality improvement programs. None of these require you to sign a separate consent form.

Outside of those routine purposes, sharing PHI generally requires your written authorization. There are exceptions for public health reporting, law enforcement requests with proper legal process, and certain research contexts where the data has been stripped of identifiers. But the default is that your information stays within the circle of people and organizations involved in your care and payment.

Your Right to Access Your Own Records

You have a legal right to see and obtain copies of nearly all of your health information. When you submit a request, your provider has 30 calendar days to respond. If the records are archived or otherwise hard to retrieve, they can extend that deadline by an additional 30 days, but they must notify you in writing of the delay and give you a specific date. Only one extension is allowed per request.

You can also direct your provider to send your records to someone else, such as another doctor, a family member, or a personal health app. The same 30-day timeline applies. If your request is denied in whole or in part, the provider must explain why in writing within that same window. Denials are limited to specific circumstances, like psychotherapy notes or information compiled for legal proceedings.

How Electronic Records Are Protected

Electronic PHI (often called ePHI) carries additional security requirements under the HIPAA Security Rule, strengthened by the HITECH Act. Healthcare organizations must implement four categories of technical safeguards. Access controls ensure that only authorized people can view ePHI in their systems. Audit controls track who accessed what and when, creating a trail that can be reviewed for unauthorized activity. Authentication procedures verify that anyone requesting access is actually who they claim to be. And transmission security measures protect data as it moves across networks, preventing interception during transfers between providers or to insurance companies.

These aren’t suggestions. They’re legal requirements for every organization that handles electronic health data.
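The audit-control requirement only pays off if someone actually reviews the trail. The following Python example, added here and not drawn from any particular vendor's EHR product, shows the two simplest checks a reviewer would run over an access log: flag any access to a patient record by a user who is not on that patient's care team, and flag users who touch an unusually large number of distinct patients in the log window. The log format, the user names, the patient identifiers and the care-team table are all constructed for the example; a real system would pull the care-team relationship from scheduling or encounter data.

```python
"""Review an ePHI access audit trail for accesses without a care relationship.

The log lines, user names, patient ids and care-team table below are constructed
for this example; they are not from any real system.
"""
import re
from collections import defaultdict

# Constructed audit log: one access event per line.
AUDIT_LOG = """\
2024-03-04T09:12:44Z user=dr.lee action=VIEW patient=P1001
2024-03-04T09:15:02Z user=nurse.kim action=VIEW patient=P1001
2024-03-04T10:03:30Z user=dr.lee action=UPDATE patient=P1002
2024-03-04T22:41:19Z user=it.admin action=VIEW patient=P1001
2024-03-04T22:42:05Z user=it.admin action=VIEW patient=P1002
2024-03-04T22:42:51Z user=it.admin action=VIEW patient=P1003
2024-03-04T22:43:33Z user=it.admin action=VIEW patient=P1004
2024-03-05T08:00:12Z user=dr.patel action=VIEW patient=P1003
"""

# Constructed care-team assignments: which users have a treatment relationship
# with which patient. In practice this comes from encounter/scheduling data.
CARE_TEAM = {
    "P1001": {"dr.lee", "nurse.kim"},
    "P1002": {"dr.lee"},
    "P1003": {"dr.patel"},
    "P1004": {"dr.patel"},
}

_LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) patient=(?P<patient>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:  # silently skip malformed lines; a real reviewer would count them
            events.append(m.groupdict())
    return events


def find_unassigned_access(events, care_team):
    """Return (timestamp, user, patient) for every access by a user who is
    not on that patient's care team. Unknown patients are treated as having
    an empty care team, so any access to them is flagged."""
    flagged = []
    for ev in events:
        if ev["user"] not in care_team.get(ev["patient"], set()):
            flagged.append((ev["ts"], ev["user"], ev["patient"]))
    return flagged


def users_over_threshold(events, limit):
    """Return the set of users who accessed more than `limit` distinct
    patients in the log window, a common sign of browsing or bulk export."""
    patients_by_user = defaultdict(set)
    for ev in events:
        patients_by_user[ev["user"]].add(ev["patient"])
    return {u for u, pats in patients_by_user.items() if len(pats) > limit}


def review(text=AUDIT_LOG, care_team=CARE_TEAM, limit=3):
    """Run both checks and return them together."""
    events = parse_log(text)
    return {
        "unassigned": find_unassigned_access(events, care_team),
        "high_volume": users_over_threshold(events, limit),
    }


if __name__ == "__main__":
    result = review()
    for ts, user, patient in result["unassigned"]:
        print(f"{ts} {user} accessed {patient} with no care relationship")
    for user in sorted(result["high_volume"]):
        print(f"{user} accessed an unusually high number of distinct patients")
```

Both checks are deliberately simple; the point is that the audit trail the Security Rule requires is a reviewable dataset, and the care-team relationship is the reference that turns a list of accesses into a list of exceptions. Emergency "break the glass" access and legitimate administrative roles would need to be accounted for before treating every exception as a violation.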

Penalties for Mishandling PHI

HIPAA violations carry a four-tier penalty structure based on the level of negligence involved. An unknowing violation, where the organization wasn’t aware of the breach, can result in fines of $100 to $50,000 per violation, with an annual cap of $25,000 for repeat offenses. Violations due to reasonable cause (the organization should have known) carry fines of $1,000 to $50,000 per violation, capped at $100,000 annually.

The penalties escalate sharply for willful neglect. If the problem is corrected within the required timeframe, fines range from $10,000 to $50,000 per violation, up to $250,000 per year. If it’s not corrected, the minimum is $50,000 per violation with an annual maximum of $1.5 million. Criminal penalties, including jail time, can also apply in cases of intentional misuse.

De-Identification: When Health Data Loses Its Protection

Health information that has been stripped of all identifying details is no longer considered PHI and can be used freely for research, public health analysis, and other purposes. HIPAA recognizes two paths to de-identification. The Safe Harbor method requires removing all 18 identifiers listed above, plus confirming that the remaining information couldn’t reasonably be used to identify anyone. The Expert Determination method allows a qualified statistician to analyze the data and certify that the risk of re-identification is very small. Both approaches must be documented, and the organization must be able to demonstrate compliance if audited.
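To make the Safe Harbor method concrete, here is a Python example, added to this article and not part of any official HIPAA guidance or tool, that applies the identifier list above to a constructed patient record. It drops the direct identifiers outright, reduces dates to the year, aggregates ages over 89 into a single "90+" bucket, keeps the first three ZIP digits only when the area they cover has more than 20,000 residents, and makes a best-effort regex scrub of free-text notes. The record, the field names and the ZIP3 population table are all constructed; a real pipeline would load Census figures for the ZIP3 check, and free text would still need human or NLP review because regexes cannot reliably find names.

```python
"""Safe Harbor style de-identification of a constructed patient record.

Structured fields are handled by rule. Free text gets a best-effort regex
scrub for phone numbers, e-mail addresses, SSN-shaped numbers and dates; that
is the weak spot of any automated approach and still needs review.
"""
import re
from datetime import date

# Constructed ZIP3 -> population table standing in for the Census figures a
# real pipeline would load. Any ZIP3 not listed is treated as low population.
ZIP3_POPULATION = {"021": 650_000, "100": 1_600_000, "036": 18_000}
ZIP3_MIN_POPULATION = 20_000  # Safe Harbor threshold for keeping a ZIP3

# Field names are an assumption for this example; they are not a standard.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_no", "license_no", "vehicle_id", "device_serial", "url",
    "ip", "biometric", "photo",
}
DATE_FIELDS = {"admit_date", "discharge_date", "death_date"}  # dob handled separately


def generalize_zip(zip_code):
    """Keep the ZIP3 only if its area exceeds the population threshold, else 000."""
    zip3 = zip_code[:3]
    if ZIP3_POPULATION.get(zip3, 0) > ZIP3_MIN_POPULATION:
        return zip3
    return "000"


def year_only(iso_date):
    """Reduce an ISO date (YYYY-MM-DD) to its year."""
    return iso_date[:4]


def age_bucket(dob_iso, as_of):
    """Exact age for 89 and under; everyone older is aggregated into '90+'."""
    born = date.fromisoformat(dob_iso)
    age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
    return "90+" if age > 89 else str(age)


_FREE_TEXT_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),               # SSN-shaped numbers
    re.compile(r"\b(?:\d{3}[-. ])?\d{3}[-. ]\d{4}\b"),  # US phone numbers
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),            # e-mail addresses
    re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),           # M/D/YYYY dates
    re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),               # ISO dates
]


def scrub_free_text(text):
    """Replace the patterns above with a marker. Names are NOT caught here."""
    for pat in _FREE_TEXT_PATTERNS:
        text = pat.sub("[REDACTED]", text)
    return text


def deidentify(record, as_of):
    """Return a Safe Harbor style copy of `record`, dropping direct identifiers."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # removed entirely
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "dob":
            out["birth_year"] = year_only(value)
            out["age"] = age_bucket(value, as_of)
        elif key in DATE_FIELDS:
            out[key[:-5] + "_year"] = year_only(value)  # admit_date -> admit_year
        elif key == "note":
            out[key] = scrub_free_text(value)
        else:
            out[key] = value  # clinical values such as vitals and diagnoses stay
    return out


# Constructed sample record; every value here is made up for the example.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "dob": "1931-04-17",
    "zip": "03601",
    "email": "jane@example.com",
    "mrn": "MRN-00012345",
    "ip": "203.0.113.42",
    "bp_systolic": 142,
    "bp_diastolic": 88,
    "diagnosis": "Essential hypertension",
    "admit_date": "2023-11-02",
    "note": "Reached at 555-0134, jane@example.com; DOB 04/17/1931.",
}

if __name__ == "__main__":
    for k, v in deidentify(SAMPLE_RECORD, date(2024, 6, 1)).items():
        print(f"{k}: {v}")
```

Two design choices are worth noting. The ZIP3 check defaults to "000" when the area is unknown, so a missing population table fails closed rather than leaking geography. And the output keeps clinical values untouched, which is the whole point of de-identification: the blood pressure and diagnosis remain useful for research once nothing in the record can be linked back to the person.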

This distinction matters for patients because it explains why your data can show up in medical research or public health reports without violating your privacy. The data used in those contexts has been scrubbed of anything that could trace back to you as an individual.