PHI stands for protected health information, and it refers to any health-related data that can be linked to a specific person. Under HIPAA (the Health Insurance Portability and Accountability Act), PHI includes medical records, billing information, lab results, insurance details, and any other health data tied to an individual’s identity. It’s the core concept behind most health privacy rules in the United States.
What Counts as PHI
For health information to qualify as PHI, two things must be true: the data relates to someone’s health, healthcare services, or payment for care, and it contains something that could identify the person. A set of blood pressure readings on its own is not PHI. But add a name, date of birth, or medical record number to those readings, and the entire dataset becomes protected.
HIPAA defines 18 specific identifiers that turn ordinary health data into PHI. These include obvious ones like names, Social Security numbers, phone numbers, and email addresses. But the list also covers details people don’t always think of: ZIP codes (anything more specific than the first three digits), dates tied to a person (birth dates, admission dates, discharge dates), IP addresses, device serial numbers, biometric data like fingerprints, full-face photographs, and even vehicle license plate numbers. If any of these identifiers are attached to health information, it’s PHI.
The scope of what qualifies is broad. Medical records, X-rays, clinical notes, prescription histories, wellness program files, insurance enrollment data, and billing records all count. Essentially, if a healthcare provider or insurer uses information to make decisions about your care or payment, and that information can be traced back to you, it’s PHI.
Who Is Required to Protect PHI
HIPAA doesn’t apply to everyone who handles health data. It applies to three categories of organizations known as “covered entities”: healthcare providers who transmit information electronically (doctors, hospitals, clinics, pharmacies, dentists, psychologists, nursing homes), health plans (insurance companies, HMOs, employer-sponsored plans, Medicare, Medicaid, veterans’ health programs), and healthcare clearinghouses (organizations that process health data into standardized electronic formats).
Beyond these, any company or contractor that handles PHI on behalf of a covered entity, called a “business associate,” is also bound by HIPAA. This includes cloud storage providers, billing services, IT companies, and data analytics firms that touch patient data. They’re required to sign agreements committing to the same privacy and security standards.
Health Data That Isn’t PHI
Not all health-related information falls under HIPAA. Data from consumer fitness trackers, health apps you download on your phone, or wellness surveys you fill out for a non-medical company typically isn’t PHI because it doesn’t flow through a covered entity. Your step count on a smartwatch, for example, isn’t protected by HIPAA even though it’s health data tied to your identity.
Research data can also fall outside PHI. If a researcher collects health measurements (like genetic markers or diagnostic test results) and never enters them into a medical record or links them to the 18 identifiers, that information isn’t considered PHI under HIPAA, though other research ethics rules still apply. Aggregated, non-individual data used in studies is another common example of health information that HIPAA doesn’t cover.
PHI vs. ePHI
Electronic protected health information, or ePHI, is simply PHI that’s stored or transmitted digitally. This includes electronic medical records, emails containing patient information, data in cloud systems, and digital images. HIPAA’s Security Rule applies specifically to ePHI and requires three categories of safeguards.
Administrative safeguards include conducting risk assessments, training staff, assigning a security officer, and having contingency plans for data breaches. Physical safeguards cover controlling who can physically access servers, workstations, and portable devices that store ePHI. Technical safeguards require measures like access controls (so only authorized people can view records), audit logs that track who accessed what, encryption during data transmission, and identity verification systems.
Paper records and verbal communications containing PHI are covered by HIPAA’s Privacy Rule but not the Security Rule. In practice, most healthcare data today is electronic, so ePHI protections are central to how organizations handle patient information.
Your Rights Over Your Own PHI
HIPAA gives you a legal, enforceable right to access your own health information. You can request to see, receive copies of, or have your records sent to a person or organization of your choosing. This right covers a broad range of records: medical charts, billing and payment records, lab results, medical images, clinical notes, insurance information, and wellness program files. It applies regardless of whether the records are on paper, in electronic systems, or archived offsite, and regardless of how old they are.
When you submit an access request, the provider or insurer must respond within 30 calendar days. If they need more time (for archived records, for instance), they can extend by one additional 30-day period, but they must notify you in writing with the reason for the delay. Two narrow categories of information can be withheld: psychotherapy notes (the personal notes a therapist keeps separate from your medical record) and information compiled for use in legal proceedings.
How PHI Gets De-Identified
Once all 18 identifiers are stripped from a health dataset, the information is no longer considered PHI and is no longer subject to HIPAA. This process, called de-identification, is how researchers and public health agencies use medical data without compromising individual privacy. The “Safe Harbor” method requires removing every one of the 18 identifiers and ensuring the remaining data couldn’t reasonably be used to identify anyone. A second approach, called “Expert Determination,” involves a qualified statistician certifying that the risk of identifying any individual from the data is very small.
Some identifier rules have specific thresholds. Dates must be stripped down to just the year. Ages over 89 must be grouped into a single “90 or older” category. ZIP codes can only be kept at the three-digit level, and only if that three-digit zone contains more than 20,000 people.
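As an added example that is not part of this article, the following Python sketch applies the Safe Harbor transformations described above to one constructed record: direct identifiers are dropped, dates are reduced to the year, ages over 89 are bucketed as “90 or older”, ZIP codes are cut to three digits (or zeroed for sparsely populated zones), and free-text fields are checked for identifiers that survive field-level stripping. The field names, the sample record and the SMALL_ZIP3_ZONES set are assumptions; a real deployment would load the list of three-digit zones with 20,000 or fewer residents from Census data.

```python
import re
from datetime import date

DIRECT_IDENTIFIERS = {"name", "ssn", "phone", "email", "mrn",
                      "ip_address", "device_serial", "license_plate"}
DATE_FIELDS = {"dob", "admission_date", "discharge_date"}
SMALL_ZIP3_ZONES = {"036", "102", "203"}  # constructed placeholder for zones with <= 20,000 people
RESIDUAL_PATTERNS = {  # identifiers that hide inside free-text fields such as clinical notes
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "phone": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
}

def generalize_date(value):
    """Keep only the year of an ISO YYYY-MM-DD date (Safe Harbor date rule)."""
    return str(date.fromisoformat(value).year)

def generalize_age(age):
    """Collapse ages over 89 into the single '90 or older' bucket."""
    return "90 or older" if age > 89 else str(age)

def generalize_zip(zip_code):
    """Keep the 3-digit prefix unless that zone has 20,000 or fewer people."""
    return "000" if zip_code[:3] in SMALL_ZIP3_ZONES else zip_code[:3]

def flag_residual_identifiers(text):
    """Return the names of identifier patterns still present in free text."""
    return sorted(n for n, p in RESIDUAL_PATTERNS.items() if p.search(text))

def deidentify(record):
    """Drop direct identifiers, generalize quasi-identifiers, redact risky free text."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # removed outright, never generalized
        if key in DATE_FIELDS:
            out[key] = generalize_date(value)
        elif key == "age":
            out[key] = generalize_age(value)
        elif key == "zip":
            out[key] = generalize_zip(value)
        elif isinstance(value, str) and flag_residual_identifiers(value):
            out[key] = "[REDACTED: free text still contains identifiers]"
        else:
            out[key] = value
    return out

SAMPLE = {"name": "J. Example", "ssn": "123-45-6789", "mrn": "MRN-0001",  # constructed record
          "dob": "1931-04-12", "age": 93, "zip": "10021", "diagnosis": "I10",
          "notes": "Patient may be reached at 212-555-0100 after discharge."}
```

Regex checks on free text only catch obvious residual identifiers; Safe Harbor still requires that the remaining data could not reasonably identify anyone, which is a judgment call the code cannot make.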
Recent Changes to PHI Protections
HIPAA’s PHI protections have expanded to address reproductive health care. A final rule now prohibits covered entities and their business associates from using or disclosing PHI to support investigations or impose liability on someone for seeking, obtaining, providing, or facilitating lawful reproductive health care. When a covered entity receives a request for PHI that could relate to reproductive care, it must now obtain a signed attestation confirming the request isn’t for a prohibited purpose. This change was designed to prevent medical records from being used as evidence against patients or providers in states where reproductive health care laws differ.