Protected health information (PHI) is any health-related data that can identify a specific person and is held by a healthcare provider, health plan, or healthcare clearinghouse. For information to qualify as PHI under HIPAA, it must meet all three criteria: it relates to someone’s past, present, or future health, healthcare, or payment for healthcare; it identifies the individual or could reasonably be used to identify them; and it is created or held by an organization that HIPAA actually covers. Understanding what counts (and what doesn’t) matters if you work in healthcare, handle medical records, or simply want to know what protections apply to your own data.
The Three Conditions That Make Data PHI
Not all health data is PHI. HIPAA’s Privacy Rule sets out three conditions that must all be true at the same time. First, the information must relate to a person’s physical or mental health condition, the care they received, or payment for that care. A diagnosis, a lab result, a billing record for a surgery, and a prescription history all meet this condition.
Second, the information must identify the person or give someone a reasonable basis to figure out who the person is. A name attached to a blood test result is obvious, but even a combination of a birth date, zip code, and gender could be enough to single someone out.
Third, the information must be created, received, maintained, or transmitted by a “covered entity” or one of its business associates. This is the condition most people overlook. The same medical detail can be PHI in one context and not in another, depending entirely on who holds it.
Who HIPAA Actually Covers
HIPAA does not apply to every organization that touches health data. It applies to three categories of covered entities:
- Healthcare providers such as doctors, dentists, psychologists, chiropractors, nursing homes, pharmacies, and clinics, but only if they transmit health information electronically in connection with certain standard transactions like billing or insurance claims.
- Health plans including health insurance companies, HMOs, employer-sponsored health plans, and government programs like Medicare, Medicaid, and veterans’ health programs.
- Healthcare clearinghouses, which are organizations that process nonstandard health information into standardized electronic formats, often acting as intermediaries between providers and insurers.
Business associates also fall under HIPAA’s rules. These are companies or individuals that perform services on behalf of a covered entity and handle PHI in the process: a cloud storage vendor hosting medical records, a billing company processing claims, or an IT firm maintaining a hospital’s electronic health record system. A written business associate agreement must be in place before any of these partners can access PHI.
The 18 Identifiers That Make Health Data Identifiable
HIPAA’s Privacy Rule lists 18 specific data elements that, when attached to health information, make it individually identifiable. If all 18 are stripped out and the covered entity has no actual knowledge that the remaining data could identify someone, the information is considered “de-identified” and no longer subject to HIPAA restrictions. The full list:
- Names
- Geographic data smaller than a state (street address, city, county, zip code), though the first three digits of a zip code may be kept if that three-digit zone contains more than 20,000 people
- Dates directly related to the individual (birth date, admission date, discharge date, death date), except the year alone; all ages over 89 must be grouped into a single “90 or older” category
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate or license numbers
- Vehicle identifiers and serial numbers, including license plates
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers such as fingerprints and voiceprints
- Full-face photographs or comparable images
- Any other unique identifying number, characteristic, or code
What PHI Looks Like in Practice
PHI shows up across a wide range of documents and systems. A patient intake form at a clinic collects names, dates of birth, addresses, phone numbers, email addresses, insurance ID numbers, employer information, and referring physician details. All of it is PHI once it’s in the hands of the provider.
Clinical records are the most obvious examples: diagnoses, treatment plans, lab results, imaging reports, therapy notes, and surgical records. But PHI also includes billing and payment records such as explanation-of-benefits statements, insurance claims, and account numbers tied to healthcare services. Even a scheduling system that links a patient’s name to an appointment date and a provider’s specialty contains PHI, because the specialty can imply the nature of the health condition.
PHI exists in every format. Paper charts in a filing cabinet, electronic records in a hospital database, a voicemail from a doctor’s office mentioning test results, and a fax containing lab work are all covered. HIPAA makes no distinction between media types.
Electronic PHI and Security Requirements
When PHI exists in electronic form, it’s called ePHI, and HIPAA’s Security Rule adds a separate layer of protection. Covered entities and their business associates must implement safeguards in three categories. Administrative safeguards include conducting risk assessments, designating a security official, training all staff who handle ePHI, establishing access authorization policies, and creating incident response procedures. Technical safeguards require access controls so only authorized users can reach ePHI, audit mechanisms that log who accessed what and when, authentication to verify users’ identities, and transmission security to prevent interception of data sent over networks. Physical safeguards (though less commonly discussed) cover things like facility access and workstation security.
Organizations must also periodically reassess whether their security measures still meet the rule’s requirements. This isn’t a one-time checkbox. The Security Rule is designed to be flexible, scaling to the size and complexity of the organization, but the core obligations apply to every entity that handles ePHI.
Health Data That HIPAA Does Not Cover
This is where things get confusing for most people. A huge amount of health-related data falls outside HIPAA entirely because it isn’t held by a covered entity or business associate.
The fitness tracker on your wrist, the meditation app on your phone, and the symptom checker you used last week all collect health data. But unless that app was developed to create, receive, maintain, or transmit ePHI on behalf of a covered entity, HIPAA doesn’t apply to it. If you direct your doctor’s office to send your medical records to a personal health app that you chose independently, once that app receives the data, HIPAA protections no longer follow it. The covered entity fulfilled its obligation by honoring your access request, but the app itself isn’t bound by HIPAA rules.
Employment records held by your employer are also excluded, even if they contain health-related information like a doctor’s note for sick leave or the results of a workplace fitness screening. Education records covered by FERPA (the federal student privacy law) are similarly outside HIPAA’s reach. And health information that has been properly de-identified, with all 18 identifiers removed, is no longer PHI and can be used or shared without HIPAA restrictions.
How De-identification Works
HIPAA provides two approved methods for stripping identifiers from health data. The Safe Harbor method requires removing all 18 identifiers listed above and confirming that the covered entity has no actual knowledge that the remaining information could identify someone. This is the more straightforward approach and the one most organizations use.
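The Safe Harbor rules above (the 18 identifiers, the three-digit zip rule, year-only dates, and the "90 or older" age bucket) are mechanical enough to implement. The following is an added example written for this article, not code from any HIPAA guidance or real system. It uses an allow-list so that any field the schema did not anticipate (a free-text notes column, a newly added ID) is dropped rather than passed through; the field names, the sample record and the zip-zone population table are all constructed for the example, and a real implementation would need Census population figures for every three-digit zip prefix. It also suppresses the birth year when the derived age exceeds 89, since the regulation treats date elements that reveal such an age the same way it treats the age itself.

```python
"""Safe Harbor de-identification of one patient record (added example).

Illustration code for this article, not a real HIPAA tool. Field names,
sample values and the population table are constructed.
"""
from datetime import date
import re

# Allow-list of non-identifying fields that survive de-identification.
# Anything not listed here, not a zip code and not a known date field is
# dropped, so unexpected columns fail closed. Names are assumptions.
KEEP_FIELDS = {"sex", "diagnosis_code", "lab_result", "state"}

# Dates directly related to the individual: Safe Harbor permits the year alone.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Constructed population table: three-digit zip prefix -> residents.
# Zones with 20,000 or fewer residents must be replaced by "000".
ZIP3_POPULATION = {"021": 650_000, "036": 12_000}

# Reference date used to compute ages (constructed).
REFERENCE_DATE = date(2024, 3, 2)

# Constructed sample intake record; every value is made up.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0001234",
    "ssn": "000-00-0000",
    "email": "jane@example.invalid",
    "street": "1 Example Way",
    "city": "Boston",
    "state": "MA",
    "zip": "02115",
    "birth_date": "1931-05-20",
    "admission_date": "2024-03-02",
    "sex": "F",
    "diagnosis_code": "E11.9",
    "lab_result": "HbA1c 7.2%",
    "notes": "Daughter Maria can be reached at 555-0100",  # free text: dropped
}


def generalize_zip(zip_code, population=ZIP3_POPULATION):
    """Return the three-digit prefix, or '000' when the zone is too small."""
    digits = re.sub(r"\D", "", zip_code)
    zip3 = digits[:3]
    if len(zip3) < 3 or population.get(zip3, 0) <= 20_000:
        return "000"
    return zip3


def year_only(iso_date):
    """Keep only the year of an ISO-8601 date string."""
    return date.fromisoformat(iso_date).year


def compute_age(birth_iso, reference):
    """Whole years between the birth date and the reference date."""
    born = date.fromisoformat(birth_iso)
    age = reference.year - born.year
    if (reference.month, reference.day) < (born.month, born.day):
        age -= 1
    return age


def deidentify(record, reference_date, population=ZIP3_POPULATION):
    """Apply Safe Harbor to one record; return (clean_record, dropped_fields)."""
    clean, dropped = {}, []
    for key, value in record.items():
        if key in KEEP_FIELDS:
            clean[key] = value
        elif key == "zip":
            clean["zip3"] = generalize_zip(value, population)
        elif key in DATE_FIELDS:
            clean[key + "_year"] = year_only(value)
        else:
            dropped.append(key)  # one of the 18 identifiers, or unknown
    if "birth_date" in record:
        age = compute_age(record["birth_date"], reference_date)
        if age > 89:
            # Both the exact age and the birth year would reveal an over-89 age.
            clean["age"] = "90 or older"
            clean.pop("birth_date_year", None)
        else:
            clean["age"] = age
    return clean, dropped


if __name__ == "__main__":
    cleaned, removed = deidentify(SAMPLE_RECORD, REFERENCE_DATE)
    print("kept:", cleaned)
    print("dropped:", removed)
```

Returning the list of dropped fields makes the run auditable: a reviewer can confirm that every identifier column was actually removed rather than trusting that it was. What the code cannot do is satisfy the second half of Safe Harbor, the "no actual knowledge" condition; that stays a human judgment about whether the remaining fields (diagnosis, lab result, state, admission year) could still single someone out in the population the dataset covers.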
The Expert Determination method is more flexible but more complex. A qualified statistical expert analyzes the data and certifies that the risk of identifying any individual is “very small.” The expert must document the methods and reasoning behind that conclusion. This approach allows organizations to retain more data elements when doing so won’t realistically compromise anonymity, which is useful for research datasets where geographic or temporal detail adds value.
The 2024 Reproductive Health Care Update
A final rule published in April 2024 added new protections for reproductive health information. Under this update, covered entities are prohibited from using or disclosing PHI for the purpose of investigating or imposing liability on anyone for seeking, obtaining, providing, or facilitating reproductive health care that was lawful in the state where it was provided. This means a health plan or provider cannot hand over records to support a criminal, civil, or administrative action against a patient or provider when the care in question was legal at the time and place it occurred. The rule was designed to prevent PHI from being weaponized in the patchwork of state reproductive health laws that emerged after 2022.