What Is the Definition of Protected Health Information?

Protected health information (PHI) is any individually identifiable health information that is held or transmitted by a health plan, healthcare provider, or healthcare clearinghouse. Under the HIPAA Privacy Rule, information qualifies as PHI when it relates to someone’s health, healthcare, or payment for healthcare and contains details that could identify that person. The definition covers information in any form: electronic records, paper charts, and even spoken conversations.

The Three Conditions That Make Data PHI

Not all health data is PHI. Three conditions must overlap before information falls under HIPAA protection.

First, the information must relate to an individual’s past, present, or future physical or mental health condition, the provision of healthcare to that individual, or payment for that healthcare. A blood pressure reading, a therapy session note, and an insurance claim all meet this criterion.

Second, the information must identify the individual or provide a reasonable basis to identify them. A diagnosis alone, with no name or other identifying detail attached, does not qualify. But pair that diagnosis with a birth date, a zip code, or an email address, and it crosses the line.

Third, the information must be created, received, maintained, or transmitted by a covered entity or its business associate. This is the piece many people miss. Your fitness tracker data sitting on your phone is not PHI because the app company typically is not a HIPAA-covered entity. The same blood pressure reading in your doctor’s electronic health record is PHI.

Who Counts as a Covered Entity

HIPAA defines three types of covered entities: healthcare providers (doctors, hospitals, pharmacies, labs that transmit health information electronically), health plans (insurance companies, HMOs, employer-sponsored health plans, Medicare, Medicaid), and healthcare clearinghouses (organizations that process nonstandard health information into standard formats). If an organization does not fit one of these categories, HIPAA does not apply to it directly.

Business associates add a second layer. When a covered entity hires an outside company to handle tasks involving PHI, like a cloud storage provider hosting medical records or a billing company processing claims, that company becomes a business associate. It must sign a written agreement and comply with HIPAA’s privacy and security requirements. Business associates are directly liable for violations, not just contractually bound.

The 18 Identifiers That Make Health Data Identifiable

HIPAA specifies 18 types of identifying information. When any of these appear alongside health or payment data held by a covered entity, the combination is PHI:

  • Names
  • Geographic data smaller than a state (street address, city, county, zip code)
  • Dates related to an individual (birth date, admission date, discharge date, date of death), other than the year alone, and all ages over 89
  • Phone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate or license numbers
  • Vehicle identifiers and license plate numbers
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Biometric identifiers (fingerprints, voiceprints)
  • Full-face photographs and comparable images
  • Any other unique identifying number, characteristic, or code

This list is intentionally broad. Demographic details like addresses and birth dates count as identifiers even though they have nothing to do with health on their own. The point is that linking them to health data creates a package that could expose someone’s private medical situation.

PHI vs. PII

Personally identifiable information (PII) is a broader category used across many federal agencies and privacy laws. It includes any data that can identify a person: name, Social Security number, driver’s license number, financial account details. PHI is a subset. It only applies when identifiable information intersects with health, healthcare, or payment data and is handled by a HIPAA-covered entity or business associate. Your name on a retail loyalty card is PII. Your name on a lab report at your doctor’s office is PHI. The distinction matters because PHI triggers a specific set of federal protections, including strict limits on who can access, use, and share it.

How Data Stops Being PHI

Health information can be stripped of its protected status through de-identification. HIPAA recognizes two methods.

The Safe Harbor method requires removing all 18 identifiers listed above, plus confirming that the remaining information could not be used alone or in combination to identify someone. For dates, only the year can remain. For geographic data, only the first three digits of a zip code can stay, and only if that three-digit zip area contains more than 20,000 people. Ages over 89 must be grouped into a single “90 or older” category.
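As an added illustration, not code from the original article, the Python below applies the Safe Harbor rules just described to one flat record: direct identifiers are dropped, dates are cut to the year, ZIP codes are reduced to three digits only where the area exceeds 20,000 people, and ages over 89 (including a birth year that implies one) collapse into "90 or older". The field names, the ZIP-prefix population lookup and the sample record are constructed assumptions.

```python
from datetime import date

# Constructed lookup (assumption, not Census data): does the area formed by all ZIP
# codes sharing these three digits exceed 20,000 people?
ZIP3_OVER_20K = {"021": True, "036": False, "100": True}

# Identifier types removed outright; field names are assumptions for this example.
DIRECT_IDENTIFIERS = {"name", "phone", "fax", "email", "ssn", "mrn", "account_number",
                      "license_number", "vehicle_id", "device_serial", "url",
                      "ip_address", "biometric_id", "photo"}

def generalize_zip(zip_code: str) -> str:
    # Keep the first three digits only when that area holds more than 20,000 people.
    prefix = zip_code[:3]
    return prefix if ZIP3_OVER_20K.get(prefix, False) else "000"

def generalize_age(age: int) -> str:
    # Ages over 89 collapse into a single "90 or older" bucket.
    return "90 or older" if age > 89 else str(age)

def safe_harbor_deidentify(record: dict, as_of: date) -> dict:
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                              # identifier removed entirely
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key.endswith("_date"):
            out[key] = value[:4]                  # ISO "YYYY-MM-DD" -> year only
        elif key == "age":
            out[key] = generalize_age(value)
        else:
            out[key] = value                      # clinical data is retained
    # Edge case: a birth year alone can reveal an age over 89, so when the
    # implied age exceeds 89 the year is replaced by the aggregate bucket.
    if "birth_date" in record:
        born = date.fromisoformat(record["birth_date"])
        age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
        if age > 89:
            out["birth_date"] = "90 or older"
    return out

# Constructed sample record (fictitious values, not real patient data).
SAMPLE = {"name": "Jane Doe", "email": "jane@example.invalid", "mrn": "MRN-00042",
          "ip_address": "203.0.113.7", "zip": "02139", "birth_date": "1931-03-15",
          "admission_date": "2024-06-02", "diagnosis": "hypertension", "systolic_bp": 148}

def deidentify_sample() -> dict:
    return safe_harbor_deidentify(SAMPLE, date(2024, 6, 2))
```

A production version would load the three-digit ZIP population table from Census data and would still need the actual-knowledge check, which no code can perform on its own.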

The Expert Determination method allows a qualified statistical expert to analyze the data and certify that the risk of identifying any individual is very small. The expert must document the methods and results that support that conclusion. This approach is more flexible but requires specialized knowledge.

Once data is properly de-identified by either method, it is no longer PHI and can be used and shared without HIPAA restrictions.

PHI in the Digital Age

The question of what counts as PHI online has grown more complicated. HHS issued guidance stating that individually identifiable health information collected through a covered entity’s website or mobile app generally qualifies as PHI, even if the person has no existing patient relationship with that entity and even if the data does not include specific treatment or billing details. Under this interpretation, an IP address linked to a visit to a hospital’s webpage about a specific health condition could be PHI.

However, a federal court partially pushed back, ruling that simply connecting an IP address to a visit to an unauthenticated public webpage about health conditions is not enough to trigger HIPAA obligations. HHS is evaluating its next steps. For now, the boundary between general web browsing data and PHI remains in flux, particularly when online tracking technologies are involved.

Reproductive Health Protections Added in 2024

A 2024 amendment to the HIPAA Privacy Rule created new protections specifically for reproductive health information. The rule prohibits covered entities and business associates from using or disclosing PHI to investigate or impose liability on any person for the act of seeking, obtaining, providing, or facilitating reproductive healthcare. This means a health plan or provider cannot hand over medical records to support a criminal, civil, or administrative action against someone simply because they received lawful reproductive care.

The amendment also narrowed the definition of “public health” activities so that investigations targeting individuals for seeking or providing healthcare cannot be disguised as population-level public health work. These changes reflect the evolving legal landscape around reproductive rights, adding a layer of protection that did not previously exist in HIPAA.