
What Counts as Protected Health Information (PHI)?

[Image: filing cabinet containing patient health records with confidential information]
Caption: PHI includes any individually identifiable health information in any form — paper, oral, or electronic

A patient walks into a clinic. Over the course of a single visit, their name is typed into an electronic health record, their date of birth is verified at the front desk, their insurance member number is recorded, and a photograph is taken for their file. Each of those data points — on its own — constitutes Protected Health Information under HIPAA.

Understanding what qualifies as PHI is not an academic exercise. It is the foundation upon which every HIPAA compliance programme is built. If your organisation cannot identify PHI, it cannot protect it.

What Is PHI?

Protected Health Information is any individually identifiable health information that is held or transmitted by a covered entity or its business associate. The key word is individually identifiable — information that can be used to identify a specific person.

PHI exists in every format: paper records, electronic health records, verbal communications, photographs, and even billing records.

The 18 HIPAA Identifiers

The HIPAA Safe Harbor method for de-identification requires the removal of eighteen specific identifiers. These represent the full scope of what the law considers identifiable:

[Image: digital fingerprint biometric scanner, representing one of the 18 HIPAA identifiers]
Caption: HIPAA defines 18 specific identifiers that must be removed for data to be considered de-identified

Personal Identifiers

  1. Names — Full or partial names of individuals, including patients, relatives, and employers
  2. Dates — Birth dates, admission dates, discharge dates, date of death, and all ages over 89
  3. Telephone numbers — Any direct contact numbers
  4. Fax numbers — Facsimile contact details
  5. Email addresses — Personal and work email

Government and Record Numbers

  6. Social Security numbers — The most sensitive identifier and a common target for identity theft
  7. Medical record numbers — Internal tracking numbers assigned by healthcare providers
  8. Health plan beneficiary numbers — Insurance member IDs and enrolment numbers
  9. Account numbers — Bank account or financial account details held by covered entities
  10. Certificate or licence numbers — Professional certifications, driver's licence numbers

Technical and Biometric Identifiers

  11. Vehicle identifiers — Licence plate numbers, vehicle identification numbers, serial numbers
  12. Device identifiers — Serial numbers of medical devices or other equipment
  13. Web URLs — Personal websites or web addresses associated with the individual
  14. IP addresses — Internet protocol addresses captured during digital interactions
  15. Biometric identifiers — Fingerprints, voiceprints, retinal scans, and other biological markers
  16. Full-face photographs — Any photographic image sufficient to identify an individual

Catch-All

  17. Geographic data — Street addresses, city, precinct, ZIP code, and their equivalent geocodes (state-level data is permitted)
  18. Any other unique identifying number, characteristic, or code — This broad category captures anything else that could identify an individual

Electronic PHI (ePHI)

When any of the above identifiers exist in electronic form — stored, transmitted, or processed digitally — they become electronic Protected Health Information (ePHI). The HIPAA Security Rule applies specifically to ePHI and requires technical safeguards that go beyond the Privacy Rule's general requirements.

ePHI includes:

  • Electronic health records (EHR)
  • Emails containing patient information
  • Text messages about patient care
  • Digital imaging files
  • Database records
  • Cloud-stored documents containing identifiers
  • Voicemail systems that store patient messages digitally

Common PHI You Might Overlook

Many organisations focus on the obvious — medical records and insurance forms — while overlooking less apparent PHI:

  • Sign-in sheets at reception desks that record patient names and appointment times
  • Appointment schedules visible to other patients
  • Prescription bottles left in accessible areas
  • Whiteboard notes in clinical areas with patient names and conditions
  • Fax confirmations that include patient names or record numbers
  • Clinical photographs taken for documentation purposes
  • Wearable device data linked to a specific patient

The De-identification Standard

HIPAA provides two methods for de-identifying data so it is no longer considered PHI:

Expert Determination

A qualified statistical or scientific expert determines that the risk of identifying an individual is very small, documenting the methods and results of the analysis.

Safe Harbor

The covered entity removes all eighteen identifiers and has no actual knowledge that the remaining information could identify an individual.

Data that has been properly de-identified is no longer subject to HIPAA restrictions.
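As an added illustration (not code from the original article), the following Python routine applies the Safe Harbor rules to a constructed patient record with a hypothetical field schema: it drops direct identifiers, keeps only the year of dates (which Safe Harbor permits), aggregates ages over 89, reduces geography to the state, and scrubs identifier patterns that leak into free-text notes.

```python
import re

# Constructed sample record (all values fictitious); field names are a hypothetical schema.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "dob": "1932-05-14",
    "age": 93,
    "admit_date": "2024-03-02",
    "email": "jane@example.com",
    "ssn": "000-00-0000",
    "mrn": "MRN-12345",
    "ip": "203.0.113.7",
    "address": {"street": "1 Main St", "city": "Springfield", "zip": "12345", "state": "IL"},
    "diagnosis": "Type 2 diabetes",
    "notes": "Reach patient at 555-0100 or jane@example.com; SSN 000-00-0000 on file.",
}

# Fields this example treats as direct identifiers: dropped outright.
DIRECT_IDENTIFIERS = {"name", "phone", "fax", "email", "ssn", "mrn", "ip", "account"}
# Date fields: reduced to the year, which Safe Harbor allows to remain.
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}

# Identifier patterns that commonly leak into narrative text; each match becomes a [TAG].
TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{3}-\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "[IP]"),
]

def scrub_text(text):
    """Replace identifier patterns found in free text with placeholder tags."""
    for pattern, tag in TEXT_PATTERNS:
        text = pattern.sub(tag, text)
    return text

def safe_harbor(record):
    """Return a de-identified copy of record following the Safe Harbor rules."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                    # identifiers 1, 3-10, 14 etc. are removed
        if key in DATE_FIELDS:
            out[key] = value[:4]                        # keep year only
        elif key == "age":
            out[key] = "90+" if value > 89 else value   # ages over 89 are aggregated
        elif key == "address":
            out[key] = {"state": value.get("state")}    # state-level geography only
        elif isinstance(value, str):
            out[key] = scrub_text(value)                # free text can still carry identifiers
        else:
            out[key] = value                            # clinical content is retained
    return out
```

Field-level rules alone are not enough: the `notes` field shows why free text must be scrubbed as well, and a Safe Harbor release still requires no actual knowledge that the remaining data could identify the individual.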

Why This Matters

In 2024, the average cost of a healthcare data breach reached $9.77 million — the highest of any industry for the fourteenth consecutive year, according to IBM's annual report. The vast majority of these breaches involved the exposure of the very identifiers listed above.

Knowing what constitutes PHI is the first step to protecting it. Every employee who touches patient data — from front-desk staff to IT administrators — should be able to recognise PHI when they see it and understand their obligations for safeguarding it.


Article by

HIPAA Guidelines Editorial Team

The editorial team at HIPAA Guidelines researches and writes authoritative guides on HIPAA compliance, privacy regulations, and healthcare data protection.
