What is Defined as Protected Health Information Under HIPAA?

by | Mar 4, 2021

In any healthcare or health insurance organization, it is crucial that anyone who comes into contact with patient data knows exactly what is defined as Protected Health Information (PHI) under HIPAA, so that they do not inadvertently violate the HIPAA Rules.

What is Defined as Protected Health Information (PHI) Under HIPAA?

Anyone who is employed in the healthcare sector or is currently studying a healthcare-related course that involves some level of access to patient healthcare or billing data must be fully aware of what is classified as PHI.

The HIPAA Privacy Rule restricts the permitted uses and disclosures of PHI in any form, and the HIPAA Security Rule requires safeguards to be in place at all times to ensure the confidentiality, integrity, and availability of the electronic subset of PHI (ePHI).

Should a breach occur, it is not a valid defense to state that you were unaware of the HIPAA requirements for ensuring the privacy and security of PHI. A violation of any provision of HIPAA can result in significant civil penalties for the covered entities and business associates involved, and in some cases criminal charges may be brought against individuals. This is why HIPAA training provided to employees must give them a clear understanding of what is defined as PHI.

How is PHI Defined under HIPAA?

HIPAA defines PHI as individually identifiable health information that relates to an individual's past, present, or future physical or mental health or condition, to the provision of healthcare to the individual, or to the past, present, or future payment for that healthcare, and that is created, received, maintained, or transmitted by a HIPAA covered entity (or by a business associate acting on its behalf) in the course of treatment, payment, or healthcare operations.

Some data elements that form part of PHI when they are linked to an identifiable individual include:

  • Medical diagnoses
  • Details of treatments
  • Prescriptions
  • Test results
  • Date of Birth
  • Social Security numbers and other national identification numbers
  • Ethnicity
  • Gender
  • Contact details

These data elements are PHI whatever form they are held in: on paper, spoken aloud, or stored electronically. PHI that is created, stored, shared, or received electronically is referred to as electronic PHI (ePHI), and it is ePHI that the Security Rule's safeguards apply to.

PHI includes patient and health plan member information, but it does not include education records covered by FERPA, health information held by a covered entity in its role as an employer (employment records), or health information about a person who has been deceased for more than 50 years.

Personal and healthcare data is only classed as PHI when it is possible to identify the individual from that information. In practice, that means the information contains one or more of the 18 identifiers listed below, or could otherwise reasonably be used to identify the individual.

If all 18 identifiers are removed using the Privacy Rule's Safe Harbor method, and the covered entity has no actual knowledge that the remaining information could be used to identify the individual, the information is de-identified and is no longer PHI, so its uses and disclosures are no longer restricted by the Privacy Rule. The Privacy Rule also permits an alternative, the Expert Determination method, in which a qualified expert documents that the risk of re-identification is very small.

What are the Identifiers that make personal and health information PHI?

The Privacy Rule's Safe Harbor de-identification standard lists 18 identifiers that, when present, make personal health and billing information individually identifiable and bring it under the protection of the HIPAA Rules. The 18 identifiers are:

  1. All geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code, and their equivalent geocodes), except the initial three digits of a ZIP code if, according to current publicly available data from the U.S. Census Bureau, the geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; where that unit contains 20,000 or fewer people, the three digits are changed to 000.
  2. All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date, and date of death; and all ages over 89 and any date elements (including year) that would reveal such an age, which may only be retained if aggregated into a single category of "age 90 or older".
  3. Names
  4. Telephone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web URLs
  15. IP addresses
  16. Biometric identifiers, including fingerprints, retinal scans, and voice prints
  17. Full-face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code, other than a re-identification code that meets the Privacy Rule's conditions (it must not be derived from information about the individual, and the covered entity must not disclose it or the mechanism for re-identification for any other purpose)
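The two passages above (the rule that data is PHI when it carries any of the identifiers, and the Safe Harbor list itself) are mechanical enough to be worth seeing as code. The following is an added example written for this page, not code from the original article or from any HHS tool. It runs a Safe Harbor pass over one structured patient record: it applies the three-digit ZIP rule with the 20,000-person exception, reduces dates to years, collapses ages over 89 into a "90+" bucket (dropping the birth year, which would otherwise reveal the age), strips the direct identifiers, and reports which identifier categories a record still contains. The field names, the two-element restricted ZIP set, and the sample records are constructed assumptions for the example.

```python
import re
from datetime import date

# Constructed placeholder for this example. The real set is every three-digit
# ZIP prefix whose combined population is 20,000 or fewer according to current
# Census Bureau data; load it from that data rather than hard-coding it.
RESTRICTED_ZIP3 = {"036", "059"}

# Field names are assumptions for this example. Each maps to the identifier
# category from the Safe Harbor list that the field carries.
DIRECT_IDENTIFIERS = {
    "name": "names",
    "street": "geographic subdivisions smaller than a state",
    "city": "geographic subdivisions smaller than a state",
    "phone": "telephone numbers",
    "fax": "fax numbers",
    "email": "email addresses",
    "ssn": "social security numbers",
    "mrn": "medical record numbers",
    "beneficiary_id": "health plan beneficiary numbers",
    "account": "account numbers",
    "license": "certificate/license numbers",
    "plate": "vehicle identifiers",
    "device_serial": "device identifiers and serial numbers",
    "url": "web URLs",
    "ip": "IP addresses",
    "fingerprint": "biometric identifiers",
    "photo": "full-face photographs",
}
# Dates directly related to the individual; at most the year may survive.
DATE_FIELDS = ("dob", "admitted", "discharged")


def zip3(zip_code: str) -> str:
    """First three digits of a ZIP, or 000 if that prefix is population-restricted
    (or the value is not a usable ZIP at all)."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    if len(prefix) < 3 or prefix in RESTRICTED_ZIP3:
        return "000"
    return prefix


def age_on(dob: date, as_of: date) -> int:
    """Completed years of age on as_of."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def identifiers_present(record: dict) -> list[str]:
    """Safe Harbor identifier categories the record still carries. Non-empty means
    the record is PHI; empty is necessary (not sufficient) for de-identification."""
    found = {cat for field, cat in DIRECT_IDENTIFIERS.items() if record.get(field)}
    if record.get("zip"):
        found.add("geographic subdivisions smaller than a state")
    if any(record.get(field) for field in DATE_FIELDS):
        found.add("dates directly related to the individual")
    return sorted(found)


def deidentify(record: dict, as_of: date) -> dict:
    """Apply the Safe Harbor transformations to one structured record."""
    # Anything not on the list (diagnosis, state, year-level data) is retained.
    out = {k: v for k, v in record.items()
           if k not in DIRECT_IDENTIFIERS and k not in DATE_FIELDS and k != "zip"}
    if record.get("zip"):
        out["zip3"] = zip3(record["zip"])
    for field in ("admitted", "discharged"):
        if record.get(field):
            out[f"{field}_year"] = record[field].year
    if record.get("dob"):
        age = age_on(record["dob"], as_of)
        if age >= 90:
            # Ages over 89 collapse into one bucket, and the birth year is dropped
            # too, because combined with the reference date it reveals the real age.
            out["age"] = "90+"
        else:
            out["age"] = str(age)
            out["birth_year"] = record["dob"].year
    return out


# Constructed sample records; no real patients.
AS_OF = date(2024, 6, 1)
SAMPLE_YOUNG = {
    "name": "Jane Q. Example", "ssn": "123-45-6789", "mrn": "MRN-0001",
    "street": "1 Main St", "city": "Cambridge", "state": "MA", "zip": "02139",
    "dob": date(1979, 3, 15), "admitted": date(2024, 4, 2),
    "diagnosis": "E11.9", "email": "jqe@example.com",
}
SAMPLE_OLD = {
    "name": "John Q. Example", "mrn": "MRN-0002", "state": "VT", "zip": "03601-1234",
    "dob": date(1928, 9, 30), "discharged": date(2024, 5, 20), "diagnosis": "I10",
}

if __name__ == "__main__":
    for rec in (SAMPLE_YOUNG, SAMPLE_OLD):
        print("before:", identifiers_present(rec))
        cleaned = deidentify(rec, AS_OF)
        print("after: ", cleaned, identifiers_present(cleaned))
```

Two caveats a practitioner should keep in mind. First, an empty `identifiers_present` result only satisfies the first half of Safe Harbor; the covered entity must also have no actual knowledge that the remaining data could identify the individual, which no field filter can establish on its own. Second, this handles structured fields only: free-text fields such as clinical notes can contain any of the 18 identifiers and need pattern or NLP-based scanning before they can be released.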

How Can PHI be Secured?

According to the HIPAA Security Rule, covered entities and business associates must implement safeguards that protect against reasonably anticipated threats or hazards to the confidentiality, integrity, and availability of the ePHI they create, receive, maintain, or transmit.

The Security Rule requires administrative, physical, and technical safeguards to be implemented to keep ePHI secure. However, the Security Rule is not technology specific: the precise security measures are left to the discretion of each covered entity, based on its own risk analysis and the risk management process that follows from it.

In addition to robust access controls, network firewalls, encryption of ePHI at rest and in transit, and logging and monitoring of access to ePHI, it is important not to neglect training. HIPAA and security awareness training are essential for ensuring employees know what PHI is, how it must be protected, and when it is permissible to access, use, and disclose it.

PHI: Frequently Asked Questions

How is a permitted disclosure of PHI different from an incidental disclosure?

Covered entities are permitted to use and disclose PHI for treatment, payment, and healthcare operations. An incidental disclosure is a secondary, unintended disclosure that cannot reasonably be prevented, is limited in nature, and occurs as a by-product of a use or disclosure that the Privacy Rule permits. It is only excused if the covered entity had applied reasonable safeguards and the minimum necessary standard to the underlying permitted disclosure.

Can email addresses that do not include a person's name be considered identifiers for PHI purposes?

Yes. Email addresses are identifier number 6 on the Safe Harbor list, and the rule does not distinguish between addresses that contain a name and those that do not. The practical reason is that an address that looks anonymous is rarely hard to attribute: a search of social media or a reverse email lookup tool will often reveal enough about the owner to identify them, even when it does not return the individual's name outright. Health information linked to such an address is therefore PHI.

How can you gauge what is a reasonably anticipated threat to PHI?

Covered entities and business associates must carry out an accurate and thorough risk analysis, and repeat it regularly, to identify the threats and vulnerabilities to ePHI and the likelihood and impact of each. The threats identified through that process are the "reasonably anticipated" ones, and the risk management plan that follows from the analysis is where they are planned for and mitigated.

How are PII, PHI, and IIHI different?

Personally Identifiable Information (PII) is the general term, used in any sector, for information that can identify a specific person. Individually Identifiable Health Information (IIHI) is health information (as defined above) that identifies the individual, or could reasonably be used to do so. PHI is IIHI that is held or transmitted, in any form, by a HIPAA covered entity or business associate, with the exclusions noted above (education records, employment records, and records of people deceased for more than 50 years).


Covered entities are legally obliged under HIPAA to ensure that PHI is always handled in a compliant manner. If you are concerned that individuals within your organization are unsure about the permitted uses and disclosures of PHI and how that information must be protected, the best course of action is to arrange a refresher HIPAA training session as soon as possible.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.



Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University.
