What Is Protected Health Information?

Always Automate, Nothing To Manage

Always automated.

Nothing to manage.

Leave Training & Simulated Phishing to us.

Protected Health Information (PHI) is any health information that can identify an individual and is held or transmitted by a HIPAA-covered entity or its business associates. Specifically, PHI means individually identifiable health information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. It includes health records and billing information in any form—electronic (ePHI), paper, or oral.

How Does Protected Health Information Work?

PHI operates as the fundamental unit of information regulated under HIPAA, with specific identifiers determining whether health information qualifies as protected.

The 18 PHI Identifiers

The HIPAA Privacy Rule enumerates 18 direct and indirect identifiers that, when present in health information, make it PHI. According to UC Berkeley Human Research Protection Program guidance and NIH Privacy Rule documentation from 2024, these include patient names; geographic locations, including full address elements such as street address, city, county, and zip code; and all dates directly related to an individual except the year, including birth date, admission date, discharge date, and date of death, as well as exact age if over 89.

Additional identifiers include telephone numbers, facsimile numbers, email addresses, Social Security Numbers, medical record numbers, health insurance beneficiary numbers, account numbers, and certificate or license numbers. The rule also covers vehicle identifiers and serial numbers, device identifiers and serial numbers, URLs, Internet Protocol addresses, biometric identifiers such as fingerprints, voiceprints, and retinal scans, full face photographic images and comparable images, and any other unique identifying number, characteristic, or code.

Examples of Protected Health Information

PHI encompasses a broad range of health-related information when combined with identifying elements. This includes patient prescriptions and medications, medical test results such as lab work, X-rays, and MRI scans, diagnoses and treatment plans, mental health records and therapy notes, billing and payment information, insurance claims, medical device identifiers and implant information, and emergency contact information according to HIPAA Journal documentation on protected health information updated for 2026.

Additional examples include LGBTQ status if it could identify the individual, information about emotional support animals, contact information for family members or support groups, genetic information and DNA profiles, and substance abuse and addiction treatment records.

ePHI Versus PHI

Electronic Protected Health Information (ePHI) represents a subset of PHI that is transmitted or maintained in electronic form. ePHI is subject to the HIPAA Security Rule, requiring specific technical safeguards including encryption, access control, and audit logging. ePHI includes data in electronic health records, databases, email, and cloud storage according to Compliancy Group guidance on understanding PHI from 2024.

PHI in paper or oral form is subject to the HIPAA Privacy Rule, which applies to all forms of protected health information. Paper PHI includes paper medical records and printed billing documents, while oral PHI encompasses verbal communications about patient health status or treatment. All ePHI is PHI, but not all PHI is ePHI.

When Information Becomes PHI

Information becomes PHI only when it is held by or transmitted to a HIPAA-covered entity or business associate. Covered entities include healthcare providers, health plans, and clearinghouses. Business associates are organizations performing regulated services for a covered entity under a written Business Associate Agreement according to Northwestern University IRB guidance on HIPAA, PHI, and PII from 2024.

Non-covered organizations may hold identical information without HIPAA restrictions. A patient's name and medical diagnosis held by a technology company that is not a business associate would not be regulated as PHI, even though the identical information held by a hospital would be protected.

How Does Protected Health Information Differ from Related Concepts?

PHI differs from related data protection concepts in scope, regulatory framework, and access requirements, as shown in the following comparison:

Aspect          | PHI             | ePHI                       | Identifiable Information | De-identified Information
Coverage        | All forms       | Electronic only            | Includes 18+ identifiers | No identifying elements
Rule            | Privacy Rule    | Security Rule              | Subject to HIPAA         | Not subject to HIPAA
Storage         | Any medium      | Electronic systems         | Patient records          | Research datasets
Access Controls | Administrative  | Technical & administrative | Restricted               | Generally unrestricted
Regulation      | 45 CFR §164.500 | 45 CFR §164.300            | All HIPAA rules          | De-identification standards

Source: HIPAA Journal, Considered PHI HIPAA Updated 2026

PHI under the Privacy Rule applies to all forms of health information in any medium, while ePHI under the Security Rule applies only to electronic forms. Identifiable information contains one or more of the 18 enumerated identifiers and is subject to full HIPAA restrictions. De-identified information has had all identifying elements removed and is generally not subject to HIPAA restrictions, allowing broader use for research and analytics.

Why Does Protected Health Information Matter?

PHI protection has become increasingly critical as healthcare data breaches escalate and regulatory enforcement intensifies.

Healthcare Data Breach Trends

Healthcare organizations experience an average of 725 breaches annually according to HHS Office for Civil Rights breach notification data from 2024. The average cost of a healthcare data breach reached $10.93 million in 2024, representing the highest cost across all industry sectors. An estimated 500 billion or more healthcare records exist globally, with the majority being PHI covered by HIPAA according to HIPAA Journal analysis of new HIPAA regulations from 2025-2026.

Patient Sensitivity and Trust

Survey data indicates 87 percent of patients consider their health information highly sensitive according to industry surveys from 2024. Improper handling of PHI directly impacts patient trust in healthcare providers and can influence willingness to share critical health information necessary for effective treatment.

Regulatory Enforcement Activity

Twenty-two enforcement actions in 2024 targeted improper PHI handling, resulting in settlements and civil monetary penalties according to HIPAA Journal analysis from 2025. The HHS Office for Civil Rights has increased focus on PHI protection, particularly for electronic PHI where technical safeguards may be inadequate or improperly implemented.

Compliance Investment Trends

An increasing number of organizations are implementing advanced identity and access management systems for PHI protection, driven by both regulatory requirements and breach prevention economics. The cost of implementing comprehensive PHI protection programs often proves lower than potential breach costs and regulatory penalties.

What Are the Limitations of PHI Protection Standards?

PHI protection faces several challenges in addressing modern data use cases and evolving technology.

Ambiguity in Demographic Data

The Privacy Rule creates edge cases in de-identification by treating ages over 89 and year-only dates differently from other identifiers. Ages up to 89 can be retained in de-identified datasets, but ages over 89 must be aggregated into a single category. Similarly, year-only dates can be retained for individuals under age 90, but any more specific date elements must be removed. These distinctions create complexity in de-identification processes according to HHS Office for Civil Rights de-identification guidance from 2024.

Context Dependency

Information qualifies as PHI only when held by covered entities, creating situations where identical information may be regulated in one context but not another. A patient's diagnosis shared with their employer's wellness program may not be PHI if the employer is not a covered entity or business associate, even though the same diagnosis in the patient's medical record is clearly protected. This context dependency creates confusion about when HIPAA protections apply according to Northwestern University IRB guidance from 2024.

Combination Risk

Information not identifying in isolation can identify individuals when combined with other data elements. The Safe Harbor de-identification method removes all 18 enumerated identifiers but does not comprehensively address situations where remaining information combined with external datasets could re-identify individuals. This combination risk has increased as publicly available datasets and data linkage technologies have proliferated according to HHS Office for Civil Rights de-identification guidance from 2024.

Evolving Technology Challenges

Biometric and genetic identifiers require ongoing updates to PHI standards as technology advances. New forms of biometric authentication, wearable health device data, and genomic information may contain identifying characteristics not contemplated when the original 18 identifiers were established. The Privacy Rule must adapt to address these emerging data types.

Re-identification Risk

Even properly de-identified information can sometimes be re-identified through data linkage attacks that combine multiple datasets. Researchers have demonstrated successful re-identification of supposedly anonymous health data by linking it with voting records, consumer purchase data, or social media profiles. This risk challenges the effectiveness of de-identification as a privacy protection mechanism.

International Variation

HIPAA applies only in the United States, while other jurisdictions including the European Union under GDPR and Canada under PIPEDA have different PHI definitions and requirements. Organizations operating internationally must navigate multiple regulatory frameworks with potentially conflicting requirements for the same data.

How Does Protected Health Information Relate to Compliance Requirements?

PHI protection operates within a comprehensive regulatory framework with specific de-identification standards and enforcement mechanisms.

Regulatory Framework

The statutory basis for PHI protection derives from the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Title II, which addresses administrative simplification and privacy protections. The primary regulation implementing PHI protections appears in 45 CFR §164.500 et seq., known as the Privacy Rule. The Security Rule in 45 CFR §164.300 et seq. applies specifically to electronic PHI. De-identification standards are codified in 45 CFR §164.514, with enforcement authority vested in the HHS Office for Civil Rights.

De-identification Standards

Organizations may use PHI for purposes not restricted by HIPAA if the information is properly de-identified. Two methods are permitted under 45 CFR §164.514.

The Safe Harbor Method requires removal of all 18 enumerated identifiers and no actual knowledge that remaining information could identify the individual. Specific rules apply to zip codes, allowing retention of the first three digits only if the geographic unit has 20,000 or more population. Organizations cannot retain any dates except year, and then only if individual age is under 90 according to HHS Office for Civil Rights guidance on de-identification methods from 2024.

The Expert Determination Method requires a statistical expert to certify that the risk of re-identification is very small. This method provides more flexibility than Safe Harbor but requires documented methodology and certification. Organizations using expert determination must maintain documentation of the expert's qualifications, methodology, and certification.

Re-identification Procedures

Covered entities may assign codes to de-identified information to allow re-identification only if, under 45 CFR §164.514: the code is not derived from or related to information about the subject; the code cannot be translated to identify the individual; the code is not used or disclosed for any other purpose; and the mechanism for re-identification is itself protected as PHI.
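As an added example (not code from the page or from Kinds Security), the following Python applies the Safe Harbor rules above to one record and assigns a re-identification code as described in this section: direct identifiers are dropped, dates are reduced to their year, ages over 89 collapse into a single "90+" category (and for those subjects even the year of related dates is removed), ZIP codes keep their first three digits only when that area's population is 20,000 or more, and the re-identification code is random rather than derived from the subject. The ZIP3 population table, field names, and patient record are constructed sample values.

```python
import secrets
from datetime import date

# Constructed ZIP3 population table (assumed values, not Census figures).
ZIP3_POPULATION = {"021": 650000, "036": 5000}

# Direct identifiers dropped outright; the field names are this example's own.
DIRECT_IDENTIFIERS = {"name", "ssn", "mrn", "phone", "email", "ip_address"}

# Re-identification table, kept apart from released data; it is itself PHI.
REIDENT_TABLE: dict[str, dict] = {}

def age_on(dob: str, as_of: str) -> int:
    """Whole years between two ISO dates."""
    b, a = date.fromisoformat(dob), date.fromisoformat(as_of)
    return a.year - b.year - ((a.month, a.day) < (b.month, b.day))

def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits only if that area has 20,000+ people."""
    zip3 = zip_code[:3]
    return zip3 if ZIP3_POPULATION.get(zip3, 0) >= 20000 else "000"

def safe_harbor(record: dict, as_of: str) -> tuple[dict, str]:
    """Return (de-identified record, random re-identification code)."""
    age = age_on(record["dob"], as_of)
    over_89 = age > 89
    out = {k: v for k, v in record.items()
           if k not in DIRECT_IDENTIFIERS and k not in ("dob", "admission", "zip")}
    # Ages over 89 collapse into one category; for those subjects even the
    # year of related dates is dropped, since the year alone could reveal age.
    out["age"] = "90+" if over_89 else str(age)
    out["admission_year"] = None if over_89 else record["admission"][:4]
    out["zip3"] = generalize_zip(record["zip"])
    # The code is random, so it is not derived from anything about the subject,
    # and the code-to-record mapping stays in the protected table, not the output.
    code = secrets.token_hex(8)
    REIDENT_TABLE[code] = record
    return out, code

# Constructed, fictional sample record.
SAMPLE = {"name": "Jane Doe", "ssn": "000-00-0000", "mrn": "MRN-1",
          "dob": "1931-06-02", "admission": "2024-03-14", "zip": "03601",
          "diagnosis": "E11.9"}

if __name__ == "__main__":
    print(safe_harbor(SAMPLE, "2024-12-01"))
```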

Applicability Criteria

PHI is regulated only when information is held by or transmitted to a HIPAA-covered entity or business associate, the covered entity is a healthcare provider, health plan, or clearinghouse, and any business associate is performing regulated services for a covered entity under a written Business Associate Agreement. Non-covered organizations may hold identical information without HIPAA restrictions, creating potential gaps in protection when data moves outside the regulated healthcare ecosystem.

FAQs

Is my patient's name alone considered PHI?

Not necessarily. A name alone is PHI only if the person is a patient of a HIPAA-covered entity and the name is part of health records or billing information held by that entity. In other contexts such as general contact lists or non-healthcare databases, the name may not be regulated as PHI even if the person has received healthcare services. The key determinant is whether the information is held by a covered entity or business associate in connection with healthcare operations.

Can we use de-identified data without HIPAA restrictions?

Yes. Once information is properly de-identified using either the Safe Harbor method or Expert Determination method under 45 CFR §164.514, it is no longer PHI and can generally be used for any purpose without HIPAA restrictions. Organizations must maintain documentation of the de-identification process and cannot retain mechanisms for re-identification unless those mechanisms are themselves protected as PHI.

What is the difference between PHI and ePHI?

PHI is any health information identifying an individual held by a covered entity, in any form including paper, oral, and electronic. ePHI is specifically electronic PHI and is subject to the HIPAA Security Rule's technical safeguards including encryption, access controls, and audit logging. All ePHI is PHI, but not all PHI is ePHI. Paper medical records and verbal communications about patient health status are PHI but not ePHI.

Are family member contact numbers in a patient record considered PHI?

Yes. Contact information for family members or support groups associated with a patient's health information is considered PHI if the information could be used to identify the patient or relates to their health care. This includes emergency contact information, caregiving contacts, and any family member information maintained in connection with the patient's treatment or billing records.

Does HIPAA apply to my organization if we are not a healthcare provider?

HIPAA applies if you are a covered entity including healthcare providers, health plans, or clearinghouses, or if you are a business associate handling PHI for a covered entity under a written Business Associate Agreement. Organizations that are neither covered entities nor business associates are not subject to HIPAA even if they handle health information. However, other privacy laws may apply depending on the type of information and the organization's location.

© 2026 Kinds Security Inc. All rights reserved.