Key Takeaways

1. PHI Requires Both Health Information and a Personal Identifier: HIPAA only considers data PHI when it includes a health-related element linked to one of the 18 identifiers—otherwise, it may fall outside HIPAA’s scope.

2. Not All Health-Related Data Is PHI: De-identified datasets, aggregated metrics, consumer health app data, employment records, and education records are not considered PHI under HIPAA.

3. ePHI Demands Additional Safeguards Under the Security Rule: Any PHI stored or transmitted electronically requires administrative, technical, and physical controls to reduce cyber and compliance risks.

Protected Health Information (PHI) is the foundation of HIPAA compliance. Yet many organizations—especially those handling data across clinical, operational, and digital environments—struggle to determine exactly what counts as PHI and what does not. Misclassifying data can lead to gaps in safeguards, improper access, and potential HIPAA violations.

This guide breaks down what is PHI for HIPAA, what is not considered PHI under HIPAA, and how covered entities and business associates should protect electronic PHI (ePHI).


What Is PHI for HIPAA?

Under HIPAA, PHI is any individually identifiable health information created, received, stored, or transmitted by a covered entity or business associate. PHI can exist in any format—paper, verbal, or digital (ePHI).

To be PHI, the information must include both:

  • A health-related component (past, present, or future):
    • Diagnosis
    • Treatment information
    • Lab results
    • Medical billing or claims
    • Prescription data
    • Health insurance information
    • Appointment dates
    • Medical device identifiers linked to a patient
  • A personal identifier that ties the health information to an individual.

HIPAA’s 18 Identifiers

HIPAA defines 18 identifiers that make health information individually identifiable, including:

  • Name
  • Address (street address or anything smaller than a state)
  • All elements of dates directly related to an individual (including birth, admission, discharge, and death dates); for individuals aged 89 or younger the year is not itself an identifier, but for individuals over 89 the year counts as an identifier too
  • Phone numbers
  • Fax numbers
  • Email addresses
  • Social Security number
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Website URLs
  • IP addresses
  • Biometric identifiers (fingerprints, voiceprints)
  • Full-face photos or similar images
  • Any other unique identifying number, characteristic, or code

If health information is linked with any of these identifiers, it becomes PHI.

What Is Not Considered PHI Under HIPAA?

Understanding what doesn’t qualify as PHI is just as important for compliant data handling. The following types of information are not considered PHI under HIPAA:

  • De-Identified Data: Information that has been stripped of all 18 identifiers and cannot reasonably be linked back to an individual is not PHI. De-identified data is often used for research, analytics, and population-health modeling.
  • Aggregated and Anonymized Health Data: Metrics like “30% of patients improved after treatment” or “Clinic A processed 10,000 lab samples last month” are not PHI because they do not identify individuals.
  • Employment Records Held by an Employer: Even if they contain health information (e.g., doctor’s notes for leave), employment files are not PHI because they are not maintained by a covered entity in its clinical role.
  • Education Records Covered Under FERPA: Student immunization records or health information maintained by a school nurse fall under FERPA, not HIPAA.
  • Health Information People Share Publicly: If a patient posts about their condition on social media, that information is not PHI until it is handled by a covered entity.
  • Consumer Health Apps That Aren’t Covered Entities: Data from fitness trackers, period-tracking apps, or wellness apps is not PHI unless shared with a covered entity for treatment or payment purposes.
  • Health Information Collected by Non-Healthcare Entities: Information from sources such as gym membership applications, life insurance underwriting files, or employer health screenings (when not part of a group health plan) does not qualify as PHI because it is not handled by a HIPAA-covered entity.
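The two-part test above (a health-related element plus one of the 18 identifiers) and the de-identification rule can be expressed as a small classification routine. The following is an added example, not code from the original article or from IS Partners; the field names and the sample record are constructed, and the patient's age is passed in separately only to apply the page's over-89 date rule.

```python
from datetime import date

# Identifier categories taken from the page's list of HIPAA's 18 identifiers.
# Field names are constructed for this example.
IDENTIFIER_FIELDS = {
    "name", "address", "phone", "fax", "email", "ssn", "mrn",
    "plan_beneficiary_no", "account_no", "license_no", "vehicle_id",
    "device_id", "url", "ip", "biometric", "photo", "other_unique_code",
}
# Date elements related to the individual; a full date is an identifier,
# a year-only string is not (for ages 89 and under).
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
# Health-related components listed on the page.
HEALTH_FIELDS = {"diagnosis", "treatment", "lab_results", "claim",
                 "prescription", "insurance", "appointment_date"}


def generalize_date(d, age):
    """Page's date rule: keep only the year for age <= 89; for age > 89 the
    year is an identifier as well, so the element is dropped (None)."""
    return None if age > 89 else str(d.year)


def has_identifier(record):
    if set(record) & IDENTIFIER_FIELDS:
        return True
    return any(isinstance(record.get(f), date) for f in DATE_FIELDS)


def has_health_info(record):
    return bool(set(record) & HEALTH_FIELDS)


def is_phi(record):
    # Both conditions must hold: health element AND an identifier.
    return has_health_info(record) and has_identifier(record)


def deidentify(record, age):
    """Strip the identifier fields and generalize full dates."""
    out = {}
    for key, value in record.items():
        if key in IDENTIFIER_FIELDS:
            continue
        if key in DATE_FIELDS and isinstance(value, date):
            value = generalize_date(value, age)
            if value is None:
                continue
        out[key] = value
    return out


# Constructed sample record: a diagnosis linked to a name and a full birth date.
SAMPLE = {"name": "Jane Doe", "birth_date": date(1975, 3, 14),
          "diagnosis": "type 2 diabetes"}
```

Running `is_phi(SAMPLE)` returns True, while `is_phi(deidentify(SAMPLE, 50))` returns False because only the diagnosis and the year 1975 remain.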

What Is Electronic PHI (ePHI)?

Electronic PHI (ePHI) is PHI that is created, stored, transmitted, or maintained in digital form. Examples include:

  • Electronic medical record (EMR)/electronic health record (EHR) data
  • Emails containing patient information
  • Text messages or chat logs between providers
  • Digital X-rays or imaging files
  • Cloud-stored patient data
  • Patient scheduling applications
  • Connected medical device data

ePHI introduces heightened risk due to cyber threats, mobile access, and distributed care environments. HIPAA’s Security Rule outlines administrative, technical, and physical safeguards to protect ePHI.

  • Administrative Safeguards:
    • Risk analysis and risk management
    • Workforce training
    • Access management policies
    • Vendor oversight and BAAs
  • Technical Safeguards:
    • Encryption of data at rest and in transit
    • Multi-factor authentication
    • Access controls and least-privilege permissions
    • Audit logs and monitoring
    • Secure configuration of systems and applications
  • Physical Safeguards:
    • Facility security controls
    • Secure workstations and devices
    • Hardware inventory tracking
    • Policies for disposal and media reuse

A comprehensive HIPAA compliance program must include controls across all three categories to effectively protect ePHI.



How IS Partners Helps Organizations Manage PHI and ePHI Risk

Understanding what is—and isn’t—PHI is essential to HIPAA compliance. With clear definitions, proper data classification, and the right safeguards, organizations can reduce regulatory risk and protect patient trust.

IS Partners helps covered entities and business associates build mature HIPAA compliance and cybersecurity programs through:

  • HIPAA gap assessments and risk analyses
  • HIPAA Security Rule assessments
  • Policies and procedures development
  • ePHI configuration reviews
  • Business associate compliance validation
  • Technical safeguard readiness for audits
  • Ongoing compliance monitoring

Our team streamlines HIPAA audits and supports every step of the compliance lifecycle. If you’d like help assessing PHI exposure or strengthening HIPAA compliance, IS Partners can guide your team through a structured, audit-ready approach.

What Should You Do Next?

  1. Conduct a PHI/ePHI Data Classification Review: Identify where PHI and ePHI live across systems, files, vendors, and workflows to ensure proper protections are in place.

  2. Perform or Update Your Annual HIPAA Security Risk Analysis: Engage a QSA or internal assessment team to perform required vulnerability scans, penetration tests, and configuration reviews.

  3. Strengthen Policies, Training, and Vendor Oversight: Update policies and staff training around PHI handling, and confirm all business associates have compliant controls and signed BAAs.
