What is considered PHI under HIPAA? A practical guide to protected health information
What is PHI under HIPAA?
Protected health information (PHI) is at the center of HIPAA. If you cannot reliably identify what counts as PHI in your systems, you cannot implement appropriate safeguards, honor patient rights, or respond correctly to breaches.
Under HIPAA (45 CFR 160.103), PHI is individually identifiable health information that a covered entity or business associate transmits or maintains in any form or medium. That includes information about an individual's past, present, or future physical or mental health condition, the provision of healthcare, or payment for healthcare, when it identifies the individual or there is a reasonable basis to believe it could be used to identify them.
This guide covers:
- The HIPAA definition of PHI and how identifiers work
- Differences between PHI, PII, and electronic PHI (ePHI)
- Practical examples across clinical, billing, and healthtech workflows
- When data falls outside PHI scope (and what that means operationally)
Related guides:
- What is HIPAA compliance? A complete guide
- Preparing for HIPAA compliance: An 8-step HIPAA compliance checklist
- HIPAA regulations and rules explained
- HIPAA collection hub

Key takeaways
- PHI requires both health context and identifiability. A diagnosis alone may not be PHI if it cannot be linked to an individual.
- HIPAA's Safe Harbor standard lists 18 identifiers; health information that carries any of them (or is otherwise reasonably linkable to a person) is PHI.
- ePHI is PHI in electronic form and triggers Security Rule safeguards beyond Privacy Rule requirements.
- De-identification is a defined process, not an informal decision to "remove names."
- Start with a PHI inventory mapping systems, integrations, and support channels where identifiers appear.
The 18 HIPAA identifiers explained
The Safe Harbor de-identification standard (45 CFR 164.514(b)(2)) lists 18 identifier categories, covering the individual and the individual's relatives, employers, and household members. Health information that carries any of them is individually identifiable and therefore PHI:
| # | Identifier | Common locations |
|---|---|---|
| 1 | Names | EHR, scheduling, billing |
| 2 | Geographic subdivisions smaller than a state (street, city, county, precinct, ZIP); the first three ZIP digits may remain only if that ZIP3 area has more than 20,000 people | Addresses, ZIP codes, geocodes |
| 3 | All date elements except year directly related to the individual, plus all ages over 89 and any date element indicative of such an age | DOB, admission/discharge dates, date of death |
| 4 | Telephone numbers | CRM, call logs, SMS reminders |
| 5 | Fax numbers | Legacy fax workflows |
| 6 | Email addresses | Patient portals, marketing lists |
| 7 | Social Security numbers | Billing, eligibility |
| 8 | Medical record numbers | EHR, lab systems |
| 9 | Health plan beneficiary numbers | Payer integrations |
| 10 | Account numbers | Billing systems |
| 11 | Certificate/license numbers | Provider credentialing |
| 12 | Vehicle identifiers | Rare in clinical data; possible in accident cases |
| 13 | Device identifiers/serial numbers | Implant registries, connected devices |
| 14 | Web URLs | Patient-specific portal links |
| 15 | IP addresses | Web analytics tied to individuals |
| 16 | Biometric identifiers, including finger and voice prints | Fingerprints, retinal scans, voice authentication |
| 17 | Full-face photographs and any comparable images | Clinical imaging, ID verification |
| 18 | Any other unique identifying number, characteristic, or code | Custom IDs, study codes with keys |
If health information includes any of these identifiers (or could reasonably be re-identified), treat it as PHI unless a valid de-identification or limited data set framework applies.
PHI vs. PII vs. ePHI
These terms overlap but are not interchangeable:
- PII (personally identifiable information): a broad concept used across privacy laws and security frameworks. Not all PII is PHI.
- PHI: health information plus identifiers, in the context of HIPAA-covered entities and business associates.
- ePHI: PHI that is created, stored, or transmitted electronically. The Security Rule focuses on ePHI safeguards.
| Data example | PII? | PHI? | ePHI? |
|---|---|---|---|
| Patient name in EHR | Yes | Yes | Yes |
| Employee SSN in HR system (no health context) | Yes | No | No |
| Monthly visit counts aggregated across many patients (no small cells) | No | No | No |
| Lab result linked to MRN | Yes | Yes | Yes |
| De-identified dataset per HIPAA Safe Harbor | No | No | No |
When scoping HIPAA programs, map ePHI flows specifically—encryption, access control, audit logging, and backup requirements attach to electronic PHI.
Common PHI examples in healthcare workflows
PHI appears in more places than clinical charts. Teams often underestimate exposure in:
Clinical and care delivery
- Progress notes, diagnoses, medications, allergies
- Imaging reports and pathology results
- Telehealth session metadata tied to patients
- Care plans and referral letters
Administrative and billing
- Claims data with patient identifiers
- Eligibility and prior authorization records
- Payment receipts showing services rendered
- Collections correspondence referencing treatment
Healthtech and SaaS platforms
- Patient engagement apps with account profiles
- Remote monitoring feeds linked to individuals
- Support tickets containing patient details
- Analytics pipelines that join clinical events to user IDs
Communications
- Appointment reminder texts with patient names
- Misdirected emails with attachments
- Voicemail transcripts stored in cloud systems
- Slack or Teams messages referencing cases (an easy place for PHI to spread beyond the systems you actually control)
Each example requires Privacy Rule guardrails and, when electronic, Security Rule safeguards.
When health information is not PHI
Not all health-related data in your company is PHI. Common situations where HIPAA may not apply include:
- Employment records held by a covered entity in its capacity as an employer, education records covered by FERPA, and records of individuals who have been deceased for more than 50 years (all excluded from the definition; consult counsel when health data mixes with HR records)
- Health information without identifiers that meets HIPAA de-identification standards
- Data handled by organizations outside HIPAA scope that are neither covered entities nor business associates (though other laws may apply)
Caution: "We removed the name" is not sufficient de-identification unless you follow HIPAA's Safe Harbor or Expert Determination methods. Partial redaction often leaves re-identification risk.
De-identification and limited data sets
HIPAA recognizes two de-identification methods (45 CFR 164.514(b)); data de-identified by either one is no longer PHI. A third construct, the limited data set, strips most identifiers but remains PHI:
Safe Harbor method
Remove all 18 identifiers (of the individual and of the individual's relatives, employers, and household members) and have no actual knowledge that the remaining information, alone or combined with other information, could identify an individual.
Expert Determination method
A person with appropriate knowledge of generally accepted statistical and scientific methods determines that the risk of re-identification by an anticipated recipient is very small, and documents the methods and results of that analysis.
Limited data sets
A limited data set removes 16 direct identifiers (names; postal address other than city, state, and ZIP; phone and fax numbers; email; SSN; MRN; health plan and account numbers; license, vehicle, and device identifiers; URLs; IP addresses; biometrics; full-face photos) but may keep dates, ages, city, state, and ZIP code. It is still PHI: it may be used or disclosed only for research, public health, or health care operations, and only under a data use agreement with the recipient.
Document which method you use, who approved it, and how downstream recipients are contractually bound.
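The Safe Harbor and limited-data-set rules above are mechanical enough to encode, and doing so exposes the two edge cases that "just remove the name" scripts miss: the three-digit ZIP prefixes that must become 000, and the collapse of ages over 89 into a single bucket with the birth year removed. The block below is an added example, not code from this article or from SecureSlate, that applies both transforms to one constructed record. The field names, the PASSTHROUGH allow-list, the sample record and the as-of date are assumptions; the restricted ZIP3 list is the 2000-census list from HHS de-identification guidance and should be verified against current data before use.

```python
"""Safe Harbor vs. limited-data-set transforms for one flat patient record.

Added example, not code from the original article. The field names, the
sample record and the as-of date are constructed for illustration.
"""
from __future__ import annotations

import re
from datetime import date

# The 16 direct identifiers a limited data set must exclude
# (45 CFR 164.514(e)(2)). Safe Harbor removes all of these too.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo",
}
# Quasi-identifiers: a limited data set may keep them; Safe Harbor may not.
DATE_FIELDS = {"dob", "admission_date", "discharge_date"}
SUBSTATE_GEO = {"city", "county", "zip"}
# Fields passed through untouched (assumed allow-list). Anything not classified
# in one of these sets is treated as identifier 18 ("any other unique
# identifying number, characteristic, or code") and dropped by Safe Harbor.
PASSTHROUGH = {"state", "sex", "diagnosis", "medications"}

# Three-digit ZIP prefixes whose population was 20,000 or fewer in the 2000
# census, as listed in HHS de-identification guidance; Safe Harbor requires
# these to become 000. Assumption: verify against current census data.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}


def safe_harbor_zip3(zip_code: str) -> str:
    """Keep only the first three ZIP digits, or 000 for a restricted prefix."""
    z3 = re.sub(r"\D", "", zip_code)[:3]
    return "000" if len(z3) < 3 or z3 in RESTRICTED_ZIP3 else z3


def age_on(dob: date, as_of: date) -> int:
    """Completed years between dob and as_of."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def unclassified_fields(record: dict) -> list[str]:
    """Fields matching no category. Safe Harbor drops them, but a person
    should decide whether they are really identifiers or clinical data."""
    known = DIRECT_IDENTIFIERS | DATE_FIELDS | SUBSTATE_GEO | PASSTHROUGH
    return sorted(k for k in record if k not in known)


def safe_harbor(record: dict, as_of: date) -> dict:
    """Apply the Safe Harbor removals of 45 CFR 164.514(b)(2)."""
    out: dict = {}
    for field, value in record.items():
        if field in PASSTHROUGH:
            out[field] = value
        elif field == "zip":
            out["zip3"] = safe_harbor_zip3(value)
        elif field == "dob":
            born = date.fromisoformat(value)
            age = age_on(born, as_of)
            if age > 89:
                # Ages over 89 collapse into one bucket, and every date element
                # indicative of that age, including the birth year, is removed.
                out["age"] = "90+"
            else:
                out["age"] = str(age)
                out["birth_year"] = born.year  # year is the only permitted element
        elif field in DATE_FIELDS:
            out[field.replace("_date", "_year")] = date.fromisoformat(value).year
        # Direct identifiers, sub-state geography and unclassified fields: dropped.
    return out


def limited_data_set(record: dict) -> dict:
    """Remove only the 16 direct identifiers. Dates, city, state and ZIP stay,
    so the result is still PHI and may leave only under a data use agreement."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


SAMPLE_RECORD = {  # constructed sample, not real data
    "name": "Jane Q. Sample",
    "street_address": "12 Elm St",
    "city": "Anytown", "state": "VT", "zip": "05905",
    "dob": "1931-03-15",
    "admission_date": "2024-02-10",
    "mrn": "MRN-0099123",
    "email": "jane@example.com",
    "ip_address": "203.0.113.7",
    "diagnosis": "Type 2 diabetes mellitus",
    "study_code": "STUDY-7742",  # unclassified: flagged, dropped by Safe Harbor
}
AS_OF = date(2024, 2, 10)

if __name__ == "__main__":
    print("Safe Harbor      :", safe_harbor(SAMPLE_RECORD, AS_OF))
    print("Limited data set :", limited_data_set(SAMPLE_RECORD))
    print("Needs review     :", unclassified_fields(SAMPLE_RECORD))
```

Two design points are worth copying into a real pipeline. First, fields that match no category are reported by unclassified_fields and dropped by safe_harbor rather than passed through: that is the same default-deny posture identifier 18 demands, and it forces someone to classify a new column such as study_code before it leaks. Second, the limited-data-set output is deliberately still identifiable (full ZIP, full dates), which is exactly why it remains PHI and needs a data use agreement.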
How to classify PHI in your organization
Use this practical workflow to build a reliable PHI inventory:
- List systems that create, receive, maintain, or transmit health information
- Interview owners about integrations, exports, backups, and support access
- Tag data elements using the 18 identifiers as a checklist
- Mark ePHI flows requiring Security Rule controls
- Record permitted uses (treatment, payment, operations) vs. those requiring authorization
- Review at least quarterly, and whenever new products, vendors, or AI features launch
Pair the inventory with a data flow diagram showing where PHI enters, moves, and exits your environment. Risk analysis becomes far more accurate once this map exists.
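Step three of the workflow (tag data elements against the identifier checklist) is where the unstructured sources from the communications section, such as support tickets, chat messages and web logs, usually get missed. The block below is an added example, not code from this article or from SecureSlate, that scans constructed sample texts for the identifiers that are pattern-matchable (dates, phone numbers, email, SSN, MRN, URL, IP), checks for health context, and applies the "identifier plus health context" test from the key takeaways. The regexes, the health keyword list, the MRN format, the system_handles_phi flag and the sample texts are assumptions; names (identifier 1) need a dictionary or NER pass and are not detected here.

```python
"""Tag HIPAA identifiers and health context in free-text artefacts such as
support tickets, chat messages and web logs.

Added example, not code from the original article. The regexes, the health
keyword list and the sample texts are constructed assumptions; names
(identifier 1) need a dictionary or NER pass and are not detected here.
"""
import re

# Patterns keyed by the Safe Harbor identifier number they approximate.
IDENTIFIER_PATTERNS = {
    "3 date": re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{2,4})\b"),
    "4 telephone": re.compile(r"(?<!\w)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "6 email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "7 ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "8 mrn": re.compile(r"\bMRN[-: ]?\d{5,}\b", re.IGNORECASE),  # assumed MRN format
    "14 url": re.compile(r"https?://\S+"),
    "15 ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}
# Words that signal a health condition, care delivery or payment for care.
HEALTH_TERMS = re.compile(
    r"\b(diagnos\w*|prescri\w*|lab results?|a1c|insulin|medication\w*|therapy|"
    r"appointment|visit|discharge\w*|admitted|claim\w*|copay)\b", re.IGNORECASE)


def scan(text: str, system_handles_phi: bool = False) -> dict:
    """Return the identifiers found, whether health context is present, and
    whether the text should be treated as PHI.

    system_handles_phi covers the case where the line itself carries no
    clinical words but the system is one whose records are about patients
    (a results portal's access log, for example): identifiers there are still
    linked to health information, so the line is PHI.
    """
    identifiers = {}
    for label, pattern in IDENTIFIER_PATTERNS.items():
        hits = sorted({m.group(0) for m in pattern.finditer(text)})
        if hits:
            identifiers[label] = hits
    health_context = HEALTH_TERMS.search(text) is not None
    return {
        "identifiers": identifiers,
        "health_context": health_context,
        "treat_as_phi": bool(identifiers) and (health_context or system_handles_phi),
    }


SAMPLES = {  # constructed texts; not real tickets, logs or messages
    "support_ticket": "Patient MRN-0099123 (jane@example.com) says her lab result "
                      "from 2024-02-10 is missing from the portal.",
    "portal_access_log": '203.0.113.7 - - [10/Feb/2024:09:12:44 +0000] '
                         '"GET /portal/results HTTP/1.1" 200 5123',
    "hr_chat": "Payroll fixed, SSN on file is 123-45-6789, call 555-123-4567 "
               "if it bounces again.",
    "clinical_chat": "Can someone check why insulin dosing for the 3pm "
                     "appointment looks wrong?",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        result = scan(text, system_handles_phi=(label == "portal_access_log"))
        print(f"{label:18} phi={result['treat_as_phi']!s:5} "
              f"health={result['health_context']!s:5} {result['identifiers']}")
```

The four samples exercise the four quadrants of the test: identifiers with health context (the ticket, PHI), identifiers without health words in a system that is nonetheless about patients (the portal log, PHI only once system_handles_phi is set, which is the FAQ point about IP addresses), identifiers with no health context at all (the HR chat, PII but not PHI), and health context with no detectable identifier (the clinical chat, which would become PHI the moment a name is added, so treat a "no identifiers" result as "no pattern-matchable identifiers" rather than a clean bill).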
Make PHI classification easier with SecureSlate
PHI scope expands silently as teams add integrations, analytics, and AI features. SecureSlate helps you maintain clarity as systems change.
SecureSlate helps teams:
- Document PHI and ePHI inventories with owners and review cadences
- Link controls and evidence to specific systems and data flows
- Track vendor BAAs and subprocessors that touch identifiable health data
- Run recurring access reviews and policy workflows tied to HIPAA requirements
Get started for free to keep PHI classification current—not stale.
FAQ
Is an email address alone considered PHI?
An email address can be an identifier. If it is linked to health information (for example, a diagnosis in the same record), it is PHI. Context matters.
Are IP addresses PHI?
Yes when linked to health information. IP addresses are identifier 15 on the Safe Harbor list; if web or application logs tie them to individual patients' activity (for example, sessions on a results portal), those logs contain PHI and need ePHI controls.
Does PHI include mental health and substance use records?
Yes, when individually identifiable. Some categories carry additional protections beyond baseline HIPAA rules, such as 42 CFR Part 2 for substance use disorder treatment records and stricter state laws for mental health records.
What is the difference between anonymized and de-identified data under HIPAA?
HIPAA uses "de-identified" with specific legal methods. Informal anonymization without those methods may still be PHI if re-identification is reasonably possible.
Do business associates need to classify PHI the same way as covered entities?
Yes. Business associates must protect PHI they create, receive, maintain, or transmit on behalf of covered entities, which requires understanding what qualifies as PHI in their environment.
Disclaimer (legal note)
SecureSlate is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to HIPAA and related regulations, you should consult a licensed attorney.
