What Is PHI? Definition and 18 HIPAA Identifiers

Industry Solutions
Nov 21, 2024, 5 min read

Summary: PHI is individually identifiable health information held or transmitted by a HIPAA covered entity or business associate. When health data is linked to identifiers like names, addresses smaller than a state, dates, account numbers, IPs, or images, it’s PHI. Data can be de-identified via Safe Harbor or Expert Determination.

Safeguarding PHI isn’t just compliance; it’s how healthcare earns trust. This guide provides a precise definition, HIPAA’s 18 identifiers, quick “is it PHI?” answers, examples, de-identification rules, safeguards, and an expanded reference section for builders and compliance teams.

Introduction

Protected Health Information (PHI) sits at the center of HIPAA’s Privacy and Security Rules. It enables care coordination, claims, and analytics, yet it also carries risk if mishandled. Use this page as your practical reference: what counts as PHI, how to de-identify, and the controls that keep PHI safe.

What is PHI?

Definition: Protected Health Information (PHI) is individually identifiable health information that relates to a person’s past, present, or future health, care, or payment for care, when created, received, maintained, or transmitted by a HIPAA covered entity or its business associate. HHS overview • 45 CFR 160.103

Scope: HIPAA applies to covered entities (certain providers, health plans, clearinghouses) and their business associates. If an organization is neither, HIPAA does not apply, though state consumer health privacy laws (e.g., in WA and CA) may govern certain data flows. HHS covered entities & BAs

HIPAA’s 18 identifiers (Safe Harbor)

When these identifiers are linked to health information, the data is PHI. Removing all 18 can qualify data as de-identified under Safe Harbor. HHS de-identification • 45 CFR 164.514(b)(2) (Safe Harbor) • 164.514(b)(1) (Expert Determination).

  1. Names
  2. Geographic subdivisions smaller than a state (street, city, county, precinct, ZIP). Rule: Only the first three ZIP digits may remain if the 3-digit area has >20,000 people; otherwise use 000.
  3. All elements of dates (except year) related to an individual; ages over 89 must be aggregated to “90 or older.”
  4. Telephone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plates
  13. Device identifiers and serial numbers
  14. Web URLs
  15. IP addresses
  16. Biometric identifiers (e.g., fingerprints, voiceprints)
  17. Full-face photos and comparable images
  18. Any other unique identifying number, characteristic, or code (except a permitted re-ID code)

Is it PHI? Quick answers

Item | Answer | Why
ZIP code | Yes, with an exception | Only the first three ZIP digits may remain if the 3-digit area has >20,000 people; else 000. HHS
IP address | Usually yes | In a CE/BA context when linked to health info or patient portal/app activity. See OCR’s tracking-tech bulletin; litigation on unauthenticated pages exists, so stay conservative. OCR
Claim or account number | Yes | Explicit Safe Harbor identifier. 45 CFR 164.514
Diagnosis, labs, imaging | Yes, when identifiable | Individually identifiable health info. HHS
De-identified data | No | Out of HIPAA scope if Safe Harbor or Expert Determination is satisfied. HHS

PHI examples

Healthcare operations

  • Treatment plan with name, date of birth, diagnosis, and medications
  • MRI file with embedded medical record number metadata
  • Discharge summary with dates of service and provider details

Insurance and billing

  • Explanation of Benefits showing procedures, patient name, and plan ID
  • Claim records including account numbers tied to services

Technology contexts

  • Patient portal logs with usernames and IP addresses associated with appointments
  • Telehealth recordings or transcripts linked to a patient profile

See Tadabase Healthcare solutions and our HIPAA workflow case study.

PHI vs ePHI vs PII vs EHR

Term | What it is | HIPAA scope
PHI | Identifiable health info in any form (paper, oral, electronic) | Yes
ePHI | PHI in electronic form | Yes
PII | Data that identifies a person but may not be health-related | Only if it is PHI
EHR | Digital medical chart that typically contains PHI | PHI inside EHR is regulated

HIPAA applies to covered entities and business associates. Others are outside HIPAA, though state consumer health privacy laws may apply. HHS

De-identification: two lawful methods

  1. Safe Harbor: Remove all 18 identifiers and have no actual knowledge that remaining information could identify the individual. Apply the ZIP and 90+ age rules. HHS • 45 CFR 164.514(b)(2)
  2. Expert Determination: A qualified expert applies accepted statistical/scientific methods and documents that re-identification risk is very small. HHS • 45 CFR 164.514(b)(1)

De-identification examples (Safe Harbor)

PHI | De-identified
“Jane Doe, 10/12/1981, MRI of left knee, MRN 12345.” | “Adult patient, MRI of left knee.”
“ZIP 02138, visit 03/15/2025, IP 203.0.113.7.” | “Metro Boston area, March 2025 (year only).”
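As an added illustration (not code from the original article), the Python below applies the Safe Harbor rules from the 18-identifier list to a constructed record like the one in the table: ZIP truncation with the 20,000-population rule, year-only dates, the “90 or older” age bucket, and dropping the direct identifiers outright. The Record fields and the LOW_POPULATION_ZIP3 set are assumptions for the example; the set must be populated from the Census-based list referenced in HHS guidance before real use.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed placeholder set of 3-digit ZIP prefixes whose area has 20,000
# or fewer people; Safe Harbor requires these to become "000". Replace with
# the current list derived from Census data as described in HHS guidance.
LOW_POPULATION_ZIP3 = {"036", "059", "102"}

@dataclass(frozen=True)
class Record:
    """One clinical record as it might sit in a CE/BA system (constructed)."""
    name: Optional[str]
    birth_date: Optional[date]
    zip_code: Optional[str]
    ip_address: Optional[str]
    mrn: Optional[str]
    finding: str  # the health information itself, e.g. "MRI of left knee"

def safe_harbor_zip(zip_code: str, low_pop: set = LOW_POPULATION_ZIP3) -> str:
    """Keep only the first three digits, or "000" for low-population areas."""
    prefix = zip_code.strip()[:3]
    return "000" if prefix in low_pop else prefix

def age_on(birth_date: date, as_of: date) -> int:
    """Completed years between birth_date and as_of."""
    had_birthday = (as_of.month, as_of.day) >= (birth_date.month, birth_date.day)
    return as_of.year - birth_date.year - (0 if had_birthday else 1)

def safe_harbor_age(birth_date: date, as_of: date) -> str:
    """Ages over 89 are aggregated into a single "90 or older" category."""
    age = age_on(birth_date, as_of)
    return "90 or older" if age > 89 else str(age)

def de_identify(rec: Record, as_of: date) -> dict:
    """Build a Safe Harbor output: direct identifiers are dropped, ZIP and
    dates are generalised, and only the year of birth survives. For patients
    over 89 even the birth year is withheld, since it would reveal the age."""
    out = {"finding": rec.finding}
    if rec.zip_code:
        out["zip3"] = safe_harbor_zip(rec.zip_code)
    if rec.birth_date:
        age = safe_harbor_age(rec.birth_date, as_of)
        out["age"] = age
        out["birth_year"] = None if age == "90 or older" else rec.birth_date.year
    # name, ip_address and mrn are never copied: they are Safe Harbor identifiers
    return out
```

Calling de_identify on the table’s “Jane Doe” record with an as-of date of 03/15/2025 yields only the finding, ZIP3 021, birth year 1981 and age 43; a second pass that verifies no identifier keys remain is a cheap release gate.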

What’s not PHI under HIPAA (common edge cases)

  • Employment records held by a covered entity in its role as employer (e.g., HR files)
  • Education records covered by FERPA (student health records at schools)
  • Consumer health apps that are not covered entities or BAs (state privacy laws may still apply)
  • Life/Disability/Workers’ comp records outside covered-entity workflows

When in doubt: Is a CE or BA creating/receiving the data, and is it linked to health, care, or payment?

How to safeguard PHI

  1. Risk analysis and management: Identify threats to the confidentiality, integrity, and availability of ePHI; update at least annually or on major change. 45 CFR 164.308(a)(1)(ii)(A)
  2. Access controls: Role-based access, least privilege, routine reviews; log and audit
  3. Encryption & transmission security: Encrypt ePHI at rest and in transit
  4. Authentication & 2FA: Strong authentication on all PHI systems
  5. Workforce training: Train on privacy, phishing, incident reporting
  6. Vendor management: Business Associate Agreements and control verification. HHS BA guidance
  7. Incident response: Prepare notification workflows; test yearly. (HIPAA breach notification: 45 CFR 164.400–414.)
  8. Web & mobile tracking tech: Map pixels/SDKs/logs. Limit to necessary signals. OCR’s bulletin stands; a 2024 court vacated portions for unauthenticated pages. Keep a conservative stance and monitor updates. OCR bulletin • Reuters

About penalties:

OCR uses a tiered, fact-specific penalty framework updated periodically. Review current enforcement highlights rather than fixed historical dollar tables.

Checklist

Task | Frequency | Notes
Risk analysis | Annually + major changes | Document threats and remediation
Encryption validation | Quarterly | At rest + in transit; key rotation
Access review | Quarterly | Remove excess privileges
Vendor BAA review | Annually | Verify controls and data flows
Audit log review | Monthly | Alerts for anomalous access
IR playbook test | Annually | Tabletop + comms templates
Tracking tech inventory | Quarterly | Pixels/SDKs/logs risk check

How Tadabase helps

Use Tadabase to enforce role-based permissions, audit trails, and workflow automation that minimize manual handling of PHI. Configure least-privilege roles, field-level visibility, and comprehensive logging to support HIPAA alignment.

Frequently Asked Questions

What is PHI in HIPAA?

Individually identifiable health information held or transmitted by a covered entity or business associate that relates to health, care, or payment. HHS

What are the 18 HIPAA identifiers?

See the list above. They include names, addresses smaller than a state, all elements of dates (except year), account numbers, URLs, IPs, biometric identifiers, full-face photos, and more. 45 CFR 164.514

Is an IP address PHI?

When collected by/for a CE/BA and linked to health info or patient interactions, treat IPs as identifiers. Track OCR and court updates. OCR

What is not PHI?

Data de-identified via Safe Harbor or Expert Determination. HHS

Who is covered by HIPAA?

Covered entities and their business associates. If neither applies, HIPAA does not. HHS

Conclusion

PHI is simple to define yet easy to mishandle. Use the 18-identifier checklist. Remove or protect identifiers. Keep controls tight—access, encryption, logging, vendor BAAs, and incident readiness. If you handle PHI at scale, configure least-privilege roles and audit trails in Tadabase to reduce risk and manual errors.

Written by Sariva Sherman
