PHI Definition and 18 HIPAA Identifiers

Industry Solutions
Nov 21, 2024 · 9 min read

Last updated: February 2, 2026

Summary: PHI (protected health information) is individually identifiable health information held or transmitted by a HIPAA covered entity or business associate. Health data becomes PHI when it is linked to identifiers like names, addresses smaller than a state, dates (except year), account numbers, IP addresses, or images. Data can be de-identified under HIPAA using Safe Harbor or Expert Determination.

Safeguarding PHI is not just compliance. It is how healthcare earns trust. Use this guide for a precise PHI definition, HIPAA’s 18 identifiers, quick “is it PHI?” answers, practical examples, de-identification rules, safeguards, and a reference section for builders and compliance teams.


Quick answers

What does PHI stand for in healthcare

In HIPAA context, PHI stands for protected health information.

What is PHI

PHI is individually identifiable health information created, received, maintained, or transmitted by a HIPAA covered entity or its business associate.

What makes something PHI

Health information becomes PHI when it is linked to a person through identifiers like name, address smaller than a state, dates (except year), account numbers, device identifiers, IP address, or full-face photos.

What are the 18 HIPAA identifiers

HIPAA lists 18 identifiers used in the Safe Harbor de-identification method. If any of these identifiers are linked to health information in a covered entity or business associate context, treat the data as PHI.

Is de-identified data still PHI

Not if you meet HIPAA’s de-identification standard using Safe Harbor or Expert Determination.


What is PHI

Definition: Protected health information (PHI) is individually identifiable health information that relates to a person’s past, present, or future physical or mental health or condition, the provision of health care, or payment for health care, when created, received, maintained, or transmitted by a HIPAA covered entity or its business associate.

Official sources: HHS overview · 45 CFR 160.103

Practical rule: If it is about health, care, or payment and it can identify the person directly or indirectly, treat it as PHI.


Who HIPAA applies to

HIPAA’s Privacy Rule and Security Rule apply to:

  • Covered entities (certain health care providers, health plans, and clearinghouses)
  • Business associates (vendors and subcontractors that create, receive, maintain, or transmit PHI on behalf of a covered entity)

If an organization is neither a covered entity nor a business associate, HIPAA typically does not apply to that organization’s data. Other privacy laws may still apply depending on the data and jurisdiction.


HIPAA’s 18 identifiers

HIPAA’s Safe Harbor method says data is de-identified only if you remove all 18 identifiers and have no actual knowledge the remaining information could identify the individual.

Official sources: HHS de-identification guidance · 45 CFR 164.514

  1. Names
  2. Geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code)
  3. All elements of dates (except year) directly related to an individual (birth date, admission date, discharge date, date of death); all ages over 89, and any date elements (including year) that would reveal such an age, must be aggregated into a single category of “90 or older”
  4. Telephone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate or license numbers
  12. Vehicle identifiers and serial numbers, including license plates
  13. Device identifiers and serial numbers
  14. Web URLs
  15. IP address numbers
  16. Biometric identifiers (fingerprints, voiceprints)
  17. Full-face photos and comparable images
  18. Any other unique identifying number, characteristic, or code (except a permitted re-identification code under HIPAA)

ZIP code Safe Harbor rule: You can keep only the first three digits of a ZIP code if the geographic unit (formed by combining all ZIP codes with those three initial digits) has more than 20,000 people. Otherwise, replace it with 000.


Is it PHI quick answers

  • ZIP code: it can be an identifier. A ZIP code is a geographic subdivision smaller than a state (identifier 2) when linked to health information. For de-identification, only the first three digits may be kept, and only when the 3-digit area has more than 20,000 people; otherwise use 000.
  • IP address: it can be PHI when linked to health interactions. IP addresses are identifier 15 under Safe Harbor. Treat them as PHI when they are connected to an individual’s health care, appointment intent, portal use, or similar interactions in a covered entity or business associate context. See HHS OCR tracking technologies guidance.
  • Claim number or account number: yes. Account numbers are identifier 10; a claim number is a unique identifying number under identifier 18.
  • Diagnosis, labs, imaging: yes, when identifiable. Health information linked to an individual is PHI in a covered entity or business associate setting.
  • De-identified data: no, if HIPAA de-identification is satisfied. Not PHI when Safe Harbor or Expert Determination is properly met and documented.

PHI examples

Healthcare operations

  • Treatment plan with a patient name, date of birth, diagnosis, and medication list
  • Discharge summary with dates of service and provider details tied to a person
  • Imaging file that includes identifiers in metadata (MRN, accession number)

Insurance and billing

  • Explanation of Benefits (EOB) showing procedures linked to a patient
  • Claims records with subscriber ID, account number, or authorization IDs tied to services

Technology contexts

  • Patient portal logs with usernames, device identifiers, or IP addresses tied to appointments
  • Telehealth recordings or transcripts linked to a patient profile
  • Support tickets that include identifiable clinical or billing details



PHI vs ePHI vs PII vs EHR

  • PHI: identifiable health information in any form (paper, oral, electronic). HIPAA scope: yes, when held by a covered entity or business associate.
  • ePHI: PHI in electronic form. HIPAA scope: yes; the Security Rule’s technical safeguards apply specifically to ePHI.
  • PII: data that identifies a person, not necessarily health-related. HIPAA scope: only if it is also PHI in a covered entity or business associate context.
  • EHR: a digital medical record system that often contains PHI. HIPAA scope: the PHI inside it is regulated; the software itself is not.

De-identification methods

HIPAA recognizes two lawful methods to de-identify PHI:

  1. Safe Harbor: Remove all 18 identifiers and have no actual knowledge the remaining information could identify the person. Apply the ZIP code and 90+ age rules. HHS guidance · 45 CFR 164.514(b)(2)
  2. Expert Determination: A qualified expert applies accepted statistical or scientific methods and documents that re-identification risk is very small. 45 CFR 164.514(b)(1)

Safe Harbor examples

  • PHI: “Jane Doe, 10/12/1981, MRI of left knee, MRN 12345.” De-identified: “Patient born 1981, MRI of left knee.” Name and MRN are removed; the birth year may stay because the patient is under 90.
  • PHI: “ZIP 02138, visit 03/15/2025, IP 203.0.113.7.” De-identified: “ZIP prefix 021, visit in 2025.” The IP address is removed, the visit date is reduced to its year, and the three-digit ZIP prefix is kept only because the 021 area has more than 20,000 people. A named metro area would not work as a substitute, since it is itself a geographic subdivision smaller than a state.
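The two rows above, and the ZIP code rule from the identifier list, are mechanical enough to encode. The following is an added example written for this article, not Tadabase platform code: it applies the Safe Harbor field rules (drop direct identifiers, reduce dates to year, collapse ages over 89, truncate ZIP codes) to a structured record. The field names in the sample record and the LOW_POPULATION_ZIP3 set are assumptions; the prefix set is meant to mirror the census-based list cited in HHS guidance and must be refreshed from current data before real use.

```python
"""Safe Harbor de-identification helpers for structured records.

Added example written for this article; it is not Tadabase platform code.
Field names (name, mrn, dob, zip, visit_date, ip, procedure) are assumed
for the sample record, and LOW_POPULATION_ZIP3 is an assumed placeholder.
"""
from __future__ import annotations

import re
from datetime import date

# Three-digit ZIP prefixes whose combined population is 20,000 or fewer.
# Assumption: this mirrors the 2000-Census-based list cited in HHS guidance.
# It must be refreshed from current Census data before production use.
LOW_POPULATION_ZIP3 = frozenset({
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
})

# Fields that are direct identifiers (names, MRNs, IPs, etc.) and are dropped.
DIRECT_IDENTIFIER_FIELDS = frozenset({"name", "mrn", "ip", "phone", "email", "ssn"})


def safe_harbor_zip(zip_code: str) -> str:
    """Keep the first three digits only when the 3-digit area has more than
    20,000 people; otherwise return '000'. Malformed input also maps to '000'."""
    digits = re.sub(r"\D", "", zip_code)
    if len(digits) < 5:
        return "000"
    prefix = digits[:3]
    return "000" if prefix in LOW_POPULATION_ZIP3 else prefix


def age_on(birth: date, as_of: date) -> int:
    """Completed years of age on as_of."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def safe_harbor_birth_year(birth: date, as_of: date) -> str:
    """The birth year may stay, but anyone over 89 collapses to '90 or older'
    (the year itself would reveal the age, so it is dropped too)."""
    if age_on(birth, as_of) > 89:
        return "90 or older"
    return str(birth.year)


def safe_harbor_date(d: date) -> str:
    """All date elements except the year are removed."""
    return str(d.year)


def deidentify_record(record: dict, as_of: date) -> dict:
    """Apply the Safe Harbor rules field by field. Unknown fields are passed
    through unchanged, so free-text notes still need separate scrubbing."""
    out: dict = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key == "dob":
            out["birth_year"] = safe_harbor_birth_year(value, as_of)
        elif key.endswith("_date"):
            out[key[: -len("_date")] + "_year"] = safe_harbor_date(value)
        elif key == "zip":
            out["zip3"] = safe_harbor_zip(value)
        else:
            out[key] = value  # clinical content is not itself an identifier
    return out


if __name__ == "__main__":
    # Constructed sample matching the first example row above.
    sample = {
        "name": "Jane Doe", "dob": date(1981, 10, 12), "mrn": "12345",
        "procedure": "MRI of left knee", "zip": "02138",
        "visit_date": date(2025, 3, 15), "ip": "203.0.113.7",
    }
    print(deidentify_record(sample, as_of=date(2026, 2, 2)))
```

Two caveats matter in practice. Safe Harbor also requires no actual knowledge that the remaining data could identify the person, which no function can check for you, and anything that passes through untouched (procedure names, free-text notes) can still carry names or dates in the text itself and needs its own scrubbing pass.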

What is not PHI

Common edge cases where HIPAA does not treat information as PHI:

  • Employment records held by a covered entity in its role as employer (HR files)
  • Education records covered by FERPA (certain student records)
  • Consumer health apps that are not covered entities or business associates (other privacy laws may apply)
  • Data properly de-identified using Safe Harbor or Expert Determination

Simple test: Is a covered entity or business associate creating, receiving, maintaining, or transmitting the information, and is it linked to a person and related to health, care, or payment?


How to safeguard PHI

  1. Risk analysis and risk management: Identify threats to confidentiality, integrity, and availability of ePHI; review regularly and whenever major systems, vendors, or workflows change.
  2. Access controls: Least privilege, role-based permissions, administrative controls, and periodic access reviews.
  3. Audit controls: Log access and changes. Make logs searchable and exportable for audits and incident response.
  4. Encryption and transmission security: Encrypt in transit and at rest. Clarify key management responsibilities.
  5. Authentication: Require strong passwords and MFA for staff and administrators.
  6. Workforce training: Train on privacy, phishing, and incident reporting. Repeat and document training.
  7. Vendor management: Execute BAAs where required and validate vendor controls for your use case.
  8. Incident response: Test response workflows and notification steps at least annually.
  9. Web and mobile tracking technologies: Map pixels, SDKs, and logs. Limit to necessary signals and avoid collecting or sharing PHI. Review HHS OCR guidance and monitor updates.
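Step 9 asks for an inventory of pixels and SDKs on patient-facing pages. The following is an added example written for this article, not Tadabase platform code: it parses a page, lists every script, image and iframe source, marks which ones leave the first-party domain, and reports which query parameters would be sent to each third party. The sample HTML, the KNOWN_TRACKERS hosts and the SENSITIVE_PARAMS names are constructed assumptions.

```python
"""Tracking-technology inventory for a patient-facing web page.

Added example written for this article; it is not Tadabase platform code.
The HTML, the KNOWN_TRACKERS set and the SENSITIVE_PARAMS names are
constructed assumptions for illustration.
"""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed page: a first-party script, a third-party analytics tag, a
# third-party pixel whose query string carries appointment intent, and a
# first-party booking iframe.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-analytics.com/tag.js?id=UA-1"></script>
</head><body>
<img src="https://px.example-ads.net/pixel.gif?page=schedule&appt_type=oncology" width="1" height="1">
<iframe src="https://portal.clinic.example/booking"></iframe>
</body></html>
"""

# Assumed inventory of vendors already known to the privacy team.
KNOWN_TRACKERS = frozenset({"cdn.example-analytics.com", "px.example-ads.net"})
# Assumed query parameters that would tie a request to a person's care or intent.
SENSITIVE_PARAMS = frozenset({"appt_type", "provider", "condition", "mrn", "email"})

TRACKED_TAGS = ("script", "img", "iframe")


class AssetCollector(HTMLParser):
    """Collect (tag, src) pairs for script, img and iframe elements."""

    def __init__(self) -> None:
        super().__init__()
        self.assets: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag in TRACKED_TAGS:
            src = dict(attrs).get("src")
            if src:
                self.assets.append((tag, src))


def inventory(html: str, first_party_host: str) -> list[dict]:
    """One record per loaded asset: its host, whether it is third party,
    whether the host is already on the known-tracker list, and which
    sensitive parameters its URL would send to that host."""
    collector = AssetCollector()
    collector.feed(html)
    report = []
    for tag, src in collector.assets:
        parsed = urlparse(src)
        host = parsed.netloc or first_party_host  # relative URLs are first party
        sensitive = sorted(set(parse_qs(parsed.query)) & SENSITIVE_PARAMS)
        report.append({
            "tag": tag,
            "host": host,
            "third_party": host != first_party_host,
            "known_tracker": host in KNOWN_TRACKERS,
            "sensitive_params": sensitive,
        })
    return report


def third_party_leaks(html: str, first_party_host: str) -> list[dict]:
    """Assets that both leave the first-party domain and carry sensitive
    parameters: the combination the OCR tracking guidance is concerned with."""
    return [r for r in inventory(html, first_party_host)
            if r["third_party"] and r["sensitive_params"]]


if __name__ == "__main__":
    for row in inventory(SAMPLE_HTML, "portal.clinic.example"):
        print(row)
```

A static scan like this only sees what is in the served HTML. Tags injected at runtime by a tag manager, and the request bodies and cookies a script sends after it loads, need a browser-side capture (a HAR file or proxy log) reviewed the same way.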

Operational checklist

  • Risk analysis: annually and on major changes. Document threats, controls, and remediation.
  • Access review: quarterly. Remove excess privileges and stale accounts.
  • Audit log review: monthly. Alert on anomalous access and exports.
  • Vendor BAA review: annually. Verify data flows and subcontractors.
  • Incident response test: annually. Tabletop exercise plus communication templates.
  • Tracking tech inventory: quarterly. Pixels, SDKs, logs, and data-sharing review.
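The audit-control step above and the monthly log review in this checklist both come down to the same question: which access events deserve a human look. The following is an added example written for this article, not Tadabase platform code. It reads a constructed access log and raises three findings a reviewer typically wants first: an export by a role that may view but not export, access outside business hours, and one user opening more distinct records than the threshold allows. The log format, the ROLES table and the thresholds are assumptions.

```python
"""Audit-log review: flag anomalous PHI access and exports.

Added example written for this article; it is not Tadabase platform code.
The log format, the ROLES table, the thresholds and the log lines below are
constructed assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed access log: one event per line, ISO timestamp then key=value pairs.
SAMPLE_LOG = """\
2026-02-02T09:01:10Z user=nurse.kim action=view mrn=10001 src=10.20.1.14
2026-02-02T09:02:41Z user=nurse.kim action=view mrn=10002 src=10.20.1.14
2026-02-02T09:05:03Z user=billing.ray action=view mrn=10001 src=10.20.2.8
2026-02-02T09:06:15Z user=billing.ray action=export mrn=* count=4200 src=10.20.2.8
2026-02-02T23:40:59Z user=dr.patel action=view mrn=10001 src=203.0.113.7
2026-02-02T09:10:00Z user=nurse.kim action=view mrn=10003 src=10.20.1.14
2026-02-02T09:10:20Z user=nurse.kim action=view mrn=10004 src=10.20.1.14
2026-02-02T09:10:40Z user=nurse.kim action=view mrn=10005 src=10.20.1.14
2026-02-02T09:11:00Z user=nurse.kim action=view mrn=10006 src=10.20.1.14
"""

# Assumed role table; in practice this comes from the identity provider.
ROLES = {"nurse.kim": "clinical", "billing.ray": "billing", "dr.patel": "clinical"}
EXPORT_ALLOWED_ROLES = frozenset({"records_admin"})  # viewing is not exporting
MAX_DISTINCT_RECORDS = 5           # distinct MRNs one user may open in the window
BUSINESS_HOURS_UTC = range(7, 20)  # 07:00-19:59 UTC; tune to the clinic

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_line(line: str) -> dict | None:
    """Turn one log line into a dict; returns None for blank or malformed lines."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    fields = dict(pair.split("=", 1) for pair in match.group("kv").split())
    stamp = datetime.strptime(match.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    fields["ts"] = stamp.replace(tzinfo=timezone.utc)
    return fields


def find_anomalies(log_text: str) -> list[tuple[str, str, str]]:
    """Return (finding, user, timestamp) triples in log order:
    - unauthorized_export: an export by a role not allowed to export
    - after_hours_access: any access outside business hours
    - record_volume: a user crossing MAX_DISTINCT_RECORDS distinct MRNs"""
    findings = []
    distinct_mrns: dict[str, set[str]] = defaultdict(set)
    for event in filter(None, map(parse_line, log_text.splitlines())):
        user, action = event["user"], event["action"]
        when = event["ts"].isoformat()
        role = ROLES.get(user, "unknown")
        if action == "export" and role not in EXPORT_ALLOWED_ROLES:
            findings.append(("unauthorized_export", user, when))
        if event["ts"].hour not in BUSINESS_HOURS_UTC:
            findings.append(("after_hours_access", user, when))
        mrn = event.get("mrn", "*")
        if action == "view" and mrn != "*":
            distinct_mrns[user].add(mrn)
            # Fire once, at the moment the threshold is crossed.
            if len(distinct_mrns[user]) == MAX_DISTINCT_RECORDS + 1:
                findings.append(("record_volume", user, when))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_LOG):
        print(*finding)
```

The thresholds are deliberately simple so the logic is auditable; a real deployment baselines per role (a triage nurse legitimately opens more records than a billing clerk) and adds the source address to the rules, since the after-hours view from 203.0.113.7 in the sample is also the only access from outside the clinic network.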

Notes for software and workflow builders

Many HIPAA failures happen in the workflows around care, not in the “compliance binder.” If you are building or buying tools that touch PHI, focus on enforceable access controls, auditability, and clean data flows.

  • Role-based permissions so users only see what they should
  • Audit trails for access, exports, and changes
  • Least privilege admin controls and fast offboarding
  • Secure integrations so PHI is not copied into non-HIPAA tools
  • Vendor readiness including BAAs where required

Important: HIPAA compliance is shared responsibility. A platform can provide technical controls and, where applicable, a BAA, but you still need policies, training, and a real risk analysis for your environment.



Frequently asked questions

What is PHI in HIPAA

Individually identifiable health information held by a covered entity or business associate that relates to health, care, or payment.

What are the 18 HIPAA identifiers

They include names, geographic subdivisions smaller than a state, dates (except year), phone numbers, email addresses, MRNs, account numbers, URLs, IP addresses, biometrics, full-face photos, and more. See 45 CFR 164.514.

Is an IP address PHI

IP addresses are on the Safe Harbor identifier list. In a covered entity or business associate context, treat IP addresses linked to health-related interactions conservatively. See HHS OCR guidance.

What is not PHI

Data that is properly de-identified using Safe Harbor or Expert Determination is not PHI under HIPAA. Employment records held by a covered entity as an employer are also not PHI.

What is the difference between PHI and ePHI

PHI is protected health information in any form. ePHI is PHI in electronic form.


Conclusion

PHI is simple to define and easy to mishandle. Use the 18 identifiers as your fast checklist, then design workflows around least-privilege access, encryption, audit logs, vendor BAAs, and incident readiness. When you handle PHI at scale, the winning move is to build systems where people only see what they need and every access path is auditable.


Written by
Sariva Sherman