Overview —

What Counts as PHI Under HIPAA?

PHI includes any identifiable health info—names, records, photos—requiring safeguards under HIPAA and related standards.

Share this article

Contents

No headings found on page

Understanding Protected Health Information (PHI)

A patient's name, by itself, is not PHI. It only becomes PHI once it sits alongside health, treatment, or payment information in the same designated record set, held by a covered entity or business associate. This combination test — health information plus an identifier plus covered custody — is the actual definition, and it matters more than any list of data types, because a list alone makes PHI sound broader or narrower than it actually is depending on context.

The Combination, Not the List

PHI is individually identifiable health information: information relating to an individual's past, present, or future physical or mental health, the provision of healthcare, or payment for healthcare — that's identifiable, meaning it includes or can be combined with other information to identify a specific person — created, received, maintained, or transmitted by a covered entity or business associate. Drop any one piece of that and it's not PHI: health information with no identifier attached isn't PHI; an identifier with no health information attached isn't PHI; health information and an identifier held by an organization that isn't a covered entity or business associate isn't PHI under HIPAA (though it may be protected by other laws).

The 18 Identifiers

These identifiers are technically defined in the context of de-identification (45 CFR §164.514) — they're what has to be removed for data to qualify as de-identified under the Safe Harbor method — but in practice, they function as the working list of what makes health information identifiable in the first place:

  1. Names

  2. Geographic subdivisions smaller than a state (street address, city, county, precinct, zip code — with a specific exception: the first three digits of a zip code may be kept if the combined population of all zip codes sharing those digits exceeds 20,000; otherwise those digits must be changed to 000)

  3. All elements of dates more specific than year, for dates directly related to an individual (birth date, admission date, discharge date, date of death) — with ages over 89 and their associated dates requiring removal entirely, replaceable only with "90 or older"

  4. Phone numbers

  5. Fax numbers

  6. Email addresses

  7. Social Security numbers

  8. Medical record numbers

  9. Health plan beneficiary numbers

  10. Account numbers

  11. Certificate or license numbers

  12. Vehicle identifiers and serial numbers

  13. Device identifiers and serial numbers

  14. URLs

  15. IP addresses

  16. Biometric identifiers, including fingerprints and voiceprints

  17. Full-face photographs and comparable images

  18. Any other unique identifying number, characteristic, or code

These apply not just to the patient but to the patient's relatives, employers, and household members named in the same record.

Identifiers Most People Don't Expect

Two items on this list surprise people most often, and they're worth flagging directly because they're increasingly relevant to digital health products: IP addresses (#15) and device identifiers (#13). A patient portal's server logs that pair an IP address with health information constitute ePHI — which is exactly why analytics tools, advertising pixels, and third-party scripts embedded in patient-facing applications need careful evaluation, since they can inadvertently create PHI through this combination without anyone intending it. Similarly, a medical device's serial number, paired with a billing record and a manufacturer's registry, can identify a specific patient even without a name attached.

The Designated Record Set

PHI's full scope is also shaped by the concept of a designated record set — the group of medical and billing records a covered entity maintains and actually uses to make decisions about an individual. An individual generally has access and amendment rights specifically to information within their designated record set, not to every piece of data an organization happens to hold about them in some other context. A single individual can have multiple designated record sets across different providers or departments, each potentially subject to different access controls under the minimum necessary standard.

What Falls Outside PHI

A few categories are explicitly outside PHI's scope, several of which are covered in more depth in What HIPAA Doesn't Cover: Understanding HIPAA Exceptions:

  • Properly de-identified data, under either the Safe Harbor or Expert Determination method

  • Employment records held by a covered entity in its role as employer, not as healthcare provider

  • Education records governed by FERPA

  • Health information held by non-covered entities — a fitness app's data isn't PHI unless the app itself is a covered entity or business associate

  • Information about individuals deceased for more than 50 years

PHI in Every Form

The definition applies regardless of medium — electronic, paper, or spoken aloud. This matters specifically because the Security Rule's technical safeguards apply only to electronic PHI; paper records and verbal disclosures remain governed by the Privacy Rule's access, disclosure, and retention requirements, but not by the Security Rule's encryption and access-control mechanics. A compliance program built entirely around securing electronic systems while treating paper records and verbal practices as an afterthought addresses only part of what the Privacy Rule actually requires.

Why This Definition Has to Come First

Every other page in this cluster — risk assessment scope, minimum necessary determinations, breach risk assessment, BAA coverage — depends on correctly identifying what counts as PHI in a given system or process. Getting this combination test wrong in either direction creates real problems: treating non-PHI as PHI adds unnecessary compliance overhead to data that doesn't need it, while missing a genuine combination (an IP address quietly paired with health data in a log file nobody thought to classify) creates an actual, unaddressed compliance gap.

For how this definition determines whether your organization is even covered by HIPAA in the first place, see Who Must Comply with HIPAA?

In the Spotlight

Start your HIPAA compliance journey with DSALTA's complete checklist.

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive health information. Any organization handling protected health information (PHI)— from hospitals to SaaS vendors serving healthcare—must comply.

HIPAA compliance may feel overwhelming, but with DSALTA®’s automation, you can reduce manual work, continuously monitor safeguards, and stay prepared for audits. This checklist outlines the essential steps to meet HIPAA requirements.

Read more about HIPAA compliance with DSALTA.

Stop losing deals to compliance.

Get compliant. Keep building.

Join 100s of startups who got audit-ready in days, not months.