Protected Health Information (PHI): Everything You Need to Know about HIPAA and PHI

PHI, or protected health information, is any data in a medical record that can be used to identify a person and that was created, used, or disclosed while a patient was receiving a diagnosis or treatment.

In other words, PHI is information in medical records, including records of treatment discussions between doctors and nurses, that can be used to identify a specific person.

Billing information and other patient-identifiable data stored in a health insurance company’s computer system are also considered to be part of PHI.

HIPAA (the Health Insurance Portability and Accountability Act) defines protected health information as the category of patient information that is covered by the statute.

To be in compliance with the law, eHealth apps that gather, store, or share PHI must adhere to HIPAA compliance requirements.

Protected Health Information Includes

All individually identifiable health information, such as demographic data, medical histories, test results, insurance information, and any other information used to identify a patient or to provide healthcare services or healthcare coverage, falls under the category of protected health information. “Protected” means that the data is covered by the HIPAA Privacy Rule.

Health records are included in the definition of “protected health information” in the Code of Federal Regulations, but education records, which are covered by other federal laws, are not. Neither are records that are held by a HIPAA-covered entity and are associated with that entity’s capacity as an employer.

Protected health information does not include information that a covered entity holds about an employee in its capacity as an employer; it includes only information kept on the employee in the entity’s capacity as a healthcare provider.

Individually identifiable health information about people who have been deceased for more than 50 years is not included in PHI.

Examples of PHI include:

Any date (other than a year) directly related to an individual, such as date of birth, hospital admission or discharge date, date of death, or exact age if the individual is above 89.

Telephone number.

Fax number.

Email address.

Social Security number.

Medical record number.

Health plan beneficiary number.

Account number.

Certificate/license number.

Vehicle identifiers, serial numbers, or license plate numbers.

Device identifiers or serial numbers.

Web URLs.

IP address.

Biometric identifiers such as fingerprints or voice prints.

Full-face photos.

Any other unique identifying numbers, characteristics, or codes.
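As an added illustration that is not part of the original article, the following Python script flags and redacts the identifier categories from the list above that have a recognisable textual shape (dates other than a bare year, ages above 89, phone or fax numbers, email addresses, Social Security numbers, web URLs, and IP addresses). The patient note it scans is constructed sample data.

```python
import re

# Constructed, hypothetical patient note used as sample input; it contains no real data.
SAMPLE_NOTE = (
    "Patient (age 92) admitted 2024-03-14, discharged 03/20/2024. "
    "Contact: (555) 123-4567, jane.doe@example.com, SSN 123-45-6789. "
    "Portal: https://portal.example.org/chart/77, last login from 203.0.113.9. "
    "Follow-up scheduled in 2025."
)

# Identifier categories from the list above that have a recognisable textual shape.
# Names, addresses, record and account numbers have no fixed shape and need a
# dictionary or schema-based check rather than a regex.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"\(?\b\d{3}\)?[ .-]\d{3}[ .-]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://[^\s,;]+"),
    # A full date (month and day present) is an identifier; a bare year is not.
    "date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{4}\b"),
    # Only an exact age above 89 counts; lower ages are left in place.
    "age_over_89": re.compile(r"\b(?:age|aged)\s+(\d{1,3})\b", re.IGNORECASE),
}

def _is_identifier(category, match):
    if category == "age_over_89":
        return int(match.group(1)) > 89
    return True

def find_identifiers(text):
    """Return [(category, matched_text), ...] for every identifier found in text."""
    return [
        (category, m.group(0))
        for category, pattern in PATTERNS.items()
        for m in pattern.finditer(text)
        if _is_identifier(category, m)
    ]

def redact(text):
    """Replace each detected identifier with a [CATEGORY] token, keeping bare years."""
    for category, pattern in PATTERNS.items():
        text = pattern.sub(
            lambda m, c=category: f"[{c.upper()}]" if _is_identifier(c, m) else m.group(0),
            text,
        )
    return text

if __name__ == "__main__":
    print(find_identifiers(SAMPLE_NOTE))
    print(redact(SAMPLE_NOTE))
```

A hit from this scan is a reason to handle the record as PHI, not proof that what remains is de-identified: names, addresses, and record or account numbers have to be handled at the schema level.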