What exactly is considered PHI according to HIPAA?

What exactly is considered PHI according to HIPAA?What exactly is considered PHI according to HIPAA?
Rebecca KappelRebecca Kappel Staff asked 2 months ago

1 Answers
Rebecca KappelRebecca Kappel Staff answered 2 months ago

Protected Health Information (PHI)

Protected Health Information (PHI) under HIPAA encompasses individually identifiable health information transmitted or maintained by covered entities under HIPAA or business associates. PHI HIPAA protection includes any data on an individual’s past, present, or future physical or mental health condition, healthcare provision, or payment for healthcare services. Examples range from diagnoses, treatment information, and medical test results to insurance policy details and claims information.

What isn’t PHI? 

Certain scenarios exist where health-related data, despite being personally identifiable, aren’t classified as PHI under HIPAA. For instance, research studies may utilize health-related information containing personal identifiers such as names or addresses. Still, if such data aren’t associated with healthcare service events or entered into medical records, they’re categorized as “research health information” (RHI) exempt from HIPAA regulations. Notably, other human subjects protection regulations still apply to such data.

Examples of RHI

Examples of research utilizing only RHI include aggregated (non-individual) data, diagnostic tests without results entered into medical records or disclosed to subjects, and testing without PHI identifiers. Specific genetic basic research, such as identifying potential genetic markers, may also fall into this category. However, genetic testing for known diseases, integral to diagnosis, treatment, and healthcare, constitutes PHI and is thus subject to HIPAA.

The 18 HIPAA Patient Identifiers

Additionally, it’s essential to understand the 18 identifiers specified by HIPAA, which render it HIPAA-protected health information.


  1. Names
  2. All geographical subdivisions smaller than a State, such as street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code under specific conditions outlined by the Bureau of the Census
  3. All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89, as well as any elements of dates indicative of such age, except when aggregated into a single category of age 90 or older
  4. Phone numbers
  5. Fax numbers
  6. Electronic mail addresses
  7. Social Security numbers
  8. Medical record number
  9. Health plan beneficiary numbers
  10. Account number
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web Universal Resource Locators (URLs)
  15. Internet Protocol (IP) address number
  16. Biometric identifiers, including finger and voice prints
  17. Full-face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code, excluding the unique code assigned by the investigator to code the data

Real-Life-Illustration of PHI

Consider a scenario where a healthcare provider, Dr. Smith, treats a patient, Sarah. During a routine check-up, Sarah mentions her recent diabetes diagnosis. Dr. Smith records this information in Sarah’s medical file.

In this scenario:

  • “Diabetes diagnosis” is health information.
  • “Sarah has been diagnosed with diabetes” is individually identifiable health information.
  • If Dr. Smith’s office records “Sarah has been diagnosed with diabetes,” both the identifier (“Sarah”) and the health information (“diabetes diagnosis”) are considered protected health information under HIPAA.

Related Content

AI Auditing

AI Auditing

What is an AI Audit? AI audits determine whether an AI system and its supporting algorithms…
Data Exfiltration

Data Exfiltration

What Is Data Exfiltration? Data exfiltration is the unauthorized removal or moving of data from or…
Data Sovereignty

Data Sovereignty

What is Data Sovereignty? Data sovereignty asserts that digital data is subject to the laws of…
Skip to content