What is Protected Health Information (PHI)?

PHI stands for Protected Health Information. 

PHI is protected under the Health Insurance Portability and Accountability Act (HIPAA), and includes any health data created, transmitted, or stored by a HIPAA-covered entity and its business associates. It includes electronic records (ePHI), written records, lab results, x-rays, bills — even verbal conversations that include personally identifying information. 

PHI is protected by the HIPAA Privacy Rule, which requires covered entities and their business associates to establish safeguards to maintain the security and confidentiality of protected health information. 

The US Department of Health and Human Services (HHS) defines 18 key identifiers that determine whether the information is classified as PHI:

  • Names
  • Identifying geographic information, including addresses or ZIP codes
  • Dates (except for the year) that relate to birth, death, admission, or discharge
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate numbers
  • Vehicle identifiers, such as license plates or VINs
  • Device identifiers and serial numbers
  • Web addresses
  • IP addresses
  • Biometric data such as fingerprints or retina scans
  • Full face images
  • Any other information that could potentially identify an individual, including for current and planned medical situations like prognoses, treatment or rehabilitation plans, or mental health evaluations
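The identifier list above is the usual starting point for a data-loss-prevention or de-identification check on records a covered entity or business associate handles. As an added example that is not part of the original page, the Python below scans a constructed clinical note for the pattern-shaped identifiers in that list (dates, phone and fax numbers, email addresses, social security numbers, medical record numbers, ZIP codes, web addresses, IP addresses) and redacts them, keeping only the year of each date as the list permits. The regular expressions, category names and sample values are assumptions of this example, not HHS definitions; identifiers without a fixed syntax (names, biometrics, face images, free-text prognoses or treatment plans) need dictionary- or model-based detection and are out of scope here.

```python
import re

# Constructed sample clinical note. Every value is invented for this example.
SAMPLE_NOTE = """Patient: Jane Q. Example, DOB 03/14/1985, admitted 2023-11-02.
Contact: jane.example@example.com, phone (555) 010-2345, fax 555-010-9876.
SSN 123-45-6789, MRN 00487213, home 12 Elm St, Springfield, ZIP 62704.
Portal login from 192.0.2.44 at https://portal.example.org/visit/8812.
Assessment: prognosis good; rehabilitation plan to follow."""

# One pattern per identifier category that has a recognisable shape.
# These regexes are simplified assumptions for the example, not an official
# or exhaustive definition of the HHS categories. Order matters for
# redaction: email and URL go first so their digits are not re-matched.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "url": re.compile(r"https?://\S+?(?=[.,;]?(?:\s|$))"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}-)\d{3}-\d{4}\b"),
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b"),
    "medical_record_number": re.compile(r"\bMRN\s*\d+\b"),
    "zip_code": re.compile(r"\bZIP\s*\d{5}\b"),
}


def scan(text):
    """Return {category: [matched strings]} for every identifier found."""
    hits = {}
    for category, pattern in PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[category] = found
    return hits


def contains_phi(text):
    """True if any pattern-shaped identifier is present."""
    return bool(scan(text))


def _year_only(match):
    """Replace a date with a token that keeps only the year, since the
    identifier list excludes the year from the date elements."""
    text = match.group(0)
    year = text[:4] if "-" in text else text[-4:]
    return f"[DATE:{year}]"


def redact(text):
    """Return a copy of text with identifiers replaced by category tokens."""
    out = text
    for category, pattern in PATTERNS.items():
        if category == "date":
            out = pattern.sub(_year_only, out)
        else:
            out = pattern.sub(f"[{category.upper()}]", out)
    return out


if __name__ == "__main__":
    for category, values in scan(SAMPLE_NOTE).items():
        print(f"{category:22s} {values}")
    print()
    print(redact(SAMPLE_NOTE))
```

Note that the patient name on the first line survives redaction; that is the gap a regex-only scanner leaves, and the reason production de-identification pipelines pair patterns like these with name dictionaries or a trained entity recogniser before data leaves the covered environment.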