In 2023, OCR settled with a dental practice for $350,000 after an investigation revealed the organization had disclosed patient records without authorization — in part because staff couldn't accurately identify what qualified as protected health information. The case underscored a fundamental gap: if your workforce doesn't know what PHI actually is, every other safeguard you build is compromised. So under HIPAA law what is the best description of PHI, and why does getting this definition right matter so much to your compliance program?
Under HIPAA Law What Is the Best Description of PHI: The Regulatory Answer
The definitions section of the HIPAA regulations, 45 CFR § 160.103, defines protected health information as individually identifiable health information that is transmitted or maintained in any form or medium, whether electronic, paper, or oral. (The Security Rule's phrase "creates, receives, maintains, or transmits" at § 164.306 describes the same information once it is electronic.) The definition carves out three categories that are not PHI: education records covered by FERPA, employment records a covered entity holds in its role as employer, and records of individuals who have been deceased for more than 50 years.
That definition has three essential components. First, the information must relate to a person's past, present, or future physical or mental health condition, the provision of health care to the person, or payment for that care. Second, it must identify the individual, or provide a reasonable basis to believe it can be used to identify the individual. Third, it must be created or received by a health care provider, health plan, employer, or health care clearinghouse and be held by a covered entity or its business associate. The same data in the hands of an organization with no covered-entity relationship, such as a consumer wellness app the user chose on their own, is not PHI under HIPAA, however sensitive it is.
If any one of those three elements is missing, the data does not meet the regulatory definition of PHI. A hospital's aggregate infection rate statistics, stripped of all identifiers, are not PHI. But the moment you can link a diagnosis to a specific patient, you've crossed the line.
The 18 Identifiers That Transform Health Data into PHI
The Privacy Rule's Safe Harbor provision at 45 CFR § 164.514(b)(2)(i) lists 18 identifiers of the individual, or of the individual's relatives, employers, or household members, that must all be absent before health information counts as de-identified; the presence of any one of them alongside health information is enough to make a record PHI. Healthcare organizations consistently underestimate how broad this list is. It includes:
- Names
- All geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code), except the first three digits of a ZIP code when the area sharing those three digits contains more than 20,000 people; for smaller areas the prefix is replaced with 000
- All elements of dates (except year) directly related to an individual, including birth, admission, discharge, and death dates; all ages over 89, and any date elements (including year) that would reveal such an age, must be aggregated into a single category of 90 or older
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate or license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers, including fingerprints and voiceprints
- Full-face photographs and any comparable images
- Any other unique identifying number, characteristic, or code (other than a re-identification code that meets the conditions of § 164.514(c))
If your organization removes all 18 identifiers following the Safe Harbor method under 45 CFR § 164.514(b)(2), and has no actual knowledge that the remaining information could be used alone or in combination with other information to identify the individual, the data is de-identified and no longer subject to the Privacy Rule. (The alternative route is a documented expert determination under § 164.514(b)(1).) But partial de-identification is not de-identification: a record with the name redacted but the birth date, ZIP code, and medical record number intact is still PHI, and OCR has pursued enforcement actions where organizations mistakenly believed redacting a name alone was sufficient.
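To make the Safe Harbor rules concrete, here is an added example (written for this page, not code from HIPAA Certify or any regulator) that scrubs one structured patient record. The field names describe a hypothetical export and are assumptions; the restricted three-digit ZIP list is the one HHS guidance derived from the 2000 Census and would need refreshing in practice. The part worth noticing is the last rule: when free-text notes still match an identifier pattern, the function refuses rather than returning a half-scrubbed record.

```python
"""Safe Harbor de-identification of one structured patient record.

Added example, not from the page. Field names are assumptions about a
hypothetical export; the rules follow 45 CFR 164.514(b)(2).
"""
import re
from datetime import date

# Fields that are direct identifiers under Safe Harbor: removed outright.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "beneficiary_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip", "biometric", "photo",
}
# Dates directly related to the individual: only the year may survive.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "date_of_death"}
# 3-digit ZIP areas with 20,000 or fewer residents (HHS guidance, 2000
# Census). Assumption: this set must be refreshed against current data.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}
# Patterns that signal a residual identifier inside free text.
LEAK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


class ResidualIdentifierError(ValueError):
    """Free text still contains something that looks like an identifier."""


def zip_to_safe_harbor(zip_code):
    """Return the 3-digit ZIP prefix, or 000 where the area is restricted."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    return "000" if len(prefix) < 3 or prefix in RESTRICTED_ZIP3 else prefix


def age_on(dob, reference):
    """Whole years between dob and the reference date."""
    years = reference.year - dob.year
    if (reference.month, reference.day) < (dob.month, dob.day):
        years -= 1
    return years


def scan_free_text(text):
    """Return the names of the leak patterns that match the text."""
    return sorted(name for name, pat in LEAK_PATTERNS.items() if pat.search(text))


def safe_harbor(record, reference=None):
    """Return a new dict meeting the Safe Harbor identifier rules, or raise."""
    reference = reference or date.today()
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or value is None:
            continue                          # drop the identifier entirely
        if key in DATE_FIELDS:
            out[key + "_year"] = value.year   # month and day are removed
        elif key == "zip":
            out["zip3"] = zip_to_safe_harbor(value)
        elif key == "notes":
            leaks = scan_free_text(value)
            if leaks:                         # never emit a half-scrubbed record
                raise ResidualIdentifierError(f"notes still contain {leaks}")
            out[key] = value
        else:
            out[key] = value                  # clinical data is not an identifier
    dob = record.get("dob")
    if dob is not None:
        age = age_on(dob, reference)
        if age >= 90:                         # birth year would reveal age > 89
            out["age"] = "90+"
            out.pop("dob_year", None)
        else:
            out["age"] = age
    return out


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Example", "mrn": "MRN-0042", "ssn": "123-45-6789",
    "dob": date(1932, 4, 15), "zip": "03601", "state": "NH",
    "admission_date": date(2023, 11, 3), "diagnosis_code": "E11.9",
    "notes": "Reports fatigue; follow-up scheduled.",
}


def demo(reference=date(2024, 1, 1)):
    """Scrub the sample and exercise the refusal path; returns (record, refused)."""
    scrubbed = safe_harbor(SAMPLE_RECORD, reference)
    leaky = dict(SAMPLE_RECORD, notes="Spouse reachable at 603-555-0100.")
    try:
        safe_harbor(leaky, reference)
        refused = False
    except ResidualIdentifierError:
        refused = True
    return scrubbed, refused
```

Running `demo()` yields a record holding only the state, the admission year, the diagnosis code, the notes, a `zip3` of `000` (03601 sits in a restricted area), and an age of `90+` with the birth year removed, while the copy whose notes contain a phone number is rejected. The regex scan of free text is a tripwire, not a guarantee: narrative fields routinely carry names, employers, and dates in forms no pattern catches, so de-identifying them at scale usually needs human review or the expert determination route rather than a Safe Harbor claim.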
Why the "Any Form or Medium" Language Changes Everything
In my work with covered entities, I find that many compliance officers focus almost exclusively on electronic protected health information (ePHI) because the Security Rule at 45 CFR Part 164, Subparts A and C, sets technical safeguards for digital data. But the Privacy Rule's definition of PHI explicitly covers oral and paper formats as well.
A nurse discussing a patient's diagnosis within earshot of a waiting room is handling PHI. A printed lab result left on a shared printer is PHI. A voicemail from a specialist referencing a patient's condition is PHI. Your organization must account for every medium in its risk analysis and workforce training — not just what sits inside your EHR.
PHI vs. Health Information vs. PII: Clearing Up the Confusion
Health information that cannot be linked to an individual is not PHI. Personally identifiable information (PII) that has no health component — like a mailing list of gym members — is not PHI either. PHI exists only at the intersection: health-related data that identifies or could identify a specific person, held by a covered entity or business associate.
This distinction matters for the minimum necessary standard under 45 CFR § 164.502(b). Your organization must limit its uses, disclosures, and requests of PHI to the minimum needed for the purpose at hand, with a short list of exceptions (disclosures to the individual, disclosures to a health care provider for treatment, uses and disclosures made under a valid authorization, and those required by law). If staff can't distinguish PHI from general information, they cannot apply this standard correctly.
What Happens When Your Workforce Gets the Definition Wrong
OCR's enforcement history shows a pattern: HIPAA violations often begin with employees who don't recognize PHI when they see it. Misdirected faxes, improper disposal of paper records, casual conversations in public areas — each of these becomes a potential breach when staff lack a clear, operational understanding of what PHI includes.
Between 2003 and 2024, OCR secured over $142 million in HIPAA enforcement settlements and civil monetary penalties. Many of those cases trace back to failures in basic workforce awareness. Under 45 CFR § 164.530(b), covered entities are required to train all workforce members on the policies and procedures for PHI, as necessary and appropriate for their roles, and that training must be more than a checkbox exercise.
Investing in comprehensive HIPAA training and certification ensures every member of your workforce can identify PHI in all its forms and apply the Privacy Rule's requirements in daily operations.
Practical Steps to Reinforce the PHI Definition Across Your Organization
Start by auditing where PHI exists — not just in your EHR, but in email systems, paper files, voicemail, mobile devices, and third-party platforms. Map every location where individually identifiable health information is created, received, maintained, or transmitted.
Next, update your Notice of Privacy Practices and internal policies to use the regulatory definition of PHI consistently. Ambiguous language in your policies leads to ambiguous behavior on the floor.
Then, build scenario-based training that forces staff to classify real-world examples: Is a patient's appointment time PHI? (Yes, if linked to the patient.) Is an aggregate report of surgeries performed last quarter PHI? (Not if fully de-identified.) These practical exercises create durable understanding.
Finally, ensure your business associate agreements explicitly define PHI and establish that associates are bound by the same standards. Under the Omnibus Rule of 2013, business associates face direct liability for HIPAA violations — and they need the same clarity on PHI that your internal workforce has.
Make the Definition Operational, Not Theoretical
Knowing under HIPAA law what is the best description of PHI is not an academic question — it's the foundation of every privacy safeguard, every access control, and every breach risk assessment your organization performs. If your team can't define PHI accurately, your entire compliance program has a structural weakness.
Strengthen that foundation now. HIPAA Certify's workforce compliance platform gives your team the regulatory knowledge and practical tools to identify, protect, and properly handle protected health information — in every form, across every workflow, every day.