A surgeon's scheduling whiteboard in a busy hallway. A screenshot of a patient portal texted between nurses. A spreadsheet of lab results emailed to the wrong clinic. Every one of these contains protected health information — and every one of these has led to an OCR investigation. If you're searching for examples of PHI under HIPAA, you're asking the right question, because the answer is far broader than most people expect.

PHI doesn't just live in medical records. It hides in appointment reminders, billing invoices, voicemails, and even the metadata in a digital image. Understanding what qualifies — with real, concrete examples — is the first step toward keeping your organization out of HHS enforcement crosshairs.

What Is PHI? The Definition That Trips Everyone Up

Protected health information, or PHI, is any individually identifiable health information that a covered entity or its business associate creates, receives, maintains, or transmits. That's the textbook answer from HHS's Privacy Rule guidance. But the part most people miss is the word individually identifiable.

A diagnosis alone isn't PHI. A name alone isn't PHI. But combine a diagnosis with a name, a date of birth, or a zip code — and you've crossed the line. PHI is the intersection of health data and identity.

When that information exists in electronic form, it becomes ePHI, and the HIPAA Security Rule kicks in with its own set of administrative, physical, and technical safeguard requirements.

The 18 HIPAA Identifiers: Your Complete Checklist

The Privacy Rule spells out 18 specific identifiers. If any of these are linked to health information, you're looking at PHI. Here they are:

  • Names
  • Geographic data smaller than a state (street address, city, zip code)
  • All dates directly related to an individual (birth date, admission date, discharge date, date of death) — except year alone for individuals over 89
  • Phone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate or license numbers
  • Vehicle identifiers and serial numbers (including license plate numbers)
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Biometric identifiers (fingerprints, voiceprints)
  • Full-face photographs and comparable images
  • Any other unique identifying number, characteristic, or code

That last one is the catch-all, and it's intentionally broad. If your organization assigns a unique patient code and links it to clinical data, that code is an identifier under HIPAA.

Real-World Examples of PHI That Catch People Off Guard

Most workforce members know that a patient chart is PHI. The violations I've seen don't come from the obvious places. They come from the mundane, everyday workflows nobody thinks to audit.

The Appointment Reminder

A postcard that says "Reminder: Follow-up for your cardiac catheterization on March 15" combines a patient's name (on the mailing label), a date, and a diagnosis. That's three identifiers plus health information. PHI.

The Billing Statement

An invoice sent to a patient listing CPT codes, the provider's name, and the patient's account number contains PHI. When a medical billing company misroutes these to the wrong address, it triggers a breach notification obligation.

The Staff Group Chat

A nurse texts a colleague: "Room 212, Mrs. Rodriguez, needs her Metformin dose adjusted." That message contains a name, a location within the facility, and medication information. It's PHI — and if it's on a personal, unencrypted device, it's a Security Rule violation waiting to happen. Our HIPAA training for nurses and clinical workflows walks through exactly these scenarios.

The After-Visit Summary Left on a Printer

Printed documents sitting on a shared printer in a common area are physical PHI exposed to unauthorized access. I've seen covered entities receive corrective action plans from OCR over exactly this kind of carelessness.

The Research Database

A spreadsheet containing patient initials, dates of service, and diagnosis codes still qualifies as PHI unless it has been properly de-identified under the Privacy Rule's Safe Harbor or Expert Determination methods.

What Doesn't Count as PHI?

Not everything with a patient's name on it is PHI. Context matters. Here are some common items that do not qualify:

  • Employment records held by a covered entity in its role as an employer — like a staff member's sick-day form
  • Education records covered under FERPA
  • De-identified data that has had all 18 identifiers stripped following the methods outlined in HHS's de-identification guidance
  • Health information not held by a covered entity or business associate — for instance, your personal fitness tracker data (though other privacy laws may apply)

The critical distinction: the same data element can be PHI in one context and not in another. A name on a gym membership list isn't PHI. That same name on a hospital discharge summary absolutely is.

The $1.5 Million Mistake: When PHI Examples Become Enforcement Cases

In 2018, OCR settled with Cottage Health for $3 million after ePHI — including patient names, addresses, dates of birth, diagnoses, and Social Security numbers — was exposed online due to a misconfigured server. Every single one of those data elements appears on the 18-identifier list above.

Earlier, in 2016, Advocate Health Care paid $5.55 million — one of the largest HIPAA settlements ever — after unencrypted laptops containing ePHI were stolen. The laptops held names, addresses, dates of birth, and clinical information for approximately 4 million individuals. The lesson: PHI on an unencrypted portable device is a ticking clock.

These aren't theoretical scenarios. They're real enforcement actions documented on OCR's enforcement page. And in both cases, the organizations knew what PHI was — they just failed to protect it in practice.

How Many HIPAA Identifiers Make Something PHI?

This is the question I get asked most often by compliance officers: "How many identifiers does it take?" The answer is one. A single identifier connected to health information creates PHI. You don't need a name and a date of birth and a Social Security number. One identifier plus health data crosses the threshold.

That's why an IP address logged alongside a telehealth session record is PHI. It's why a device serial number associated with a home health monitoring reading is PHI. The bar is deliberately low.

Protecting PHI Across Your Entire Workforce

Knowing the examples of PHI under HIPAA is only useful if your workforce can recognize them in real time. And "workforce" under HIPAA doesn't just mean employees — it includes volunteers, trainees, and anyone under your organization's direct control.

Training That Goes Beyond Definitions

I've reviewed dozens of training programs that teach the 18 identifiers as a list to memorize. That approach fails. Your staff needs scenario-based training — the kind that puts them in a simulated hallway conversation or a mock email thread and asks, "Is this PHI? What do you do next?"

That's why we built our HIPAA training catalog around realistic clinical and administrative scenarios, not just regulatory definitions. Your front desk staff faces different PHI risks than your IT team. Train them accordingly.

Access Controls and Minimum Necessary

Even when your team recognizes PHI, the Privacy Rule's minimum necessary standard requires that they access only the PHI needed for their specific job function. A billing clerk doesn't need to see clinical notes. A scheduler doesn't need to see lab results. Role-based access controls should enforce this automatically.

Incident Response When PHI Leaks

When PHI is disclosed improperly — whether through a misdirected fax, a lost USB drive, or a ransomware attack — HIPAA's Breach Notification Rule gives you a 60-day window to notify affected individuals, HHS, and in some cases, the media. The clock starts when the breach is discovered, not when it occurred. Fast identification of what qualifies as PHI determines your entire response timeline.

Your PHI Audit Should Start Here

Pull up your organization's last risk analysis. Look at every system, workflow, and communication channel your workforce uses. Then ask one question for each: "Does this touch any of the 18 identifiers in combination with health information?"

If the answer is yes — or even maybe — you've found PHI. And you've found your next compliance priority.

The organizations that avoid seven-figure settlements aren't the ones with the best lawyers. They're the ones whose receptionists, nurses, and IT staff can spot PHI in a parking lot conversation, a fax cover sheet, or a system log — and know exactly what to do about it.