In 2023, OCR settled with a New England dermatology practice for $300,640 after an investigation revealed the organization had failed to properly safeguard patient records containing names, Social Security numbers, and diagnosis codes — all categories of data that qualify as protected health information. The case underscored a compliance gap I see repeatedly: organizations assume PHI is limited to medical records, when in reality the HIPAA Privacy Rule treats a far broader set of data elements as PHI than most workforce members realize.
What the Privacy Rule Actually Defines as PHI
Under 45 CFR §160.103, protected health information is any individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or business associate. The critical phrase is "individually identifiable" — it means the information either directly identifies a person or provides a reasonable basis for identification.
PHI is not limited to clinical notes or lab results. It encompasses any data element that connects an individual to their health condition, healthcare provision, or payment for healthcare services. If you can link the information back to a specific person, you are almost certainly handling PHI.
The 18 Identifiers the HIPAA Privacy Rule Treats as PHI
The HIPAA Privacy Rule, through its de-identification standard at 45 CFR §164.514(b)(2), lists 18 types of identifiers that must be removed before health information is considered de-identified. Your organization must treat all of these as PHI when they appear alongside health data:
- Names — full legal name, maiden name, aliases
- Geographic data — street address, city, county, ZIP code (ZIP codes with populations under 20,000 are especially sensitive)
- Dates — birth date, admission date, discharge date, date of death, and all ages over 89
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate or license numbers
- Vehicle identifiers and serial numbers (including license plates)
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers (fingerprints, voiceprints, retinal scans)
- Full-face photographs and comparable images
- Any other unique identifying number, characteristic, or code
That final catch-all category is deliberately broad. OCR has made clear that this list is a floor, not a ceiling. If a data element can reasonably be used to identify a patient, it should be treated as PHI.
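As an added example (not code from the original article), here is how the Safe Harbor rules at §164.514(b)(2) can be applied to one record in Python: direct identifiers are dropped, ZIP codes are cut to three digits (or 000 for low-population areas), ages over 89 are collapsed into one bucket, dates are reduced to the year, and listed identifiers are scrubbed from free-text notes. The low-population ZIP set and the sample record are constructed for the demo, not real data.

```python
import re
from datetime import date
# Three-digit ZIP prefixes covering 20,000 people or fewer must become "000".
# The real set comes from Census data; this tiny set is a constructed stand-in.
SMALL_POP_ZIP3 = {"036", "059", "102", "203", "205", "369", "556", "692"}
# Direct identifiers from the 18-item list that are removed outright.
DROP_FIELDS = {"name", "ssn", "mrn", "phone", "fax", "email", "account",
               "plate", "device_id", "url", "ip", "photo"}
# Identifiers that leak into free-text fields such as clinical notes.
TEXT_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),        # SSN
    re.compile(r"\b(?:\d{3}-)?\d{3}-\d{4}\b"),    # phone number
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),      # email address
    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),   # IPv4 address
]

def safe_harbor_zip(zip_code: str) -> str:
    # Keep only the first three digits, or 000 for a low-population prefix.
    return "000" if zip_code[:3] in SMALL_POP_ZIP3 else zip_code[:3]

def safe_harbor_age(birth: date, as_of: date) -> str:
    age = as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))
    return "90+" if age > 89 else str(age)   # all ages over 89 collapse to one bucket

def scrub_text(text: str) -> str:
    for pat in TEXT_PATTERNS:
        text = pat.sub("[REDACTED]", text)
    return text

def deidentify(record: dict, as_of: date) -> dict:  # Safe Harbor on one record
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue
        if key == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif key == "dob":
            out["age"] = safe_harbor_age(value, as_of)
        elif key in ("admit", "discharge", "death"):
            out[key + "_year"] = str(value.year)   # dates reduced to the year
        elif key == "note":
            out[key] = scrub_text(value)
        else:
            out[key] = value   # e.g. a diagnosis code is not an identifier by itself
    return out

AS_OF = date(2023, 6, 1)
SAMPLE = {  # constructed sample record, not real patient data
    "name": "Jane Example", "ssn": "123-45-6789", "mrn": "MRN-0001",
    "dob": date(1930, 5, 1), "zip": "03601", "admit": date(2023, 2, 14),
    "diagnosis": "L40.0", "note": "Called from 555-0100, email jane@example.com, ip 10.1.2.3",
}
```

Running `deidentify(SAMPLE, AS_OF)` leaves only the diagnosis code, a three-digit ZIP of 000, an age of 90+, the admission year, and a scrubbed note; the regex scrub is a coarse backstop, not a substitute for keeping identifiers out of free text in the first place.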
The PHI Categories Your Workforce Likely Overlooks
In my work with covered entities, the most common blind spots involve IP addresses, device identifiers, and photographs. Front-desk staff may not consider a patient's emailed selfie to be PHI. IT teams may not flag server logs containing IP addresses tied to patient portal sessions. Yet each of these qualifies as PHI under the Privacy Rule.
Appointment scheduling systems present another risk. A calendar entry showing a patient's name, date, and department visited — say, oncology — creates PHI even though it contains no clinical notes. The combination of an identifier plus a healthcare context triggers HIPAA protection.
Organizations that invest in comprehensive HIPAA training and certification for their workforce dramatically reduce these knowledge gaps. When every team member — from billing clerks to software developers — understands the full scope of PHI, accidental disclosures drop significantly.
How the Minimum Necessary Standard Applies to PHI
Knowing what qualifies as PHI is only half the equation. The minimum necessary standard under 45 CFR §164.502(b) requires your organization to limit PHI access, use, and disclosure to the minimum amount needed to accomplish the intended purpose.
This means your covered entity must implement role-based access controls. A billing specialist needs account numbers and procedure codes, not psychiatric notes. A referral coordinator needs demographic data, not full treatment histories. Applying the minimum necessary standard to every PHI category listed above is a regulatory requirement, not a best practice.
PHI Obligations Extend to Every Business Associate
Since the Omnibus Rule of 2013, business associates are directly liable for HIPAA violations involving PHI. If your organization shares any of the 18 identifiers with a third-party vendor — a cloud hosting provider, a billing company, a shredding service — that vendor must execute a business associate agreement and comply with the Security Rule and Privacy Rule.
OCR's enforcement record backs this up. In recent years, penalties against business associates have increased substantially, including a $4.3 million settlement with a business associate in 2023 for failing to conduct an adequate risk analysis. Your vendor management program must account for every category of PHI that flows outside your organization's walls.
Risk Analysis Must Account for All PHI Types
The Security Rule at 45 CFR §164.308(a)(1) requires a thorough and accurate risk analysis. That analysis must identify where every form of PHI — not just EHR data — is created, received, stored, and transmitted across your environment.
I consistently find that organizations map their EHR system but neglect voicemail systems storing patient phone messages, copiers with hard drives that cache faxed records, or employee smartphones used to photograph wound sites. Every one of those locations holds PHI and must appear in your risk analysis.
Your Notice of Privacy Practices Must Reflect PHI Realities
Your Notice of Privacy Practices informs patients about how their PHI will be used and disclosed. If your notice references only "medical records" without addressing the broader categories — biometric data collected at check-in kiosks, IP addresses from telehealth sessions, photographs taken during treatment — you may be providing an incomplete notice.
Review your notice annually to ensure it reflects the actual PHI your organization handles. As telehealth, remote monitoring, and AI-driven diagnostics expand, the types of PHI you collect will continue to grow.
Build a Workforce That Recognizes PHI in Every Form
Every HIPAA violation involving PHI starts with a person who did not recognize the data they were handling. OCR enforcement actions consistently cite insufficient workforce training as a contributing factor. The fix is not a once-a-year slide deck — it is ongoing, role-specific education that teaches employees to identify PHI in context.
If your organization needs a structured approach, HIPAA Certify's workforce compliance program delivers exactly that: practical training calibrated to how your teams actually encounter protected health information in daily operations.
The scope of PHI under HIPAA is wider than most organizations assume, and OCR expects you to protect every identifier, in every format, across every system. Map it, train on it, and build controls around it — because the next enforcement action will not accept ignorance as a defense.