A hospital in Texas once faxed a patient's psychiatric records to the wrong physician's office — a solo practitioner across town who had nothing to do with the case. The fax sat in an open tray for three hours. That single sheet of paper contained a diagnosis, a Social Security number, a date of birth, and a treatment plan. Every line on it was protected health information under federal law. And the hospital didn't report the breach for four months.
If you've ever wondered what information is protected under HIPAA law, the answer goes far beyond medical records. It covers a sprawling category of data that most healthcare workers encounter dozens of times per shift — and that most organizations still mishandle in surprisingly basic ways.
I've spent years reviewing compliance programs, and the single biggest gap I see is staff who don't actually know what counts as protected information. They know HIPAA exists. They can't tell you what it covers. That gap is where breaches happen.
What Information Is Protected Under HIPAA Law: The Short Answer
HIPAA's Privacy Rule protects protected health information (PHI) — any individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits. This includes information in any form: paper, electronic (ePHI), or oral.
PHI has two components that must exist together. First, the information must relate to a person's past, present, or future physical or mental health condition, the provision of healthcare, or the payment for healthcare. Second, it must identify the individual — or there must be a reasonable basis to believe it could identify them.
Remove either component and the data is no longer PHI. Keep even one identifier attached to health data, and HIPAA applies.
The 18 Identifiers That Make Health Data PHI
The U.S. Department of Health and Human Services (HHS) specifies 18 types of identifiers that, when linked to health information, create PHI. I've watched compliance officers gloss over this list in training. That's a mistake. Here they are:
- Names
- Geographic data smaller than a state (street address, city, zip code)
- All dates directly related to an individual (birth date, admission date, discharge date, date of death) — and all ages over 89
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers (including license plates)
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers (fingerprints, voiceprints)
- Full-face photographs and comparable images
- Any other unique identifying number, characteristic, or code
That last one is the catch-all. It means if your organization creates an internal patient code and links it to health data, HIPAA still applies. There's no loophole.
Why IP Addresses and URLs Surprise People
Most clinicians I train don't expect IP addresses or web URLs on this list. But think about patient portals, telehealth platforms, and online appointment scheduling. When a patient logs in and that session captures their IP address alongside a diagnosis code, you have ePHI. Your IT team needs to understand this. Your front desk staff might not need the technical details, but your security officer absolutely does.
It's Not Just Medical Records
Here's where organizations get tripped up. PHI doesn't live only in a patient's chart. It shows up in places your staff might never consider:
- Billing records — A claim submitted to a health plan contains diagnosis codes, patient names, dates of service, and account numbers. All PHI.
- Appointment schedules — A printed schedule on a nurse's station showing patient names and visit reasons is PHI sitting in the open.
- Voicemails — A callback message that mentions a patient's name and prescription refill is oral PHI.
- Emails — A physician emailing a colleague about a patient using the patient's name creates ePHI the moment it hits the server.
- Insurance explanation of benefits (EOBs) — These contain service dates, provider names, and payment amounts tied to an individual.
I've seen a dental practice fined after an employee posted a photo on social media that included a whiteboard in the background showing a patient schedule. Names, procedures, appointment times — all visible. All PHI. All preventable.
The $4.3 Million Lesson From MD Anderson
The University of Texas MD Anderson Cancer Center learned the hard way that ePHI on unencrypted devices counts. OCR investigated after three data breaches involving an unencrypted laptop and two unencrypted USB drives. The devices contained ePHI for over 33,000 individuals. In 2018, an administrative law judge upheld $4.3 million in penalties.
MD Anderson argued it had encryption policies. OCR countered that having a policy you don't enforce is the same as having no policy. The data on those devices — names, diagnoses, treatment information, Social Security numbers — was textbook PHI. The devices lacked the safeguards ePHI demands.
If your organization stores any of the 18 identifiers alongside health data on laptops, USB drives, mobile phones, or cloud platforms, you are holding ePHI. The HIPAA Security Rule requires administrative, physical, and technical safeguards for every bit of it.
What HIPAA Does NOT Protect
Understanding what falls outside HIPAA's scope matters just as much. HIPAA's protections apply to covered entities (health plans, healthcare clearinghouses, and healthcare providers who transmit information electronically) and their business associates.
HIPAA does not cover:
- Health information held by employers in employment records (your HR file with sick notes is generally not PHI under HIPAA)
- Data collected by fitness trackers, wellness apps, or consumer health devices — unless a covered entity is involved
- Information a patient shares on a public social media post about their own condition
- Education records covered under FERPA
- Law enforcement records held by covered entities acting in a law enforcement capacity
This is a critical distinction. A patient's Fitbit data isn't PHI. But if that same patient's wearable data feeds into a physician's EHR system as part of a treatment plan, it becomes PHI the moment the covered entity touches it.
De-Identification: When PHI Stops Being PHI
HIPAA provides two methods for stripping data of its protected status. Under the Safe Harbor method, you remove all 18 identifiers and confirm there's no reasonable basis to re-identify the individual. Under the Expert Determination method, a qualified statistical expert certifies the risk of identification is very small.
Once data is properly de-identified, HIPAA's restrictions no longer apply. But "properly" is doing heavy lifting in that sentence. I've reviewed datasets that organizations claimed were de-identified but still contained zip codes narrowed to three-digit prefixes in areas with small populations — a clear violation of Safe Harbor requirements.
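As an added illustration (my own code, not part of the original post), here is a minimal Safe Harbor scrubber in Python that applies the rules above to one constructed patient record: it drops the direct identifiers from the 18-item list, truncates ZIP codes to three digits and blanks prefixes from a constructed list of low-population areas, reduces dates to the year, and collapses ages over 89 (and the birth year of such patients) into a single 90+ category. The field names and the restricted-prefix list are assumptions, not a real schema or the HHS-published list.

```python
import re
from datetime import date

# Direct identifiers from the HHS list; the field names are this example's own assumption.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
    "internal_patient_code",  # the catch-all: any other unique code
}
# Constructed sample of three-digit ZIP prefixes covering 20,000 or fewer people;
# Safe Harbor requires these to be replaced with "000".
RESTRICTED_ZIP3 = {"036", "059", "102"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

def safe_harbor_zip(zip_code):
    """Keep only the first three digits, or 000 for a low-population prefix."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix

def safe_harbor_age(age):
    """Ages over 89 are collapsed into a single 90+ category."""
    return "90+" if age > 89 else age

def deidentify(record):
    """Return a Safe Harbor copy of one record (a dict) with identifiers removed."""
    over_89 = record.get("age", 0) > 89
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # dropped outright
        if key in DATE_FIELDS and isinstance(value, date):
            if key == "birth_date" and over_89:
                continue  # even the birth year would reveal an age over 89
            out[key] = value.year  # dates keep only the year
        elif key == "zip":
            out[key] = safe_harbor_zip(value)
        elif key == "age":
            out[key] = safe_harbor_age(value)
        else:
            out[key] = value  # clinical content, no longer linked to a person
    return out

# Constructed sample record, not real patient data.
SAMPLE = {"name": "Jane Doe", "ssn": "123-45-6789", "zip": "02115",
          "birth_date": date(1933, 4, 2), "admission_date": date(2024, 3, 15),
          "age": 91, "diagnosis_code": "F32.1"}
```

Calling deidentify(SAMPLE) leaves only the three-digit ZIP, the admission year, the 90+ age bucket and the diagnosis code; the birth date disappears entirely because the patient is over 89.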
State Laws Can Expand What's Protected
HIPAA sets the federal floor, not the ceiling. Several states add protections that go beyond what federal law requires. Texas is a prime example. The Texas Medical Records Privacy Act (HB 300) imposes stricter consent requirements for the use and disclosure of PHI and applies to a broader range of entities than HIPAA does.
If your organization operates in Texas, you need workforce training that covers both federal and state requirements. Our Texas Medical Records Privacy Act (HB 300) training course walks your team through exactly where state law adds obligations beyond HIPAA. Ignoring state-level protections is a compliance gap I see constantly — and one that regulators are increasingly willing to punish.
Your Workforce Is the Weakest Link — Train Accordingly
OCR enforcement actions almost always trace back to workforce failures. Someone didn't know a fax number was an identifier. Someone left a laptop in a car. Someone emailed a spreadsheet of patient billing data to a personal Gmail account.
The Privacy Rule at 45 CFR Part 164 Subpart E requires covered entities to train all workforce members on PHI policies and procedures. "All" means everyone — clinicians, billing staff, janitorial crews, IT contractors, volunteers. If they can access or encounter PHI, they need training.
Generic annual training doesn't cut it anymore. Your workforce needs to understand the 18 identifiers, know what forms PHI takes in your specific environment, and recognize when they're handling it. Our full catalog of HIPAA compliance courses is built around exactly that kind of practical, role-specific education.
The Breach Notification Trigger You Can't Ignore
When PHI is improperly accessed, used, or disclosed, HIPAA's Breach Notification Rule kicks in. Covered entities must notify affected individuals within 60 days. Breaches affecting 500 or more individuals require notification to HHS and prominent media outlets in the state.
Every single breach starts with PHI. No PHI exposure, no breach. That's why understanding what information qualifies as protected isn't an academic exercise — it's the foundation of your entire compliance program. Get it wrong and you won't just face OCR penalties. You'll face lawsuits, reputational damage, and the operational chaos that comes with a reportable breach.
Start With the Basics and Get Them Right
I've audited organizations with six-figure compliance budgets that still had staff who couldn't name more than three of the 18 identifiers. The fix isn't more spending — it's more specificity. Train your people on exactly what PHI looks like in their daily workflow. Audit where PHI lives in your systems. Map every place it moves.
Knowing what information is protected under HIPAA law isn't the finish line. It's the starting line. Everything else — your risk assessments, your access controls, your incident response plans — depends on your team understanding this foundational concept cold. No ambiguity. No guessing.
Get the foundation wrong and nothing built on top of it holds.