A Faxed Lab Report Sent to the Wrong Number Started It All

A nurse at a mid-size clinic in Minnesota faxed a patient's HIV test results to a number one digit off from the referring physician's office. The pages landed on a break room fax machine at a local car dealership. Within hours, the patient's name, date of birth, diagnosis, and Social Security number were sitting on a counter next to someone's lunch.

That single misfax contained at least four distinct PHI examples HIPAA requires every covered entity to protect. And the clinic had no fax verification protocol in place. I've seen this exact scenario play out more times than I'd like to admit.

If you've ever wondered what actually counts as protected health information — and more importantly, what real consequences follow when it's exposed — this post breaks it down with specifics, not theory.

What Exactly Is PHI Under HIPAA?

Protected health information, or PHI, is any individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits. It includes data in any form — paper, electronic (ePHI), or oral.

The key word is individually identifiable. A diagnosis code sitting alone in a spreadsheet with no way to tie it back to a person isn't PHI. The moment you attach a name, a medical record number, or even a zip code to that code, it becomes PHI — and every HIPAA rule applies.

HHS defines PHI broadly under 45 CFR §160.103, and that breadth catches organizations off guard every day.

The 18 PHI Identifiers: The Definitive List With Real Examples

The HIPAA Privacy Rule specifies 18 identifiers that make health information individually identifiable. Here's every one of them, with a concrete example of how each shows up in a healthcare workflow.

1. Names

Full name, maiden name, alias. "Maria Torres" on a prescription label is PHI.

2. Geographic Data Smaller Than a State

Street addresses, city, county, zip code, equivalent geocodes. A discharge summary listing "123 Oak Street, Nashville" qualifies.

3. Dates

Birth date, admission date, discharge date, date of death. An intake form stamped "DOB: 04/12/1988" is PHI the instant it's linked to a patient record.

4. Telephone Numbers

A callback number left in a voicemail about a patient's test results? That's PHI.

5. Fax Numbers

The clinic in Minnesota I mentioned earlier learned this the hard way. Fax cover sheets with patient names and fax numbers are PHI.

6. Email Addresses

Patient portal messages, appointment confirmations — any email tied to health information.

7. Social Security Numbers

Still used in some legacy billing systems. I've seen SSNs embedded in insurance claim records that staff assumed were internal-only.

8. Medical Record Numbers

Your EHR assigns these automatically. They're PHI even when the patient name is stripped if they can be cross-referenced.

9. Health Plan Beneficiary Numbers

The member ID on an insurance card ties directly to an individual's health plan and claims history.

10. Account Numbers

Patient billing account numbers used across revenue cycle management systems.

11. Certificate/License Numbers

A patient's driver's license number scanned during registration is PHI when stored alongside clinical data.

12. Vehicle Identifiers and Serial Numbers

Rare in clinical settings, but ambulance run reports sometimes include vehicle plate numbers tied to accident victims.

13. Device Identifiers and Serial Numbers

A pacemaker's serial number linked to a patient chart? That's PHI.

14. Web URLs

A patient portal URL containing a unique patient parameter is PHI. So is a personal health blog URL recorded in a case file.

15. IP Addresses

Server logs that capture IP addresses alongside patient portal activity count as ePHI.

16. Biometric Identifiers

Fingerprints and voiceprints used for patient authentication are PHI.

17. Full-Face Photographs

Dermatology images, wound care photos, any facial image in a medical record.

18. Any Other Unique Identifying Number or Code

This catch-all covers anything that could reasonably identify a person. I've seen it applied to employee badge numbers that doubled as patient IDs in occupational health clinics.

For the full regulatory text, see HHS's official guidance on de-identification of protected health information.

The Mistakes That Turn PHI Into a Breach

Knowing the 18 identifiers is step one. Step two is recognizing how your workforce mishandles them daily.

Whiteboards in Patient Hallways

I once walked through a hospital where every room had a whiteboard visible from the corridor listing the patient's full name, attending physician, and diagnosis shorthand. That's a HIPAA violation hiding in plain sight.

Unencrypted Laptops and USB Drives

In 2018, the University of Texas MD Anderson Cancer Center lost a $4.3 million appeal to HHS after unencrypted devices containing ePHI were stolen. The OCR investigation revealed that the organization had identified the encryption risk years earlier and failed to act. Three devices. $4.3 million.

Texting PHI on Personal Phones

Nurses and medical assistants text each other patient details constantly. If your organization hasn't deployed a HIPAA-compliant messaging platform — and trained staff to actually use it — you have an active breach channel running 24/7.

Misdirected Emails and Faxes

Auto-fill in email clients and speed-dial fax numbers cause more impermissible disclosures than any hacking group. OCR treats these as reportable breaches when they affect 500 or more individuals.

What Happens When PHI Exposure Reaches OCR

The Office for Civil Rights doesn't just fine large health systems. Small practices, dental offices, and solo providers have all faced enforcement actions.

In 2023, OCR settled with Yakima Valley Memorial Hospital for $240,000 after 23 security guards accessed patient medical records without a job-related reason. The issue wasn't a cyberattack. It was workforce curiosity — the most common and most preventable source of HIPAA violations.

Your organization doesn't need a sophisticated threat actor to trigger a breach. It needs one untrained employee who doesn't understand what PHI looks like or why accessing it without authorization is a federal violation.

How to Actually Protect PHI: Practical Steps That Work

Train Every Role, Not Just Clinicians

Front desk staff handle PHI before a clinician ever touches it. Billing teams swim in it. IT administrators have unrestricted access to ePHI databases. Every workforce member — including volunteers and contractors — needs role-specific training.

If your clinical staff hasn't completed targeted education, our HIPAA training course for nurses and clinical workflows covers exactly how PHI shows up in real patient care scenarios.

Encrypt Everything That Moves

Laptops, phones, tablets, USB drives, email attachments. If it contains ePHI and it can leave your building — physically or electronically — it must be encrypted. Full stop.

Implement Minimum Necessary Access

The Privacy Rule requires that workforce members access only the PHI they need for their specific job function. Role-based access controls in your EHR aren't optional. They're the law.

Audit Access Logs Monthly

If you're only reviewing access logs after a complaint, you're already behind. Monthly audits catch snooping patterns before they become breach notifications.
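The two steps above, a minimum-necessary allowlist and a periodic review of EHR access logs, can be expressed as a small audit script. The following is an added example written for this post, not code from any EHR vendor; the role names, the actions, the log columns and the log lines themselves are constructed assumptions. It flags three patterns: a role opening a chart it has no job-related reason to open (the Yakima Valley pattern), a clinical user reading charts outside their own unit, and one account touching an unusual number of distinct patients in a day.

```python
import csv
from collections import defaultdict
from io import StringIO

# Minimum-necessary allowlist: the actions each role may take on a record.
# Role and action names are assumptions made for this constructed example.
ROLE_PERMISSIONS = {
    "physician": {"view_chart", "write_note", "order"},
    "nurse": {"view_chart", "write_note"},
    "billing": {"view_billing"},
    "security": set(),  # no job-related reason to open any chart
}
CLINICAL_ROLES = {"physician", "nurse"}  # roles whose access is unit-scoped

# Constructed audit-log extract; the column names are assumed, but most EHRs
# export an equivalent (who, what role, which patient, which action, when).
SAMPLE_LOG = """timestamp,user,role,user_unit,mrn,patient_unit,action
2024-05-06T08:02:11,rnguyen,nurse,3N,1001,3N,view_chart
2024-05-06T08:05:40,rnguyen,nurse,3N,1002,3N,write_note
2024-05-06T09:14:02,rnguyen,nurse,3N,1440,5W,view_chart
2024-05-06T10:31:55,guard07,security,LOBBY,1001,3N,view_chart
2024-05-06T10:33:12,guard07,security,LOBBY,1099,ICU,view_chart
2024-05-06T11:00:00,bclark,billing,REVCYCLE,1001,3N,view_billing
2024-05-06T11:02:00,bclark,billing,REVCYCLE,1001,3N,view_chart
"""


def build_sample_log():
    """Append one nurse opening 30 distinct charts in an hour (constructed)."""
    lines = [SAMPLE_LOG.rstrip("\n")]
    for i in range(30):
        lines.append(
            f"2024-05-06T13:{i:02d}:00,jsmith,nurse,5W,{2000 + i},5W,view_chart"
        )
    return "\n".join(lines) + "\n"


def parse_log(text):
    """Parse the CSV extract into a list of dict rows."""
    return list(csv.DictReader(StringIO(text)))


def audit_access_log(rows, max_distinct_patients=25):
    """Return a list of findings; each names the user, the MRN and the reason."""
    findings = []
    per_user_day = defaultdict(set)  # (user, day) -> distinct MRNs touched
    for r in rows:
        allowed = ROLE_PERMISSIONS.get(r["role"], set())
        if r["action"] not in allowed:
            findings.append({
                "user": r["user"], "mrn": r["mrn"],
                "reason": "action not permitted for role",
                "detail": f'{r["role"]} performed {r["action"]}',
            })
        elif r["role"] in CLINICAL_ROLES and r["user_unit"] != r["patient_unit"]:
            findings.append({
                "user": r["user"], "mrn": r["mrn"],
                "reason": "out-of-unit access",
                "detail": f'{r["user_unit"]} staff opened {r["patient_unit"]} chart',
            })
        day = r["timestamp"][:10]
        per_user_day[(r["user"], day)].add(r["mrn"])

    # Volume check: snooping and bulk lookups both show up as many distinct
    # patients per account per day, regardless of whether each access was allowed.
    for (user, day), mrns in per_user_day.items():
        if len(mrns) > max_distinct_patients:
            findings.append({
                "user": user, "mrn": None,
                "reason": "high-volume access",
                "detail": f"{len(mrns)} distinct patients on {day}",
            })
    return findings


if __name__ == "__main__":
    for f in audit_access_log(parse_log(build_sample_log())):
        print(f'{f["user"]:<8} {f["reason"]:<32} {f["detail"]}')
```

The threshold of 25 distinct patients is a placeholder; in practice it is set per role from a baseline of normal activity, and the out-of-unit rule needs an exception list for float pools and consult services. The point of the volume check is that every single access by the high-volume nurse is individually permitted, so an allowlist alone would never surface it; only a review of the log over time does.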

Quick Answer: What Are Common PHI Examples Under HIPAA?

Common PHI examples under HIPAA include a patient's name combined with a diagnosis, a medical record number linked to treatment notes, a Social Security number on an insurance claim, a date of birth on a lab report, an email address in a patient portal, and a full-face photograph in a clinical record. Any of the 18 HIPAA identifiers become PHI when connected to health information about a past, present, or future condition, treatment, or payment.

De-Identification: When PHI Stops Being PHI

HIPAA provides two methods to de-identify data: the Expert Determination method (a qualified statistician certifies the risk of identification is very small) and the Safe Harbor method (all 18 identifiers are removed, and the covered entity has no actual knowledge the remaining data could identify someone).

Once data is properly de-identified, HIPAA no longer applies to it. But I've reviewed datasets that organizations claimed were de-identified while still containing three-digit zip codes and dates of service. That's not de-identified. That's a breach waiting to happen.
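A Safe Harbor scrub is mechanical enough to put into code, and doing so makes the two failures just described (residual zip codes and dates of service) visible as audit-log entries rather than surprises. The following is an added example written for this post, not code from HHS or any vendor; it covers the 18 identifier categories listed earlier as a field-to-category map, reduces identifier 3 (dates) to the year and aggregates ages over 89, applies the Safe Harbor zip rule (the first three digits may stay only when that area holds more than 20,000 people, otherwise they become 000), and then sweeps free-text fields for identifiers that leaked into notes. The field names, the `ZIP3_POPULATION` table standing in for Census data, and the sample record are all constructed assumptions.

```python
import re

# Field names are assumptions for the constructed record; each maps to the
# Safe Harbor identifier category (45 CFR 164.514(b)(2)) that requires removal.
DIRECT_IDENTIFIER_FIELDS = {
    "name": "1 names", "street": "2 geographic", "city": "2 geographic",
    "phone": "4 telephone", "fax": "5 fax", "email": "6 email",
    "ssn": "7 SSN", "mrn": "8 MRN", "member_id": "9 beneficiary number",
    "account_no": "10 account", "license_no": "11 license",
    "plate": "12 vehicle", "device_serial": "13 device",
    "portal_url": "14 URL", "ip": "15 IP", "fingerprint": "16 biometric",
    "photo": "17 photograph", "badge_no": "18 other unique code",
}
# Identifier 3: all date elements except year, plus ages over 89.
DATE_FIELDS = ("dob", "admit_date", "discharge_date", "date_of_death")

# Constructed stand-in for Census data, keyed by the first three ZIP digits.
# Safe Harbor keeps those digits only for areas with more than 20,000 people.
ZIP3_POPULATION = {"372": 900_000, "036": 15_000}

# Identifiers that leak into free text, in the order they are redacted.
RESIDUAL_PATTERNS = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone", re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("date", re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b")),
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]


def generalize_zip(zip_code):
    """Keep the 3-digit prefix only for populous areas, else collapse to 000."""
    zip3 = str(zip_code)[:3]
    return zip3 if ZIP3_POPULATION.get(zip3, 0) > 20_000 else "000"


def year_only(value):
    """Reduce any date string to its four-digit year (None if no year found)."""
    match = re.search(r"\b(\d{4})\b", str(value))
    return match.group(1) if match else None


def redact_text(text):
    """Replace residual identifiers in free text; return new text and hit kinds."""
    hits = []
    for kind, pattern in RESIDUAL_PATTERNS:
        text, count = pattern.subn(f"[REDACTED-{kind.upper()}]", text)
        hits.extend([kind] * count)
    return text, hits


def safe_harbor_scrub(record):
    """Return (de-identified copy, audit log of every removal or redaction)."""
    clean, log = {}, []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            log.append(f"{field}: removed ({DIRECT_IDENTIFIER_FIELDS[field]})")
        elif field in DATE_FIELDS:
            clean[field] = year_only(value)
            log.append(f"{field}: reduced to year")
        elif field == "zip":
            clean[field] = generalize_zip(value)
            log.append(f"zip: generalized to {clean[field]}")
        elif field == "age":
            clean[field] = "90+" if int(value) > 89 else value
            if clean[field] == "90+":
                log.append("age: aggregated to 90+")
        elif isinstance(value, str):
            clean[field], hits = redact_text(value)
            log.extend(f"{field}: redacted {kind}" for kind in hits)
        else:
            clean[field] = value
    return clean, log


if __name__ == "__main__":
    # Constructed record: the misfaxed lab report from the opening, as a row.
    record = {
        "name": "Maria Torres", "dob": "04/12/1988", "zip": "37201",
        "ssn": "123-45-6789", "age": 91, "diagnosis": "E11.9",
        "notes": "Call back at 615-555-0199 about the 04/12/1988 labs",
    }
    clean, log = safe_harbor_scrub(record)
    print(clean)
    print("\n".join(log))
```

Two caveats the log makes visible: the free-text sweep only catches formats its patterns know (a date written as "April 12th" slips through, which is why Safe Harbor reviews still need a human pass), and the "no actual knowledge" clause means a dataset can satisfy every rule here and still not be de-identified if the organization knows a remaining field, such as a rare diagnosis in a small town, points to one person.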

Your Staff Sees PHI Every Day — Do They Recognize It?

The biggest risk in most healthcare organizations isn't a firewall gap. It's a workforce that can't reliably identify PHI when it's sitting right in front of them.

A scheduling spreadsheet with patient names and appointment reasons? PHI. A sticky note on a monitor with a medical record number? PHI. A screenshot of an EHR screen saved to a personal desktop? PHI — and probably an ePHI breach.

Training your team to see PHI examples in their daily work is the single most cost-effective compliance investment you can make. Explore our full HIPAA training catalog to find role-specific courses that turn abstract rules into concrete habits.

Because the next time a lab report lands on the wrong fax machine, the question OCR will ask isn't whether your policy existed. It's whether your people actually knew what they were supposed to protect.