In 2023, a dental practice in New England paid a $50,000 settlement to the Office for Civil Rights after a workforce member posted a patient's treatment photo on social media — with the appointment date and patient name visible in the image metadata. The practice argued the employee didn't realize the post contained protected health information. OCR disagreed. This scenario plays out repeatedly, and it starts with a fundamental knowledge gap: your workforce doesn't fully understand what protected health information is, and real-world examples make the difference between compliance and a reportable breach.

What Is Protected Health Information Under the HIPAA Privacy Rule?

Protected health information (PHI) is defined under 45 CFR §160.103 as individually identifiable health information that is created or received by a covered entity or business associate and relates to the past, present, or future physical or mental health condition of an individual, the provision of healthcare to that individual, or payment for healthcare — and that identifies the individual or could reasonably be used to identify the individual.

That definition is broader than most people assume. PHI is not limited to medical records. It extends to billing records, appointment schedules, lab results, prescription histories, insurance claims, and even verbal conversations about a patient's care — as long as the information includes identifiers that link it to a specific person.

PHI can exist in any format: paper charts in a filing cabinet, electronic records in your EHR, verbal disclosures during a phone call, or images stored on a smartphone. If it identifies a patient and relates to their health or healthcare, it's PHI.

The 18 PHI Identifiers Every Workforce Member Must Recognize

The Privacy Rule specifies 18 types of identifiers that, when combined with health information, make data qualify as PHI. These identifiers are the backbone of the Safe Harbor de-identification method under 45 CFR §164.514(b). Your team needs to know every one of them:

  • Names
  • Geographic data smaller than a state (street address, city, ZIP code)
  • All dates directly related to an individual (birth date, admission date, discharge date, date of death) — and all ages over 89
  • Phone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate or license numbers
  • Vehicle identifiers and serial numbers (including license plates)
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Biometric identifiers (fingerprints, voiceprints)
  • Full-face photographs and comparable images
  • Any other unique identifying number, characteristic, or code

When even one of these identifiers accompanies health or payment information, the data is PHI and falls under HIPAA's full regulatory protection.

Real-World Examples of Protected Health Information

Understanding what protected health information is through concrete examples eliminates the gray areas that lead to HIPAA violations. Here are scenarios your organization should use in training:

Clearly PHI

  • A billing statement showing a patient's name, date of service, and diagnosis code — even if it never enters the EHR.
  • A voicemail left by a pharmacy confirming a patient's prescription refill, including the patient's name and medication.
  • An appointment reminder text message that includes the patient's name and the type of appointment (e.g., "cardiology follow-up").
  • A photo of a surgical wound stored on a clinician's personal phone, with the patient's face or name band visible.
  • An explanation of benefits (EOB) sent by a health plan that includes the member's name, provider, and procedure performed.

Often Overlooked as PHI

  • IP addresses captured by a patient portal login system — paired with health records accessed during that session, this is electronic PHI (ePHI).
  • A spreadsheet tracking employee wellness program results that includes worker names and blood pressure readings. If the employer is also the covered entity or a plan sponsor, this is PHI.
  • Vehicle license plate numbers recorded by hospital parking systems when linked to patient visit records.
  • Metadata embedded in digital images — timestamps, GPS coordinates, and device serial numbers can function as identifiers under the 18-identifier list.

Not PHI

  • Fully de-identified data sets where all 18 identifiers have been removed per Safe Harbor standards — this is no longer PHI and is not subject to the Privacy Rule.
  • Employment records held by a covered entity in its role as an employer, not as a healthcare provider (45 CFR §160.103).
  • Aggregate hospital infection rate data published without any patient-level identifiers.
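As an added illustration (not from the article), the following Python screen applies the 18-identifier list above to constructed records modeled on this section's examples: the billing statement, the portal login IP address, a record reduced to year and state, and an age over 89. The field names, the regexes and the sample data are this example's own simplifications, not anything taken from the regulation.

```python
import re

# Simplified regexes for some of the 18 identifier classes. These are this
# example's own approximations, not text from 45 CFR 164.514(b); a production
# screen would need far stronger pattern coverage and privacy-officer review.
PATTERNS = {
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+"),
    "zip_code": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
    # Month/day-level dates only: a bare year is permitted under Safe Harbor.
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}

# Structured fields that are identifiers by themselves (field names are assumed).
DIRECT_IDENTIFIER_FIELDS = ("name", "mrn", "account_number", "license_plate", "device_serial")


def safe_harbor_findings(record):
    """Return the identifier classes found in a flat record dict; [] means it clears the screen."""
    findings = [f for f in DIRECT_IDENTIFIER_FIELDS if record.get(f)]
    age = record.get("age")
    if isinstance(age, int) and age > 89:  # ages over 89 are an identifier on their own
        findings.append("age_over_89")
    # Scan all free-text values for the pattern-based identifier classes.
    text = " ".join(v for k, v in record.items()
                    if k not in DIRECT_IDENTIFIER_FIELDS and isinstance(v, str))
    findings.extend(label for label, pat in PATTERNS.items() if pat.search(text))
    return findings


def is_safe_harbor_deidentified(record):
    return not safe_harbor_findings(record)


# Constructed sample records mirroring the section's examples (fictional data).
BILLING_STATEMENT = {"name": "Jane Q. Sample",
                     "notes": "Date of service 2024-03-14, diagnosis E11.9, mailed to 02110"}
PORTAL_LOG = {"notes": "portal login from 203.0.113.45 viewed lab results"}
DEIDENTIFIED = {"age": 45, "state": "MA", "notes": "Service year 2024, diagnosis E11.9"}
OVER_89 = {"age": 92, "state": "MA", "notes": "Service year 2024"}

if __name__ == "__main__":
    for label, rec in [("billing", BILLING_STATEMENT), ("portal", PORTAL_LOG),
                       ("deidentified", DEIDENTIFIED), ("over_89", OVER_89)]:
        print(f"{label}: {safe_harbor_findings(rec) or 'clears Safe Harbor screen'}")
```

The point the output makes is the one the section makes in prose: a record with no chart data at all (the portal log) still carries an identifier, while the same diagnosis code with only a year and a state does not.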

Why Getting PHI Wrong Triggers OCR Enforcement

OCR enforcement actions frequently cite workforce members who failed to recognize PHI in non-obvious formats. In my work with covered entities, the most common failure points are unencrypted email threads containing patient names and lab values, paper sign-in sheets visible to other patients, and screenshots of EHR data shared through unsecured messaging apps.

Between 2003 and 2024, OCR settled or imposed civil money penalties in over 140 cases, with resolution amounts ranging from $100,000 to $16 million. A significant share of these involved impermissible disclosures of PHI — disclosures that could have been prevented if workforce members had understood what qualifies as protected health information in the first place.

The minimum necessary standard under 45 CFR §164.502(b) further tightens obligations: even when a use or disclosure is permitted, your organization must limit the PHI shared to the minimum amount necessary to accomplish the purpose. Workforce members who can't identify PHI cannot apply this standard.

How to Build PHI Recognition Into Your Compliance Program

Your risk analysis under the Security Rule (45 CFR §164.308(a)(1)) should identify every location where PHI is created, received, maintained, or transmitted. But risk analysis only works when your people know what they're looking for.

Start with comprehensive HIPAA training and certification that goes beyond slide decks. Effective programs use scenario-based questions rooted in the examples above — forcing workforce members to classify real data as PHI or non-PHI before they encounter it in practice.

Your Notice of Privacy Practices must explain how your organization uses and discloses PHI, but that document is meaningless if front-desk staff can't distinguish between PHI and non-PHI during daily operations. Role-based training bridges that gap.

Every business associate with access to PHI needs the same foundational understanding. Your BAAs create legal obligations, but they don't create competency. Ensure your partners complete equivalent workforce training as part of your vendor management program.

Turn PHI Awareness Into a Measurable Compliance Outcome

Audit your workforce's PHI knowledge annually. Track whether staff can correctly identify the 18 identifiers, apply the minimum necessary standard, and flag impermissible disclosures before they become breach reports. Organizations that invest in workforce HIPAA compliance programs see measurable reductions in privacy incidents — and build a defensible record of compliance that matters when OCR comes calling.

Knowing what protected health information is — with specific, memorable examples — isn't a checkbox exercise. It's the single most important competency your workforce needs to keep patients' data safe and keep your organization out of OCR's enforcement pipeline.