A Receptionist, a Fax Machine, and a $1.5 Million Mistake
I once worked with a specialty clinic where a front-desk employee faxed a patient's lab results to the wrong number — a local auto body shop. The clinic shrugged it off. "It was just one page." But that one page contained a patient's name, date of birth, Social Security number, diagnosis, and physician name. That's at least five different types of PHI on a single sheet of paper, and every one of them triggers HIPAA's full protection requirements.
If your workforce can't identify what qualifies as protected health information, you're already exposed. Not theoretically — practically. OCR doesn't hand out warnings for ignorance. It hands out penalties.
This post breaks down every category of PHI your organization needs to know, why the distinctions matter, and where I've seen real teams get it wrong.
What Exactly Is PHI Under HIPAA?
Protected health information — PHI — is any individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits. That definition comes straight from HHS's Privacy Rule guidance. But what trips people up isn't the definition. It's the scope.
PHI isn't limited to medical records. It includes billing information, insurance claims, appointment schedules, even voicemails from patients confirming their visit. If it connects a person's identity to their health status, healthcare, or payment for healthcare — it's PHI.
The 18 Identifiers: HIPAA's Master List of Types of PHI
HHS defines 18 specific identifiers that make health information "individually identifiable" — and therefore protected. Here's the full list:
- Names
- Geographic data smaller than a state (street address, city, ZIP code)
- Dates directly related to an individual (birth date, admission date, discharge date, date of death)
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers (including license plates)
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers (fingerprints, voiceprints)
- Full-face photographs and comparable images
- Any other unique identifying number, characteristic, or code
That last one is the catch-all, and it's intentional. If you assign patients an internal tracking code and pair it with their diagnosis, that's PHI. Full stop.
Why the 18 Identifiers Trip Up Even Experienced Staff
Most people think of PHI as a medical chart or a prescription. They forget that a spreadsheet with patient names and appointment dates — no diagnoses at all — still qualifies. I've audited organizations where marketing teams had patient email lists sitting in shared Google Drives. Nobody flagged it because "there was no medical info in the file." But names plus email addresses maintained by a covered entity in the context of healthcare delivery? That's PHI.
If your team hasn't been trained on all 18 identifiers, you should explore the HIPAA training catalog at HIPAACertify.com to close that gap before OCR does it for you.
Electronic PHI (ePHI): The Type That Gets Breached Most
Electronic protected health information — ePHI — is simply PHI that's created, stored, or transmitted electronically. EHR systems, patient portals, email, cloud backups, even text messages between providers. The HIPAA Security Rule exists specifically because ePHI faces threats that paper never did.
And the breach numbers prove it. According to HHS's Breach Portal, the vast majority of large breaches reported involve electronic records — hacking incidents, unauthorized access to databases, stolen laptops with unencrypted drives. When Anthem Inc. suffered its massive 2015 breach affecting 78.8 million individuals, the compromised data was ePHI: names, dates of birth, Social Security numbers, and health plan IDs stored in electronic systems.
Where ePHI Hides in Your Organization
I've found ePHI in places that made compliance officers physically wince:
- Unencrypted USB drives in desk drawers
- Old smartphones with patient photos never wiped
- Shared Excel files on personal laptops
- Voicemail systems with patient callback messages
- Fax-to-email services that store PDFs in the cloud
If you only protect your EHR and ignore everything else, you're defending the front door while leaving every window open.
Oral PHI: The Type Nobody Documents
Here's one that surprises people: spoken information is PHI too. A nurse discussing a patient's condition in a hallway. A doctor leaving a voicemail with test results. A billing clerk reading an insurance ID over the phone to a vendor. All PHI. All protected under the Privacy Rule.
The Privacy Rule doesn't require soundproof rooms for every conversation. But it does require reasonable safeguards. Lower your voice. Move to a private area. Don't discuss cases in the elevator with visitors standing behind you.
I investigated one incident where a surgeon discussed a celebrity patient's procedure in a hospital cafeteria. Three staff members overheard it, one posted about it online, and the hospital ended up on the front page. The breach didn't start with a hacker. It started with a conversation.
Paper PHI: Still Very Much Alive
Despite the digital transformation in healthcare, paper PHI remains everywhere. Printed lab results. Intake forms on clipboards. Insurance explanation of benefits sitting in open mail trays. Prescription printouts left on printers.
In 2018, OCR settled with Filefax, Inc. for $100,000 after medical records from a covered entity were found dumped at an unauthorized location. The records were on paper. Old-fashioned, tangible, and completely unprotected.
Your shred bins, locked file cabinets, and clean-desk policies aren't optional extras. They're baseline requirements for handling paper-based types of PHI.
What Doesn't Count as PHI?
Not everything health-related qualifies. De-identified data — information stripped of all 18 identifiers with no reasonable basis to re-identify the individual — is not PHI. Employment records held by a covered entity in its role as an employer are also excluded, even if they contain health data like workers' comp claims.
Data in educational records covered by FERPA doesn't fall under HIPAA either. And health information held by entities that aren't covered entities or business associates — like a fitness app company with no ties to a health plan or provider — sits outside HIPAA's reach (though other regulations may apply).
The distinction matters. I've seen organizations waste resources locking down data that HIPAA doesn't cover while ignoring actual PHI flowing through unencrypted channels.
What Are the Different Types of PHI? (Quick Answer)
PHI falls into three primary formats: electronic PHI (ePHI), which includes any protected health information stored or transmitted digitally; paper PHI, which covers printed or handwritten records; and oral PHI, which encompasses spoken information about a patient's health or treatment. Within all three formats, PHI is defined by the presence of any of the 18 identifiers established by HHS when linked to health information. All three formats receive equal protection under the HIPAA Privacy Rule.
The $5.55 Million Lesson From Advocate Medical Group
In 2016, OCR settled with Advocate Medical Group for $5.55 million after multiple breaches involving ePHI. One breach involved the theft of four unencrypted laptops containing the ePHI of approximately 4 million individuals. The settlement highlighted failures in risk analysis and physical safeguards — foundational obligations tied directly to understanding what types of PHI exist in your environment and where they live.
You can't protect what you haven't inventoried. And you can't inventory what your workforce can't identify.
This is exactly why comprehensive HIPAA workforce training isn't a checkbox exercise — it's the mechanism that prevents your organization from becoming the next OCR enforcement headline.
Building a PHI-Aware Culture
Knowing the types of PHI is necessary but insufficient. Your entire workforce — from clinicians to janitorial staff to IT contractors — needs to recognize PHI in all its forms and understand their obligations around it.
Three Steps That Actually Work
- Conduct a PHI inventory. Map every system, device, filing cabinet, and workflow where PHI exists. Include oral exchanges like patient check-in procedures.
- Train role-specifically. A billing clerk faces different PHI exposure than a radiologist. Generic training misses the mark. The role-based courses at HIPAACertify.com address this directly.
- Test with real scenarios. Ask staff: "Is a patient's appointment reminder text PHI?" (Yes.) "Is a voicemail from a patient confirming their visit PHI?" (Yes.) "Is an anonymous satisfaction survey PHI?" (Probably not — if truly de-identified.) These conversations reveal gaps faster than any audit.
PHI Misidentification Is a Breach Waiting to Happen
Every breach investigation I've been involved in traces back to someone who didn't realize what they were handling was protected. The intern who emailed patient billing data to a personal Gmail account. The IT admin who backed up a server to an unencrypted personal drive. The office manager who tossed intake forms into the regular trash instead of the shred bin.
None of them were malicious. All of them created reportable breaches under the HIPAA Breach Notification Rule.
Understanding the types of PHI your organization handles — electronic, paper, and oral — and training every member of your workforce to recognize all 18 identifiers isn't aspirational. It's the bare minimum. The organizations that get this right don't just avoid penalties. They build the kind of trust that patients notice and competitors can't fake.
Start with your PHI inventory. Train your people. And do it before OCR comes asking questions you can't answer.