In 2023, OCR settled with a dental practice in New England for $23,000 after an investigation revealed the organization had disclosed patient appointment information — including names, dates of service, and treatment details — to a third-party marketing vendor without a valid business associate agreement. The practice argued it didn't realize scheduling data counted as protected information. That misunderstanding cost them. If your workforce doesn't know exactly what info is protected by HIPAA, your organization is carrying the same risk.
What Info Is Protected by HIPAA Under the Privacy Rule
The HIPAA Privacy Rule, codified at 45 CFR Part 164 Subpart E, protects "protected health information" (PHI), which 45 CFR §160.103 defines as individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or its business associate. This includes information in any form: electronic, paper, or oral. The definition carves out only a few things, among them education records covered by FERPA, employment records a covered entity holds in its role as employer, and health information about a person who has been dead for more than 50 years.
PHI is not limited to diagnoses or lab results. It encompasses any data that connects a person's identity to their health condition, healthcare provision, or payment for healthcare. That connection is the critical element most organizations underestimate.
If a piece of information can be used alone or in combination to identify a specific individual and relates to their health or healthcare, it qualifies as PHI. Understanding this broad scope is the first step toward real compliance.
The 18 Identifiers That Make Health Data PHI
HHS has enumerated 18 specific identifiers in the Safe Harbor de-identification standard at 45 CFR §164.514(b)(2). They are the data elements that must be removed before health information can be treated as de-identified; as long as any of them is linked to health information, the data is PHI and must be protected accordingly. Here is the full list:
- Names
- All geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code), except that the first three digits of a ZIP code may be kept when the area those digits cover contains more than 20,000 people; otherwise they must become 000
- All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date, and date of death, plus all ages over 89 and any date elements that would reveal such an age (these ages may be aggregated into a single "90 or older" category)
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers, including finger and voice prints
- Full-face photographs and comparable images
- Any other unique identifying number, characteristic, or code
That last category is a catch-all, and OCR uses it. If your organization strips 17 identifiers but leaves a unique patient code that can be traced back to the person, you have not de-identified the data under HIPAA's Safe Harbor method. Safe Harbor also carries a second condition, at §164.514(b)(2)(ii): the covered entity must have no actual knowledge that the remaining information could be used to identify the individual. A re-identification code is permitted under §164.514(c) only if it is not derived from information about the individual and the mechanism for re-identification is never disclosed.
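The rules above are mechanical enough to script, and a data-masking step that feeds a test or analytics environment is where most organizations first have to apply them. The following is an added example, not code from the original page: it applies the Safe Harbor removal and generalization rules to a flat patient record, including the three-digit ZIP rule, the year-only date rule, the over-89 age rule, and a scan of free-text notes for identifiers that slipped in. The field names, the restricted-ZIP prefix list, the regular expressions, and the sample record are all assumptions constructed for the example.

```python
"""Safe Harbor de-identification of a flat patient record.

Added example, not code from the original page.  Applies the removal and
generalisation rules of 45 CFR 164.514(b)(2) to a dict of field -> string.
Field names, the restricted-ZIP list, the regexes and the sample record are
assumptions constructed for this example.
"""
import re
from datetime import date

# Direct identifiers: dropped outright (names, contact details, all the
# numbers, URLs, IPs, biometrics, photographs).
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "member_id", "account_number",
    "license_number", "vin", "device_serial", "url", "ip", "biometric", "photo",
}
# Date fields: reduced to the year, subject to the over-89 rule.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}
# Three-digit ZIP prefixes whose area holds 20,000 people or fewer; these
# become 000.  Illustrative, assumed subset; derive the real set from Census data.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}
# Identifiers that hide inside free text.  Constructed patterns; tune per data set.
FREE_TEXT_PATTERNS = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone", re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits unless that area is too small, then 000."""
    zip3 = zip_code[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_on(dob_iso: str, reference_iso: str) -> int:
    """Whole years between an ISO birth date and an ISO reference date."""
    dob, ref = date.fromisoformat(dob_iso), date.fromisoformat(reference_iso)
    years = ref.year - dob.year
    if (ref.month, ref.day) < (dob.month, dob.day):
        years -= 1
    return years


def scrub_free_text(text: str) -> tuple[str, list[str]]:
    """Replace embedded identifiers with [REDACTED-<KIND>]; report kinds hit."""
    hits = []
    for kind, pattern in FREE_TEXT_PATTERNS:
        text, count = pattern.subn(f"[REDACTED-{kind.upper()}]", text)
        if count:
            hits.append(kind)
    return text, hits


def deidentify(record: dict, reference_iso: str) -> tuple[dict, list[str]]:
    """Return (de-identified copy, log of actions taken)."""
    out, log = {}, []
    # Ages over 89 must be collapsed to "90 or older", and every date element
    # that would reveal such an age (including the birth year) must go.
    over_89 = "dob" in record and age_on(record["dob"], reference_iso) > 89
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            log.append(f"removed {field}")
        elif field == "zip":
            out[field] = generalize_zip(value)
            log.append(f"zip -> {out[field]}")
        elif field in DATE_FIELDS:
            if field == "dob" and over_89:
                log.append("removed dob (age over 89)")
            else:
                out[field] = value[:4]
                log.append(f"{field} -> year only")
        elif field == "age":
            out[field] = "90+" if int(value) > 89 else value
        elif field == "notes":
            out[field], hits = scrub_free_text(value)
            log.extend(f"notes: redacted {kind}" for kind in hits)
        else:
            out[field] = value  # diagnosis, state, sex, etc. stay as they are
    if over_89:
        out["age"] = "90+"
    return out, log


# Constructed sample record; every value is fictitious.
SAMPLE = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0042",
    "dob": "1931-03-15",
    "admit_date": "2024-05-02",
    "zip": "02139",
    "state": "MA",
    "diagnosis": "E11.9",
    "notes": "Reached at 617-555-0100, email jane@example.org; follow up in 2 weeks.",
}

if __name__ == "__main__":
    clean, log = deidentify(SAMPLE, "2024-06-01")
    for line in log:
        print(line)
    print(clean)
```

Two design points are worth noting. The free-text scan exists because the catch-all identifier usually hides in notes fields, not in the columns you already know about; a scrubber that only handles structured fields leaves the "actual knowledge" condition unmet the moment a clinician types a phone number into a comment. And the over-89 rule is applied before the field loop, because suppressing the birth year is a decision about the whole record, not about the `dob` field alone.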
Common Misconceptions About What Counts as PHI
Healthcare organizations consistently struggle with edge cases. In my work with covered entities, I see the same misunderstandings surface repeatedly.
Appointment schedules are PHI. A patient's name paired with a date and provider constitutes individually identifiable health information. Sign-in sheets visible to the waiting room, whiteboards with patient names, and scheduling systems accessible to unauthorized staff all present compliance gaps.
Billing records are PHI. Payment information tied to a patient — including claim data, explanation of benefits documents, and invoices that reference services — is fully protected under the Privacy Rule.
Verbal conversations are PHI. Protected health information is not limited to written or electronic records. A nurse discussing a patient's condition in a public hallway is a potential HIPAA violation. Incidental disclosures are permitted under §164.502(a)(1)(iii) only when reasonable safeguards and the minimum necessary standard were applied, so the question OCR asks is whether the conversation could reasonably have happened somewhere private. The minimum necessary standard requires your workforce to limit PHI disclosures to only what is needed for the intended purpose, in every medium.
Employment records held by a covered entity in its role as employer are excluded from the definition of PHI at §160.103, even when they contain health data (a doctor's note in an HR file, for example). When that same employer also sponsors a group health plan, the plan's records are PHI and §164.504(f) restricts what the plan may disclose to the sponsor, so the lines blur and risk increases.
How the Minimum Necessary Standard Shapes PHI Access
Knowing what info is protected by HIPAA is only half the equation. The Privacy Rule's minimum necessary standard at 45 CFR §164.502(b) requires covered entities to make reasonable efforts to limit PHI access, use, and disclosure to the minimum necessary to accomplish the intended purpose.
In practice that means role-based access controls in your EHR, written policies identifying which workforce roles need which categories of PHI (the implementation specifications at §164.514(d) require exactly this), and business associate agreements that clearly define permissible uses. OCR scrutinizes this standard during investigations, and a missing or unenforced minimum necessary policy is a recurring finding in enforcement actions.
Electronic PHI and the Security Rule's Added Requirements
When PHI exists in electronic form (ePHI), the HIPAA Security Rule at 45 CFR Part 164 Subpart C adds a full layer of administrative, physical, and technical safeguards. Your organization must conduct a thorough risk analysis under §164.308(a)(1)(ii)(A) to identify where ePHI resides, how it moves, and what threats it faces, and then manage the risks it finds under §164.308(a)(1)(ii)(B).
OCR's enforcement history makes one thing clear: the risk analysis requirement is the single most frequently cited deficiency in HIPAA investigations. Between 2008 and 2024, the majority of Resolution Agreements reference an inadequate or missing risk analysis. If your organization hasn't completed one recently, that should be your immediate priority.
The Workforce Training Requirement Most Organizations Underestimate
Under 45 CFR §164.530(b), every member of your workforce must be trained on your organization's PHI policies and procedures: each new member within a reasonable period after joining, and each member whose duties are affected by a material change in those policies within a reasonable period after the change. The training must be documented (§164.530(b)(2)), and the Security Rule adds its own security awareness and training requirement at §164.308(a)(5). This isn't optional, and it isn't a one-time event.
Yet many covered entities treat training as a checkbox exercise — a single annual video with no assessment. OCR expects documented, role-specific training that demonstrates your workforce understands what info is protected by HIPAA and how to handle it in their daily responsibilities.
Investing in a structured HIPAA training and certification program gives your organization defensible documentation while ensuring every team member can identify PHI, apply the minimum necessary standard, and respond appropriately to potential breaches.
What Happens When Your Organization Gets It Wrong
The Breach Notification Rule at 45 CFR §§164.400-414 requires covered entities to notify affected individuals and HHS when unsecured PHI is compromised, and to notify the media as well when a breach affects more than 500 residents of a state or jurisdiction. Civil penalties under HIPAA's four culpability tiers range from $137 to $68,928 per violation, with an annual cap of $2,067,813 for identical violations of the same provision; those are the figures HHS adjusted for inflation in 2023.
Beyond fines, the reputational damage from a breach posted to OCR's public Breach Portal (which lists breaches affecting 500 or more individuals and is commonly known as the "Wall of Shame") can erode patient trust for years. Prevention through proper identification and safeguarding of PHI is always less expensive than remediation.
Build a Culture That Protects PHI at Every Level
Understanding what info is protected by HIPAA isn't a question for your compliance officer alone. Every receptionist, billing specialist, IT administrator, and clinician in your organization handles PHI. Your Notice of Privacy Practices communicates patient rights externally, but internal culture determines whether those promises are kept.
Start with a current, comprehensive risk analysis. Implement role-based access aligned with the minimum necessary standard. Ensure every business associate agreement accounts for the PHI your vendors touch. And make workforce training continuous, not annual.
If your organization needs a practical path to compliance, HIPAA Certify's workforce compliance platform provides the tools and training to ensure your entire team understands PHI protections — and proves it with documentation that stands up to OCR scrutiny.