In 2023, OCR settled with a dental practice for $350,000 after the organization disclosed patient records to a third-party marketing firm without authorization — largely because staff couldn't distinguish what qualified as protected health information. Understanding what qualifies as HIPAA protected health information isn't just an academic exercise. It's the foundation every workforce member needs to avoid exactly this kind of costly enforcement action.

What Is HIPAA Protected Health Information Under the Privacy Rule?

The HIPAA Privacy Rule (45 CFR §160.103) defines protected health information — commonly called PHI — as individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or business associate. This includes information that relates to a patient's past, present, or future physical or mental health condition, the provision of healthcare, or payment for healthcare services.

The critical word is individually identifiable. A lab result by itself isn't PHI. But a lab result attached to a patient name, date of birth, or medical record number becomes PHI the moment it can be linked to a specific person.

PHI exists in every format: paper charts in a filing cabinet, electronic records in your EHR, verbal communications between clinicians, even images on a smartphone. Your organization must protect all of it regardless of medium.

The 18 Identifiers That Make Health Information PHI

The Privacy Rule specifies 18 types of identifiers that, when combined with health information, create PHI. Healthcare organizations consistently struggle to recognize all of them. Here's the complete list:

  • Names
  • Geographic data smaller than a state
  • All dates (except year) related to an individual — birth date, admission date, discharge date, date of death
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Biometric identifiers (fingerprints, voiceprints)
  • Full-face photographs and comparable images
  • Any other unique identifying number, characteristic, or code

Many workforce members are surprised to learn that IP addresses and vehicle identifiers qualify. In my work with covered entities, I've seen breach investigations triggered by something as seemingly harmless as an emailed spreadsheet containing patient names and appointment dates — two identifiers that together constitute PHI.

PHI vs. De-Identified Data: A Distinction That Drives Enforcement

Under 45 CFR §164.514, health information can be stripped of all 18 identifiers through either the Safe Harbor method or the Expert Determination method. Once properly de-identified, the data is no longer PHI and falls outside HIPAA's regulatory scope.

But de-identification done incorrectly is a common source of HIPAA violations. OCR has made clear that removing just a name or just a date is insufficient. All 18 identifiers must be addressed. If even one identifier remains — and the information relates to health status, care, or payment — it's still PHI, and your Privacy Rule obligations still apply.
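The "one identifier left behind" failure above is easy to catch mechanically for the identifiers that have a recognizable shape. The screener below is an added example, not code from the page or its author: it scans free text for the pattern-detectable subset of the 18 Safe Harbor identifiers and flags a record that had only its name removed, while passing one reduced to year-only dates. The regexes, the `MRN-` number format and the two sample records are this example's own assumptions.

```python
import re

# Pattern-detectable subset of the Safe Harbor identifiers (45 CFR 164.514(b)(2)).
# Names, sub-state geography beyond ZIP codes, biometrics and photographs have no
# fixed shape and still need a reviewer, so a clean screen here is necessary but
# not sufficient. All regexes and the MRN- prefix are this example's assumptions.
IDENTIFIER_PATTERNS = {
    "full date (month/day present)":
        r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{2,4})\b",
    "telephone/fax number": r"\b(?:\(\d{3}\)\s?|\d{3}[-.])\d{3}[-.]\d{4}\b",
    "email address": r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b",
    "social security number": r"\b\d{3}-\d{2}-\d{4}\b",
    "IP address": r"\b(?:\d{1,3}\.){3}\d{1,3}\b",
    "web URL": r"\bhttps?://\S+",
    "medical record number": r"\bMRN[-:]?\d+\b",
    # Full 5- or 9-digit ZIP is sub-state geography; the rule's 3-digit exception
    # is not modeled here.
    "ZIP code": r"\b\d{5}(?:-\d{4})?\b",
}


def find_identifiers(text):
    """Return {identifier label: [matches]} for every pattern found in text."""
    findings = {}
    for label, pattern in IDENTIFIER_PATTERNS.items():
        hits = re.findall(pattern, text)
        if hits:
            findings[label] = hits
    return findings


def passes_safe_harbor_screen(text):
    """True only when no pattern-detectable identifier remains in the text."""
    return not find_identifiers(text)


# Constructed sample: the "just remove the name" mistake. Health information is
# still present, and the MRN, visit date and phone number each make it PHI.
PARTIALLY_SCRUBBED = (
    "Patient [REDACTED], MRN-4471920, seen 2024-03-12 for type 2 diabetes. "
    "Follow-up call to 617-555-0100."
)
# Constructed sample: dates reduced to year only (permitted), numbers and
# contact details removed.
DEIDENTIFIED = "Patient seen in 2024 for type 2 diabetes. Follow-up call scheduled."

if __name__ == "__main__":
    for label, text in (("partial", PARTIALLY_SCRUBBED), ("clean", DEIDENTIFIED)):
        print(label, passes_safe_harbor_screen(text), find_identifiers(text))
```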

How Covered Entities and Business Associates Must Handle PHI

Every covered entity — health plans, healthcare clearinghouses, and healthcare providers who transmit information electronically — must implement safeguards that protect PHI across its entire lifecycle. Business associates who handle PHI on behalf of covered entities carry the same obligations under the Omnibus Rule of 2013.

Key requirements include:

  • Minimum necessary standard: Under 45 CFR §164.502(b), your workforce should access, use, or disclose only the minimum amount of PHI needed to accomplish the intended purpose. A billing clerk doesn't need clinical notes. A scheduler doesn't need a diagnosis.
  • Risk analysis: The Security Rule (45 CFR §164.308) mandates a thorough risk analysis to identify threats to electronic PHI (ePHI). This isn't a one-time project — it's an ongoing obligation.
  • Notice of Privacy Practices: Your organization must provide patients a clear notice explaining how their PHI will be used and disclosed, and their rights regarding that information.
  • Business associate agreements: Any vendor, consultant, or contractor with access to PHI must be bound by a written agreement that meets the requirements of 45 CFR §164.504(e).

The Workforce Training Requirement Most Organizations Underestimate

Under 45 CFR §164.530(b), covered entities must train every workforce member on PHI handling policies and procedures. This isn't limited to clinicians. Front desk staff, IT personnel, janitorial workers who access areas with paper records — everyone who could encounter PHI needs documented training.

OCR has cited inadequate workforce training in numerous enforcement actions. In many breach investigations, the root cause traces back to an employee who simply didn't understand what qualified as PHI or how to handle it properly.

The most effective approach is comprehensive HIPAA training and certification that covers PHI definitions, permissible uses and disclosures, and real-world scenarios your staff will actually encounter. Generic annual slide decks don't meet the standard OCR expects.

Common PHI Mistakes That Trigger Breach Notifications

The Breach Notification Rule (45 CFR §§164.400-414) requires covered entities to notify affected individuals, HHS, and in some cases the media when unsecured PHI is compromised. These are the PHI-handling mistakes I see most often:

  • Misdirected communications: Faxing lab results to the wrong number or emailing a patient's records to an incorrect address.
  • Unencrypted devices: A lost laptop or USB drive containing ePHI without encryption triggers a presumed breach.
  • Improper disposal: Tossing paper records containing PHI into regular trash instead of shredding them.
  • Verbal disclosures: Discussing a patient's condition in a public area where others can overhear.
  • Social media posts: Staff sharing workplace photos that inadvertently capture patient information on a whiteboard or screen.

Each of these examples involves a failure to recognize or properly safeguard HIPAA protected health information in everyday operations.

Build a PHI-Aware Culture Across Your Organization

Understanding PHI isn't a one-time compliance checkbox — it's an organizational mindset. Every policy, every workflow, every new technology implementation should start with the question: does this involve PHI, and are we handling it according to HIPAA requirements?

Start by ensuring every member of your workforce — from leadership to new hires — completes rigorous training grounded in real regulatory standards. HIPAA Certify's workforce compliance program is built specifically for this purpose, giving your team the practical knowledge to identify PHI, apply the minimum necessary standard, and avoid the missteps that lead to OCR enforcement actions.

PHI is everywhere in your organization. Your workforce's ability to recognize and protect it is the single most important variable in your compliance posture.