In 2023, a dental practice in New England received a $50,000 OCR settlement after a workforce member posted a patient's before-and-after photos on social media — without realizing the images constituted protected health information. The practice argued the posts didn't include names or dates of birth. OCR disagreed. This case reflects one of the most persistent gaps in healthcare compliance: organizations and their employees fundamentally misunderstand what is PHI and what is not under the HIPAA Privacy Rule.

What Is PHI and What Is Not Under the Privacy Rule

Protected health information, or PHI, is defined under 45 CFR §160.103 as individually identifiable health information that is created or received by a covered entity or business associate and relates to the past, present, or future physical or mental health condition of an individual, the provision of healthcare, or payment for healthcare. The critical phrase is individually identifiable.

PHI exists when two elements combine: (1) health-related data and (2) information that identifies — or could reasonably be used to identify — the individual. Remove either element completely, and the data generally falls outside HIPAA's definition of PHI.

Here's where most organizations get it wrong. A diagnosis code alone, sitting in a spreadsheet with no link to any person, is not PHI. But the moment you pair that diagnosis code with a patient's medical record number, ZIP code, email address, or even a facial photograph, it becomes PHI — and your organization's full HIPAA obligations apply.

The 18 Identifiers That Transform Health Data Into PHI

The HIPAA Privacy Rule identifies 18 specific identifiers under the Safe Harbor de-identification method (45 CFR §164.514(b)(2)). When any of these identifiers accompanies health information, the data is PHI:

  • Names
  • Geographic data smaller than a state
  • All dates (except year) related to the individual — birth date, admission date, discharge date, date of death
  • Phone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Biometric identifiers (fingerprints, voiceprints)
  • Full-face photographs and comparable images
  • Any other unique identifying number, characteristic, or code

The dental practice tripped over the photo-related categories: before-and-after dental photos are images comparable to full-face photographs, and the facial features they capture are biometric identifiers. Your workforce needs to know this list cold.
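As an added example that is not part of the original article, the Python screener below applies the two-element test from this section (health data plus any of the 18 identifiers) to simple record dictionaries and also shows the year-only carve-out for dates. The field-name hints, regular expressions and sample records are constructed assumptions for illustration; a real screening job would be driven by a reviewed data dictionary. Safe Harbor additionally requires that the covered entity has no actual knowledge the remaining information could identify the individual (45 CFR §164.514(b)(2)(ii)), a judgment no script can make for you.

```python
"""Screen records for PHI: health data combined with any Safe Harbor identifier.

Added example, not code from the original article. Field-name hints and value
patterns are illustrative assumptions; free-text fields still need human review.
"""
import re

# Value shapes that map onto Safe Harbor identifier categories. First match wins.
VALUE_PATTERNS = [
    ("Email addresses", re.compile(r"^[\w.+-]+@[\w-]+\.[\w.-]+$")),
    ("Social Security numbers", re.compile(r"^\d{3}-\d{2}-\d{4}$")),
    ("Phone numbers", re.compile(r"^\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}$")),
    ("IP addresses", re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")),
    ("Web URLs", re.compile(r"^https?://", re.I)),
    # Full dates only (month and day present). A bare four-digit year does not
    # match, which is the Safe Harbor "except year" carve-out.
    ("All dates (except year)",
     re.compile(r"^(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{2,4})$")),
    ("Geographic data smaller than a state", re.compile(r"^\d{5}(?:-\d{4})?$")),
]

# Field names (assumed conventions) whose values have no reliable shape.
FIELD_HINTS = {
    "name": "Names", "patient_name": "Names",
    "first_name": "Names", "last_name": "Names",
    "mrn": "Medical record numbers",
    "member_id": "Health plan beneficiary numbers",
    "account": "Account numbers",
    "street": "Geographic data smaller than a state",
    "city": "Geographic data smaller than a state",
    "photo": "Full-face photographs and comparable images",
    "fingerprint": "Biometric identifiers",
    "device_serial": "Device identifiers and serial numbers",
    "vin": "Vehicle identifiers and serial numbers",
}

# Field names (assumed conventions) that carry health or payment information.
HEALTH_FIELDS = {"diagnosis", "icd10", "procedure", "cpt", "medication",
                 "treatment", "claim_amount", "lab_result"}


def classify_value(field, value):
    """Return the Safe Harbor category for one field/value pair, or None."""
    key = field.lower()
    if key in FIELD_HINTS:
        return FIELD_HINTS[key]
    text = str(value).strip()
    for category, pattern in VALUE_PATTERNS:
        if pattern.match(text):
            return category
    return None


def screen_record(record):
    """Apply the two-element test: PHI = health data AND at least one identifier."""
    identifiers = []
    has_health = False
    for field, value in record.items():
        if field.lower() in HEALTH_FIELDS:
            has_health = True
        category = classify_value(field, value)
        if category:
            identifiers.append((field, category))
    return {"has_health_data": has_health,
            "identifiers": identifiers,
            "is_phi": has_health and bool(identifiers)}


def year_only(text):
    """Keep only the year from an ISO (YYYY-MM-DD) or US (M/D/YYYY) date."""
    text = str(text).strip()
    return text.split("-")[0] if "-" in text else text.split("/")[-1]


def safe_harbor_strip(record):
    """Conservative stripping: dates reduced to year, other identifiers removed.

    ZIP codes are dropped rather than truncated to three digits because the
    three-digit retention rule depends on census population data not used here.
    """
    cleaned = {}
    for field, value in record.items():
        category = classify_value(field, value)
        if category is None:
            cleaned[field] = value
        elif category == "All dates (except year)":
            cleaned[field] = year_only(value)
    return cleaned


# Constructed sample records; no real patient data.
SAMPLE_RECORDS = [
    {"mrn": "MRN-00042", "dob": "1984-03-17",
     "email": "j.doe@example.com", "icd10": "J10.1"},      # PHI
    {"birth_year": "1984", "state": "MA", "icd10": "J10.1"},  # health data, no identifier
    {"name": "Jane Doe", "phone": "617-555-0142"},            # identifiers, no health data
    {"flu_cases_q1_2024": 450, "quarter": "Q1 2024"},         # aggregate statistic
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(screen_record(rec))
    print(safe_harbor_strip(SAMPLE_RECORDS[0]))
```

Running the module prints one verdict per sample record and then the stripped form of the first record, which keeps only the birth year and the diagnosis code and therefore no longer screens as PHI. The useful lesson for a data inventory (the first actionable step later in the article) is that the same diagnosis code flips between "not PHI" and "PHI" purely on the basis of what sits beside it in the row.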

Common Examples That Are Not PHI

Understanding what is not PHI is equally important for operational efficiency. HIPAA does not regulate all health data — only health data linked to identifiable individuals held by covered entities and business associates.

These are generally not PHI:

  • Aggregate hospital statistics with no individual identifiers (e.g., "450 patients treated for influenza in Q1 2024")
  • De-identified data sets that have had all 18 identifiers removed per the Safe Harbor method
  • Employment records held by a covered entity in its role as an employer — not in its role as a healthcare provider
  • Health information in education records covered by FERPA
  • Data held by entities that are neither covered entities nor business associates, such as most fitness apps and consumer wearable companies (though FTC and state laws may apply)
  • A patient's verbal statement about their own health to a friend — HIPAA governs covered entities, not individuals

One scenario I encounter frequently: a hospital's HR department has employee medical leave records. Those records are employment records, not PHI — as long as they aren't maintained by the hospital's health plan or provider components. The distinction depends on capacity, not just content.

The Minimum Necessary Standard and PHI Scope

Even when data clearly qualifies as PHI, the HIPAA Privacy Rule's minimum necessary standard (45 CFR §164.502(b)) requires your covered entity to limit PHI use, disclosure, and requests to only the minimum amount needed for the intended purpose. This means your billing team doesn't need access to psychotherapy notes, and your scheduling staff doesn't need full treatment histories.

Misapplying the PHI definition often leads to minimum necessary violations. When workforce members don't understand what qualifies as protected health information, they tend to either over-share (exposing data unnecessarily) or under-protect (assuming data isn't covered when it is). Both create HIPAA violation risk.

Where Electronic PHI Adds Another Layer

The HIPAA Security Rule (45 CFR Part 164, Subparts A and C) applies specifically to electronic PHI, or ePHI. Any PHI that is created, stored, transmitted, or received in electronic form triggers the Security Rule's administrative, physical, and technical safeguard requirements — including your organization's mandatory risk analysis.

OCR enforcement actions reveal that many organizations fail to recognize ePHI in unexpected places: voicemail systems, scanned documents on shared drives, text messages between clinicians, and even metadata in digital images. If a digital file contains health information plus any of those 18 identifiers, it is ePHI, and your Security Rule obligations are fully in effect.

The Workforce Training Gap You Cannot Afford

OCR has consistently cited insufficient workforce training as a contributing factor in enforcement actions. Under 45 CFR §164.530(b), every covered entity must train all workforce members on PHI policies and procedures. Yet in my work with covered entities, I find that many training programs gloss over the PHI definition entirely — leaving staff to guess at boundaries.

Your workforce needs scenario-based education, not just a slide with the legal definition. Staff should be able to distinguish PHI from non-PHI in daily workflows: scheduling calls, patient intake forms, insurance verification emails, and even break-room conversations. A comprehensive HIPAA training and certification program builds this capability through practical examples grounded in regulatory requirements.

Actionable Steps for Your Organization

Clarifying what is PHI and what is not across your organization requires more than a policy update. These steps move the needle:

  • Audit your data inventory. Map every system, workflow, and communication channel where health data intersects with identifiers. This directly supports your required risk analysis under the Security Rule.
  • Update your Notice of Privacy Practices. Ensure it accurately describes how your organization uses and discloses PHI — and confirm your workforce understands the notice they're handing to patients.
  • Train by role. Front desk staff, clinicians, IT, and billing teams encounter PHI differently. Tailored training prevents the "it doesn't apply to me" mindset.
  • Review business associate agreements. Your business associates must understand the PHI definition as applied to the data they handle on your behalf. A downstream vendor's misclassification can become your breach.
  • Test comprehension. Annual checkbox training is not enough. Use quizzes, tabletop exercises, and real scenario reviews to verify your workforce actually understands the distinction.

If your organization hasn't recently evaluated its PHI handling practices and training programs, HIPAA Certify's workforce compliance platform provides the structure and accountability to close gaps before OCR finds them.

The line between PHI and non-PHI is not abstract — it determines which federal protections apply, which safeguards are required, and whether your organization faces enforcement risk. Get the definition right, and everything downstream becomes clearer.