A nurse texts a patient's lab results to a colleague using a personal phone. A receptionist confirms an appointment over the phone to a caller claiming to be a spouse. A billing clerk emails a spreadsheet of patient names, dates of birth, and diagnosis codes to the wrong address. Which of these scenarios involves protected health information?
All three. And I've watched organizations lose millions because their workforce couldn't answer that question correctly.
If you've ever wondered which of the following would be considered protected health information, you're asking the single most foundational question in HIPAA compliance. Get it wrong and every policy, every safeguard, and every training session you've built collapses. Let's break it down with specifics.
The Two-Part Test: What Actually Makes Data PHI
Protected health information isn't just a medical record. It's any information that meets two criteria simultaneously. Miss either one, and the data falls outside PHI — but nail both, and you're in HIPAA territory.
Criterion 1: It Relates to Health
The information must relate to an individual's past, present, or future physical or mental health condition, the provision of health care, or payment for health care. This is broader than most people think. A bill from a therapist qualifies. So does a note that a patient was referred to oncology — even if no diagnosis is recorded yet.
Criterion 2: It Identifies the Individual
The information must identify the individual or provide a reasonable basis to identify them. A name paired with a diagnosis is obvious PHI. But a zip code paired with a rare disease and a date of service can also identify someone, especially in a small community.
The HHS Office for Civil Rights (OCR) spells this out under the HIPAA Privacy Rule. If the data ties health information to an identifiable person, it's PHI — whether it's on paper, spoken aloud, or stored electronically as ePHI.
Which of the Following Would Be Considered Protected Health Information? A Real-World Quiz
I use this exercise in every workforce training session I run. Here's a version for you. Ask yourself which of these qualify as PHI:
- A patient's name on an appointment schedule
- An X-ray image stored in a hospital's EHR system
- A voicemail from a pharmacy confirming a prescription refill
- Aggregate statistics showing 14% of a hospital's patients have diabetes — with no individual identifiers
- An insurance explanation of benefits (EOB) mailed to a patient's home
- A fitness tracker's heart rate data synced to a consumer app
The first three are clearly PHI. They connect identifiable individuals to health care services. The EOB is also PHI when created or maintained by a covered entity or business associate.
The aggregate diabetes statistic is not PHI — no individual can be identified. The fitness tracker data is also generally not PHI, because consumer health apps typically aren't covered entities under HIPAA. But the moment that data flows to a covered entity — say, a physician downloads it into your medical record — it becomes PHI.
Context matters every time.
The 18 Identifiers You Need to Memorize
The Privacy Rule defines 18 types of identifiers that, when linked to health information, create PHI. Your workforce needs to know these cold:
- Names
- Geographic data smaller than a state
- Dates (except year) related to an individual — birth date, admission date, discharge date, date of death
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers (fingerprints, voiceprints)
- Full-face photographs and comparable images
- Any other unique identifying number, characteristic, or code
Strip all 18 from a dataset and you've de-identified it under the Safe Harbor method. Leave even one attached to health data, and you're handling PHI — with every obligation that entails.
The $1.5 Million Mistake That Started With a Spreadsheet
In 2018, OCR settled with Filefax, Inc. for $100,000 after PHI from medical records was found dumped in an unlocked truck accessible to the public. The organization failed to recognize that paper records containing patient names and treatment information were PHI requiring protection.
But the penalties climb much higher when electronic PHI is involved. Anthem, Inc. paid $16 million in 2018 — the largest HIPAA settlement in history at that time — after a breach exposed ePHI of nearly 79 million individuals. The root cause? Workforce members opened phishing emails, and the organization lacked adequate technical safeguards.
In every major enforcement action I've studied, the pattern repeats: someone on the front lines didn't understand what qualified as PHI, and no one had trained them well enough to recognize it. If your staff can't answer "which of the following would be considered protected health information," you have a gap that no firewall or encryption tool can fix.
PHI Isn't Just in the EHR — It's Everywhere
I've seen organizations lock down their electronic health record systems with military-grade encryption, then leave PHI exposed in places no one thought to check:
- Whiteboards in nursing stations listing patient names and room numbers
- Fax cover sheets sitting in open trays
- Voicemail systems with unencrypted messages containing diagnosis details
- Printed sign-in sheets at specialist offices where patients can see other names and appointment reasons
- Text messages between clinicians using personal devices without proper safeguards
PHI lives in verbal conversations, paper forms, text messages, billing records, scheduling systems, and even photographs taken by staff. If it links a person to their health care, it's PHI — regardless of the medium.
What About Business Associates?
A common misconception: only hospitals and doctor's offices handle PHI. In reality, every business associate — billing companies, IT vendors, shredding services, cloud storage providers — that touches PHI on behalf of a covered entity has the same obligations under the HIPAA Omnibus Rule.
If your organization contracts with vendors who access, store, or transmit PHI, you need a Business Associate Agreement (BAA) in place. And those vendors need their own workforce training. OCR doesn't care whether the person who exposed PHI was on your payroll or someone else's.
Quick-Answer: What Qualifies as PHI Under HIPAA?
PHI is any individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or business associate. It includes any data — oral, written, or electronic — that relates to a person's health condition, health care services, or payment for care, and that identifies the person or could reasonably be used to identify them. Remove all 18 HIPAA identifiers, and the data is considered de-identified and no longer PHI.
Training Is the Only Scalable Fix
Policies don't protect PHI. People do. And people only protect what they understand.
Every covered entity and business associate is required under the HIPAA Privacy Rule to train all workforce members on PHI handling. This isn't optional — 45 CFR § 164.530(b) mandates it. "Workforce" includes employees, volunteers, trainees, and anyone under the organization's direct control, whether paid or not.
I've seen organizations try to satisfy this requirement with a single onboarding video and a checkbox. That approach fails the moment a new employee encounters a scenario that wasn't covered. Effective training uses real examples — exactly the kind of "which of the following" questions that mirror actual workplace decisions.
Our HIPAA training catalog covers PHI identification, breach notification requirements, and the specific safeguards your workforce needs to apply daily. It's built for covered entities and business associates who want training that sticks — not just a compliance checkbox.
Three Steps to Take This Week
If this article surfaced gaps you hadn't considered, here's what to do now:
- Audit your PHI touchpoints. Walk through every department and document where PHI exists — not just in your EHR, but on paper, in voicemails, on mobile devices, and in vendor systems.
- Test your workforce. Give your team a quiz modeled on the "which of the following" format. If more than 10% of your staff gets an answer wrong, you need better training.
- Update your training program. HIPAA requires retraining when material changes occur, but best practice is annual refresher training at a minimum. Explore role-specific courses in the HIPAACertify training catalog to match training content to the PHI risks each role actually faces.
The question "which of the following would be considered protected health information" isn't just a test question. It's the question your workforce answers — correctly or incorrectly — every single day they handle patient data. Make sure they get it right.