A Receptionist, a Printer, and a $1.5 Million Penalty
In 2018, a medical center employee left a stack of patient lab results sitting on a shared printer for three hours. A visiting vendor photographed the pages and posted one on social media — with a patient's name, diagnosis, and date of birth fully visible. The breach report hit the Office for Civil Rights (OCR), and the investigation revealed a pattern of workforce members who couldn't answer a basic question: what PHI actually is.
That story isn't unusual. I've spent years consulting with covered entities — hospitals, dental offices, health plans, clearinghouses — and the single most common gap I find is this: staff handle protected health information every day without understanding what qualifies.
If you landed on this page asking what "PHI" means, you're already ahead of most. Here's the clear, specific answer — plus the details that keep organizations out of OCR's crosshairs.
What PHI Means Under HIPAA — The Direct Answer
PHI stands for Protected Health Information. Under the HIPAA Privacy Rule, PHI is any individually identifiable health information that a covered entity or its business associate creates, receives, maintains, or transmits. That's the legal definition from 45 CFR §160.103.
But definitions only get you so far. Let me break it into pieces you can actually use.
The Three Ingredients of PHI
For data to qualify as PHI, it needs all three of these elements at the same time:
- It relates to health. A past, present, or future physical or mental health condition, the provision of healthcare, or payment for healthcare.
- It identifies an individual — or could reasonably be used to identify one. Names, dates of birth, Social Security numbers, medical record numbers, even ZIP codes in some contexts.
- It's held or transmitted by a covered entity or business associate. The same data in a personal diary isn't PHI. In a hospital's EHR system, it is.
Remove any one of those three ingredients and the data may not meet the legal definition. A blood pressure reading with no name or identifier attached? Not PHI. A patient's name and address with no health context? Not PHI under HIPAA (though other laws may apply). Combine the two? Now you have PHI.
The 18 Identifiers That Make Health Data "Identifiable"
HHS published a specific list of 18 identifiers. When any one of these is linked to health information in the hands of a covered entity, you're dealing with PHI:
- Name
- Address (anything more specific than state)
- Dates related to the individual (birth date, admission date, discharge date, date of death)
- Phone number
- Fax number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate or license number
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- Web URL
- IP address
- Biometric identifiers (fingerprints, voiceprints)
- Full-face photographs and comparable images
- Any other unique identifying number, characteristic, or code
That last one is the catch-all. I've seen organizations assume they're safe because they stripped the obvious identifiers but left a unique patient code that maps back to a real person in another database. OCR doesn't give partial credit.
ePHI: The Digital Version That Gets Most People in Trouble
When PHI exists in electronic form — on a laptop, in a cloud-based EHR, inside an email, on a USB drive — it becomes ePHI (electronic protected health information). The HIPAA Security Rule applies specifically to ePHI and demands administrative, physical, and technical safeguards.
This is where breaches multiply. The HHS Breach Portal tells the story: the vast majority of large breaches reported to OCR involve ePHI — stolen laptops, misconfigured servers, phishing attacks on email accounts containing patient records.
If your workforce accesses ePHI from home — and in 2026, most clinical and administrative staff do at least occasionally — you need specific safeguards in place. Our Working from Home & PHI training covers exactly what remote workers must do to protect electronic protected health information outside the office.
What PHI Is NOT — Common Mistakes I Keep Seeing
De-identified Data
If all 18 identifiers have been removed and the covered entity has no reasonable basis to believe the remaining information can identify a person, it's considered de-identified under HHS de-identification guidance. De-identified data is not PHI, and the Privacy Rule doesn't restrict its use.
But here's what I've seen go wrong: organizations strip 16 of the 18 identifiers and assume they're compliant. They leave in dates of service or partial ZIP codes. That data is still identifiable — and still PHI.
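One way to catch exactly that mistake before an export leaves the building is a mechanical Safe Harbor sweep over each record, using the 18-identifier list above. The following is an added example, not code from this article or from any HHS tool; the column names and the two sample records are constructed assumptions, and the check is deliberately conservative: it flags any date more specific than a year and any ZIP code at all, which is stricter than the Safe Harbor exceptions for some three-digit ZIP prefixes.

```python
import re
from typing import Dict, List

# Constructed sample: an export the team believes is de-identified, but a date of
# service, a ZIP code and an internal patient code were left behind (assumed fields).
SAMPLE_RECORD = {
    "patient_id": "A-88213",        # assumption: opaque code that maps back to a person elsewhere
    "date_of_service": "2018-03-14",
    "zip": "02139",
    "diagnosis": "Type 2 diabetes",
    "systolic_bp": 138,
}
# Constructed sample that keeps only year and state, which this check accepts.
CLEAN_RECORD = {"year_of_service": "2018", "state": "MA", "diagnosis": "Type 2 diabetes"}
# Column names that hold one of the listed identifiers outright (assumed naming).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "street", "phone", "fax", "email", "ssn", "mrn",
    "beneficiary_number", "account_number", "license_number", "vin",
    "device_serial", "url", "ip_address", "fingerprint", "photo",
}
# Value shapes that give away an identifier whatever the column is called.
VALUE_PATTERNS = {
    "a date more specific than a year": re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "a ZIP code": re.compile(r"^\d{5}(-\d{4})?$"),
    "an email address": re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", re.I),
    "a phone or fax number": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "an IP address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "a Social Security number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}
# Identifier 18, the catch-all: a letter-prefixed serial that can be re-linked.
UNIQUE_CODE = re.compile(r"[A-Z]{1,3}-?\d{4,}")

def remaining_identifiers(record: Dict[str, object]) -> List[str]:
    """List every field that still carries an identifier; empty means none spotted."""
    findings = []
    for field, value in record.items():
        if value in ("", None):
            continue
        if field.lower() in DIRECT_IDENTIFIER_FIELDS:
            findings.append(f"{field}: direct identifier column still populated")
            continue
        text = str(value)
        for label, pattern in VALUE_PATTERNS.items():
            if pattern.search(text):
                findings.append(f"{field}: value looks like {label} ({text})")
                break
        else:
            if UNIQUE_CODE.fullmatch(text):
                findings.append(f"{field}: unique code that may map back to a person ({text})")
    return findings
```

Run it over every row of an export before release; any non-empty result means the data is still PHI and cannot be treated as de-identified.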
Employment Records
Employment records held by a covered entity in its role as employer are not PHI — even if they contain health information. Your HR file noting that an employee took medical leave is not covered by HIPAA (other laws like ADA and FMLA may apply). But the same employee's medical record in your clinic's system? Absolutely PHI.
Education Records
Student health records covered by FERPA are excluded from HIPAA's definition of PHI. A university health center operating under FERPA protections follows different rules. The lines get complicated when a university hospital treats non-students, though — I've worked with academic medical centers that needed entirely separate compliance frameworks for the two populations.
The $5.55 Million Lesson: What Happens When Staff Don't Know What PHI Is
In 2017, Memorial Healthcare System paid $5.55 million to settle with OCR after employees accessed the ePHI of 115,143 individuals without authorization. The root cause? Employees with legitimate system access used it to view patient records they had no treatment, payment, or operations reason to see. Internal controls failed. Workforce training failed.
Knowing what PHI is — and what your obligations are when you touch it — isn't abstract. It's the foundation every other HIPAA safeguard rests on. If your staff can't identify PHI, they can't protect it.
This is exactly why baseline training matters for every member of your workforce. Our HIPAA Introduction Training 2026 starts with what PHI means and builds from there — covering the Privacy Rule, the Security Rule, and breach notification requirements in language your team will actually retain.
PHI in Clinical Workflows: Where Nurses Get Tripped Up
Nurses and clinical staff interact with PHI more frequently than almost anyone in a healthcare organization. Verbal disclosures at the nurses' station, paper charts left in exam rooms, text messages about patient status — every one of these is a PHI touchpoint.
I've reviewed incident logs where a nurse texted a colleague a photo of a wound for a clinical consult. Good intentions. But the photo included the patient's wristband — name, date of birth, medical record number — sent over an unsecured personal phone. That's a PHI breach.
Clinical staff need training that maps to how they actually work, not generic slide decks built for administrators. Our HIPAA Training for Nurses course addresses these exact scenarios.
PHI vs. PII: A Distinction That Matters
People often confuse PHI with PII (personally identifiable information). PII is a broader concept used across federal privacy frameworks. A person's name, address, and Social Security number are PII whether or not health data is involved.
PHI is a subset — it's PII that also relates to health conditions, healthcare services, or payment for healthcare, and it's in the hands of a HIPAA-covered entity or business associate. The distinction matters because HIPAA's enforcement mechanisms, including OCR investigations and civil monetary penalties, apply specifically to PHI and ePHI.
Your Staff Will Handle PHI Today. Are They Ready?
Every covered entity — every hospital, every clinic, every health plan, every clearinghouse — has a workforce that touches protected health information. The Privacy Rule at 45 CFR §164.530(b) requires that you train every workforce member on your HIPAA policies and procedures. Not just clinicians. Not just IT. Everyone.
And that training has to start with the most fundamental question: what PHI is.
If your team can't reliably answer that question, everything downstream — your access controls, your breach notification procedures, your business associate agreements — is built on sand.
Browse our full HIPAA training catalog to find the right course for every role in your organization. Because the next OCR investigation won't wait for your staff to catch up.