In 2023, OCR settled with a dental practice for $350,000 after an impermissible disclosure involving patient appointment data — information the practice didn't even realize qualified as protected health information. This scenario plays out constantly across healthcare. Understanding what's considered PHI under HIPAA isn't an academic exercise. It's the foundational question that determines the scope of every compliance obligation your organization carries.
What's Considered PHI: The Two-Part Test Most Organizations Miss
The Privacy Rule at 45 CFR §160.103 defines protected health information as individually identifiable health information that is transmitted or maintained in any form — electronic, paper, or oral — by a covered entity or its business associates. But the critical detail most organizations overlook is that PHI requires two elements occurring together.
First, the information must relate to the past, present, or future physical or mental health condition of an individual, the provision of healthcare to that individual, or payment for that healthcare. Second, it must identify the individual or provide a reasonable basis to believe the individual could be identified.
A diagnosis code alone, without any link to a specific person, is not PHI. A patient's name alone, without any connection to health information, is not PHI. But combine a name with a lab result, a billing record, or even an appointment time, and you've crossed the line into protected health information that triggers the full weight of HIPAA's Privacy, Security, and Breach Notification Rules.
The 18 HIPAA Identifiers That Make Health Data PHI
HHS defined 18 specific identifiers under the Safe Harbor de-identification method (45 CFR §164.514(b)(2)) that, when linked to health information, create PHI. Every member of your workforce needs to recognize these:
- Names — full or partial
- Geographic data smaller than a state (street address, city, ZIP code)
- Dates directly related to an individual (birth date, admission date, discharge date, date of death) — and all ages over 89
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers (fingerprints, voiceprints)
- Full-face photographs and comparable images
- Any other unique identifying number, characteristic, or code
That last category is the catch-all that trips up organizations. Patient portal usernames, internal tracking numbers, and even color-coded scheduling indicators can qualify if they serve as a unique identifier linked to health data.
Where Organizations Consistently Get PHI Wrong
In my work with covered entities, I see three recurring blind spots when it comes to identifying PHI.
Appointment information. Many front-desk staff don't realize that a patient's name combined with a scheduled appointment constitutes PHI. Leaving a voicemail that confirms a dermatology appointment, for instance, discloses both identity and the provision of healthcare.
Billing and payment records. Accounts receivable teams routinely handle PHI without recognizing it. An explanation of benefits, a claim submission, or even an invoice that connects a patient name to a service code is protected health information subject to the minimum necessary standard — your workforce should only access the PHI needed to perform their specific job function.
Oral disclosures. PHI isn't limited to electronic records. A conversation in a hallway, a phone call to a family member, or a discussion at a nursing station all involve PHI if they link a patient's identity to health information. OCR has investigated complaints stemming from exactly these scenarios.
PHI vs. De-Identified Data: Know the Regulatory Boundary
Data is no longer considered PHI once it has been properly de-identified under one of two methods outlined in 45 CFR §164.514. The Safe Harbor method requires removal of all 18 identifiers listed above, plus the organization must have no actual knowledge that the remaining information could identify an individual.
The Expert Determination method requires a qualified statistical or scientific expert to certify that the risk of identification is very small. This method is more flexible but carries documentation and validation requirements most smaller covered entities aren't equipped to handle.
Until data is properly de-identified through one of these methods, treat it as PHI. There is no informal middle ground that HIPAA recognizes.
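To make the two-part test and the Safe Harbor method concrete, here is an added Python example (not from this article or from HIPAA Certify) that classifies a flat patient record as PHI or not and applies Safe Harbor redaction to it; the field names, the free-text regular expressions and the fixed reference date are assumptions. It also handles the case Safe Harbor treats specially, ages over 89, where keeping the birth year alone would still reveal the age.

```python
"""Two-part PHI test and Safe Harbor redaction (45 CFR 164.514(b)(2)).
Added illustration, not the article's code; field names are assumptions."""
import re
from datetime import date
# Fields holding direct identifiers from the 18-item list (assumed names).
IDENTIFIER_FIELDS = {
    "name", "street", "city", "zip", "phone", "fax", "email", "ssn", "mrn",
    "beneficiary_id", "account_no", "license_no", "vin", "device_serial",
    "url", "ip", "fingerprint", "photo", "portal_username",
}
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}  # ISO strings
# Fields holding condition, treatment or payment information (assumed names).
HEALTH_FIELDS = {"diagnosis", "appointment", "lab_result", "claim_amount", "notes"}
# Identifiers that hide inside free text (the "any other unique code" class).
TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
}

def identifiers_in_text(text):
    """Identifier patterns found in a free-text field, e.g. ['phone', 'ssn']."""
    return sorted(k for k, p in TEXT_PATTERNS.items() if p.search(text or ""))

def is_phi(record):
    """Part 1: health/treatment/payment data. Part 2: any identifier, even in free text."""
    has_health = any(record.get(f) for f in HEALTH_FIELDS)
    has_ident = any(record.get(f) for f in IDENTIFIER_FIELDS | DATE_FIELDS)
    return has_health and (has_ident or bool(identifiers_in_text(record.get("notes"))))

def safe_harbor(record, today=date(2024, 6, 1)):  # fixed reference date (assumed)
    """Drop the identifier classes. Dates keep only their year; an age over 89
    collapses to '90+' and loses its birth year too, since the year alone would
    reveal the age. Identifier patterns in free text are masked."""
    out = {k: v for k, v in record.items()
           if k not in IDENTIFIER_FIELDS and k not in DATE_FIELDS}
    dates = {f: date.fromisoformat(record[f]) for f in DATE_FIELDS if record.get(f)}
    for f, d in dates.items():
        out[f + "_year"] = d.year
    if "dob" in dates:
        dob = dates["dob"]
        age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
        out["age"] = "90+" if age > 89 else age
        if age > 89:
            del out["dob_year"]
    if out.get("notes"):
        for p in TEXT_PATTERNS.values():
            out["notes"] = p.sub("[REDACTED]", out["notes"])
    return out
```

A record that passes through `safe_harbor` no longer satisfies `is_phi`, which is the regulatory boundary the section above describes; the "no actual knowledge" condition of Safe Harbor is a human judgement this code cannot make.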
Why Your Risk Analysis Must Account for All Forms of PHI
The HIPAA Security Rule at 45 CFR §164.308(a)(1) requires your organization to conduct a thorough risk analysis covering all electronic PHI it creates, receives, maintains, or transmits. But if your workforce doesn't accurately identify what qualifies as PHI, your risk analysis will have gaps from the start.
OCR's enforcement actions consistently cite incomplete risk analyses as a contributing factor in HIPAA violations. Between 2008 and 2024, failure to conduct an adequate risk analysis appeared in the majority of resolution agreements and civil money penalty cases. The connection is direct: if you can't identify PHI, you can't protect it.
The Workforce Training Requirement Most Organizations Underestimate
Under 45 CFR §164.530(b), covered entities must train all workforce members on PHI handling policies and procedures. This isn't limited to clinicians — it includes administrative staff, IT personnel, volunteers, and anyone with potential access to protected health information.
Generic, one-time orientations don't meet the standard. Your workforce needs scenario-based education that helps them recognize PHI in all its forms, understand the minimum necessary standard, and apply your organization's Notice of Privacy Practices in daily operations.
Investing in comprehensive HIPAA training and certification gives your team the practical knowledge to identify PHI correctly and handle it in accordance with the Privacy Rule. This is especially critical for business associate staff who may not have a healthcare background but routinely interact with identifiable health data.
Build a PHI-Aware Culture Across Your Organization
Knowing what's considered PHI is the entry point for every HIPAA obligation — from access controls and encryption to breach notification timelines and patient rights. When your organization gets this foundational question wrong, every downstream compliance effort is compromised.
Start by auditing where PHI exists across your workflows: intake forms, EHR systems, email threads, paper files, voicemails, and even text messages. Then ensure every workforce member who touches those workflows understands exactly what they're handling and why it matters.
If your organization is ready to strengthen its compliance posture from the ground up, HIPAA Certify's workforce compliance platform provides the structured training and documentation your covered entity needs to meet OCR's expectations — before an enforcement action forces the issue.