A front-desk employee at a cardiology clinic in Texas faxed a patient's billing statement to the wrong number. The document included a name, date of birth, diagnosis code, and insurance ID. Within 48 hours, the clinic had a breach on its hands. The employee's defense? "I didn't think billing stuff counted as protected health information."

If you've ever seen the question "which of the following is protected health information" on a HIPAA training quiz, you know it trips people up. But this isn't just a test question. Misunderstanding what qualifies as PHI is the root cause of most workforce-level HIPAA violations I've investigated over the past decade.

This post breaks down exactly what PHI is, what it isn't, and why getting it wrong can cost your organization millions.

Which of the Following Is Protected Health Information? The Direct Answer

Protected health information (PHI) is any individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or its business associate. That's the definition straight from HHS under 45 CFR §160.103.

For information to qualify as PHI, it must meet all three of these conditions:

  • It relates to an individual's past, present, or future physical or mental health condition, the provision of healthcare, or payment for healthcare.
  • It identifies the individual — or there's a reasonable basis to believe it could identify the individual.
  • It's held or transmitted by a covered entity (health plan, healthcare clearinghouse, or healthcare provider) or a business associate.

Strip away any one of those three elements, and you don't have PHI. Keep all three, and every HIPAA rule — Privacy, Security, Breach Notification — applies in full force.

The 18 Identifiers You Must Recognize

HHS defined exactly 18 types of identifiers that make health information "individually identifiable." When combined with health data, any of these turns ordinary information into PHI:

  • Names
  • Geographic data smaller than a state
  • All dates (except year) related to an individual — birth date, admission date, discharge date, date of death
  • Phone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate or license numbers
  • Vehicle identifiers and serial numbers
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Biometric identifiers (fingerprints, voiceprints)
  • Full-face photographs and comparable images
  • Any other unique identifying number, characteristic, or code

I've seen organizations assume that removing a patient's name makes data safe. It doesn't. A medical record number alone, linked to a diagnosis, is PHI. An IP address tied to a therapy session log is ePHI. The identifiers cast a wide net on purpose.

Real Examples That Catch People Off Guard

Here's where the quiz question gets tricky. Let me walk you through scenarios I use in actual workforce training sessions.

Scenario 1: A Lab Result With a Name

A printed lab report showing "Maria Gonzalez — Hemoglobin A1C: 9.2%" is PHI. It has an identifier (name) and health information (lab result). No ambiguity here.

Scenario 2: An Appointment Reminder Text

"Reminder: You have an appointment at Springfield Behavioral Health on Thursday at 2 PM." This is PHI. The text reveals that a specific person (the phone number's owner) is receiving services at a mental health facility. Even the fact that someone is a patient at a particular provider is health information.

This scenario is exactly why our course on HIPAA training for mental and behavioral health spends an entire module on appointment communications. Behavioral health settings carry extra sensitivity because the mere acknowledgment of a patient relationship can be stigmatizing.

Scenario 3: De-identified Aggregate Data

A hospital publishes a report: "In Q1 2026, 340 patients were treated for influenza at our facility." No names, no dates of service, no identifiers. This is not PHI. It's de-identified aggregate data, and HIPAA doesn't restrict its use.

Scenario 4: A Conversation in a Hallway

A nurse tells a colleague in the elevator, "The guy in room 412 is getting worse — they're starting him on dialysis tomorrow." That spoken statement is PHI. Room numbers can identify a patient. The treatment detail is health information. And yes, verbal disclosures count.

Verbal PHI is the most underestimated risk I encounter. Your organization should address it head-on through targeted education like our Verbal Disclosures: Watch What You Say training module.

The $4.3 Million Mistake: When PHI Confusion Becomes a Penalty

In 2023, OCR settled with Yakima Valley Memorial Hospital for $240,000 after 23 security guards were found to have accessed patient medical records without a job-related reason. The guards likely didn't think browsing records was a big deal. They were wrong.

OCR's enforcement page reads like a catalog of PHI misunderstandings. Employees who email patient records to personal accounts. Staff who post surgery photos on social media without realizing metadata contains identifiers. Billing departments that send explanation-of-benefits documents to the wrong address.

Every single one of these comes back to the same gap: the people handling the data didn't truly understand what qualified as protected health information.

ePHI: PHI's Digital Twin With Extra Rules

When PHI exists in electronic form — stored on a server, transmitted via email, saved on a laptop — it becomes electronic protected health information (ePHI). The HIPAA Security Rule applies exclusively to ePHI and demands three categories of safeguards:

  • Administrative safeguards: Risk assessments, workforce training, access management policies.
  • Physical safeguards: Facility access controls, workstation security, device disposal.
  • Technical safeguards: Encryption, audit controls, access controls, transmission security.

Your organization handles ePHI the moment a patient fills out an online intake form, sends a message through a patient portal, or has their vitals recorded in an EHR. The Security Rule doesn't care about your organization's size. A solo practitioner with a laptop faces the same legal standard as a health system with 50,000 employees.

What Doesn't Count as PHI

Knowing what PHI isn't matters just as much as knowing what it is. Here's what falls outside the definition:

  • Employment records held in an employer role. If your company collects health data for FMLA or workers' comp in its capacity as an employer (not a covered entity), those records aren't PHI under HIPAA.
  • Education records covered by FERPA.
  • Health data held by non-covered entities. A fitness tracker company that isn't a covered entity or business associate isn't bound by HIPAA, even though it holds health-related data.
  • Fully de-identified data. If all 18 identifiers have been removed and there's no reasonable basis to re-identify, it's no longer PHI.

This distinction matters for your workforce. Staff should understand that HIPAA's reach has clear boundaries — but within those boundaries, the rules are absolute.
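To make the three-condition test and the identifier list concrete, here is a small Python scanner I've added for this post (it is not HHS tooling or anything from our course material). It flags the machine-detectable subset of the 18 identifiers in a document, then applies the three conditions so that the de-identified and non-covered-entity cases above come out as "not PHI"; the regexes, health-term list and sample records are my own assumptions for illustration.

```python
import re
from dataclasses import dataclass, field

# Regexes for the machine-detectable subset of the 18 Safe Harbor identifiers.
# Names, biometrics and photos need NER or image tooling and are not covered here.
# These patterns and the samples below are my own assumptions, not an HHS list.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+"),
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b"),  # finer than a year
    "record_number": re.compile(  # MRN, account, beneficiary-style numbers
        r"\b(?:MRN|Acct|Account|Member|Policy|Beneficiary)(?:\s*(?:ID|No\.?|#))?\s*:?\s*\d{4,}\b", re.I),
    "zip_code": re.compile(r"(?<![-\d])\b\d{5}(?:-\d{4})?\b(?![-\d])"),  # geography below state
}

# Words marking the text as about a health condition, care delivered, or payment for care.
HEALTH_TERMS = ("diagnosis", "icd", "hemoglobin", "a1c", "dialysis", "appointment",
                "treated", "therapy", "balance due", "behavioral health", "lab report")

@dataclass
class PhiAssessment:
    identifiers: dict = field(default_factory=dict)  # category -> matched strings
    health_related: bool = False
    covered_entity: bool = False

    @property
    def is_phi(self) -> bool:
        # All three conditions of 45 CFR 160.103 must hold at the same time.
        return bool(self.identifiers) and self.health_related and self.covered_entity

def find_identifiers(text: str) -> dict:
    """Return {category: [matches]} for every identifier category present in text."""
    return {cat: pat.findall(text) for cat, pat in IDENTIFIER_PATTERNS.items() if pat.search(text)}

def assess(text: str, held_by_covered_entity: bool = True) -> PhiAssessment:
    """Apply the three-part PHI test; the caller states who holds the record."""
    lowered = text.lower()
    return PhiAssessment(find_identifiers(text),
                         any(term in lowered for term in HEALTH_TERMS), held_by_covered_entity)

# Constructed sample: the kind of billing statement in the opening fax story.
BILLING_STATEMENT = """Springfield Cardiology Associates - Statement
Patient DOB: 03/14/1962   Member ID: 88213479   Austin, TX 78701
Diagnosis: I10 (ICD-10)   Balance due: $142.50
Questions? Fax 512-555-0147 or billing@example.org"""
```

Running `assess()` on the billing statement reports five identifier categories and "PHI"; the Scenario 3 aggregate sentence has no identifiers and comes out "not PHI", and the same therapy log held by a non-covered entity also comes out "not PHI" because the third condition fails.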

Why Your Workforce Training Needs to Hammer This Topic

In my experience, the biggest compliance failures don't start with hackers. They start with employees who can't answer "which of the following is protected health information" correctly. OCR has said repeatedly that inadequate workforce training is a systemic issue across covered entities.

Here's what effective PHI training looks like:

  • Scenario-based quizzes that force staff to classify real-world examples as PHI or not-PHI.
  • Role-specific modules. A billing clerk faces different PHI risks than a therapist. Train accordingly.
  • Annual reinforcement. One training session at onboarding isn't enough. HIPAA requires ongoing education.
  • Documentation. If you can't prove you trained your workforce, OCR treats it as if you didn't.

Our full HIPAA training catalog is built around this principle — practical, role-aware courses that go far beyond checkbox compliance.

The Breach Notification Trigger You Can't Ignore

When unsecured PHI is accessed, used, disclosed, or acquired in a way not permitted by the Privacy Rule, you have a presumed breach. The HIPAA Breach Notification Rule then requires you to notify affected individuals, HHS, and — if 500 or more people are involved — the media.

The notification clock starts ticking the moment you discover the breach. You get 60 calendar days. Miss that window and you're looking at a separate violation on top of the original one.

Every breach starts with PHI. If your staff can correctly identify what PHI is, they can flag potential incidents faster. That speed is the difference between a contained event and a six-figure settlement.

Put This Knowledge to Work

The next time you see the question "which of the following is protected health information," don't just pick the right answer on a quiz. Look around your own organization. Check the sticky note on the monitor at the front desk. Listen to what's being said in the break room. Open your fax log.

PHI is everywhere your patients are. Your job is to make sure every person on your staff — from the CEO to the custodial team — knows exactly what it looks like and what the rules demand.