In 2023, OCR settled with a dental practice for $350,000 after an investigation revealed the organization had been disclosing patient names, treatment records, and appointment dates on a public-facing scheduling platform — without recognizing that these data points constituted protected health information. The compliance officer later admitted the workforce "didn't fully understand which items are considered PHI." That misunderstanding cost the practice hundreds of thousands of dollars and months of corrective action.
This confusion is more common than you'd expect. Healthcare organizations consistently struggle to identify every data element that qualifies as PHI, and that gap creates exposure under the HIPAA Privacy Rule (45 CFR §164.500–534). Let's fix that.
Which Items Are Considered PHI: The Legal Definition
Under HIPAA, protected health information (PHI) is any individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or business associate. The critical word is individually identifiable — it must relate to a person's past, present, or future physical or mental health condition, the provision of healthcare, or payment for healthcare, and it must identify the individual or provide a reasonable basis for identification.
This means a diagnosis code alone isn't PHI. But pair that code with a patient's name, date of birth, or medical record number, and it immediately becomes protected health information subject to HIPAA's full regulatory framework.
The 18 Identifiers That Make Health Data PHI
HHS defined 18 specific identifiers in the Privacy Rule's de-identification standard (45 CFR §164.514). When any of these identifiers accompanies health or payment information, the data qualifies as PHI. Your workforce needs to recognize every one of them:
- Names — full or partial
- Geographic data — street address, city, county, zip code (zip codes with fewer than 20,000 people are always identifiers)
- Dates — birth date, admission date, discharge date, date of death, and all ages over 89
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers (including license plates)
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers — fingerprints, voiceprints, retinal scans
- Full-face photographs and comparable images
- Any other unique identifying number, characteristic, or code
That last category is a catch-all, and OCR has used it aggressively. If a data element can reasonably be used to identify a person when combined with health information, it's PHI.
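The identifier list above is also a rule set that can be checked mechanically. The following is an added example, not code from the article: it encodes the identifier categories as detection rules, applies the article's own test for PHI (health or payment information plus at least one identifier), and performs the Safe Harbor transformations the list names, reducing dates to the year, aggregating ages over 89, and generalizing zip codes to the three-digit prefix (which Safe Harbor permits only when the area covered by that prefix exceeds the 20,000-person threshold, otherwise `000`). The regexes, field names, the prefix population table and the two sample records are constructed for illustration; names, medical record numbers and account numbers have no reliable textual pattern, so they are treated as fields to drop rather than patterns to detect.

```python
"""Safe Harbor style PHI check and de-identification (added example).

Field names, ZIP prefix populations and sample records are constructed.
"""
import re
from datetime import date

# Identifiers that can be spotted in free text by pattern.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone_or_fax": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
}

# Identifiers that have no usable textual pattern: treated by field name
# (hypothetical schema) and removed outright on de-identification.
IDENTIFIER_FIELDS = {"name", "mrn", "account_number", "beneficiary_id",
                     "device_serial", "license_plate", "photo_ref"}

# Constructed populations for three-digit ZIP prefixes (not real figures).
# The prefix is retained only if its area holds more than 20,000 people;
# unknown prefixes are treated conservatively and generalized to 000.
ZIP3_POPULATION = {"021": 700_000, "036": 12_000}
ZIP3_THRESHOLD = 20_000
AGE_CAP = 89  # all ages over 89 must be aggregated

SAMPLE_RECORDS = [  # constructed, not real patients
    {"name": "Jane Doe", "mrn": "MRN-0042", "birth_date": "1990-05-14",
     "zip": "02139", "admit_date": "2023-11-02", "diagnosis": "E11.9",
     "notes": "Portal login from 10.1.2.3; callback 617-555-0134."},
    {"name": "John Roe", "mrn": "MRN-0077", "birth_date": "1931-03-02",
     "zip": "03601", "diagnosis": "I10",
     "notes": "Email results to j.roe@example.com"},
]


def find_identifiers(text):
    """Return the sorted identifier categories found in a free-text string."""
    return sorted(k for k, rx in IDENTIFIER_PATTERNS.items() if rx.search(text))


def is_phi(record):
    """Article's test: health information plus at least one identifier."""
    has_health = bool(record.get("diagnosis") or record.get("notes"))
    ident_fields = IDENTIFIER_FIELDS & {k for k, v in record.items() if v}
    ident_text = set()
    for value in record.values():
        if isinstance(value, str):
            ident_text.update(find_identifiers(value))
    return has_health and bool(ident_fields or ident_text)


def scrub_text(text):
    """Replace every pattern-detectable identifier with a category tag."""
    for name, rx in IDENTIFIER_PATTERNS.items():
        text = rx.sub(f"[{name.upper()}]", text)
    return text


def generalize_zip(zipcode):
    """Keep the three-digit prefix only when its area is large enough."""
    zip3 = zipcode[:3]
    return zip3 if ZIP3_POPULATION.get(zip3, 0) > ZIP3_THRESHOLD else "000"


def _age(birth, today):
    return today.year - birth.year - ((today.month, today.day) < (birth.month, birth.day))


def de_identify(record, today=date(2024, 1, 1)):
    """Apply the Safe Harbor transformations and return a new record."""
    out = {}
    for key, value in record.items():
        if key in IDENTIFIER_FIELDS or not value:
            continue  # direct identifiers are dropped, not masked
        if key == "birth_date":
            birth = date.fromisoformat(value)
            if _age(birth, today) > AGE_CAP:
                out["age"] = "90+"  # the birth year alone would reveal age over 89
            else:
                out["birth_year"] = birth.year
        elif key.endswith("_date"):
            out[key.replace("_date", "_year")] = date.fromisoformat(value).year
        elif key == "zip":
            out["zip3"] = generalize_zip(value)
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(is_phi(rec), de_identify(rec))
```

The check and the transformation are deliberately separate: `is_phi` is the discovery step (run it over exports, vendor spreadsheets and logs to find data that needs a BAA or minimum-necessary review), while `de_identify` is what a data set must pass through before it leaves the regulated boundary, and its output no longer trips `is_phi`.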
PHI Exists in Every Format — Not Just EHRs
One of the most dangerous assumptions I encounter in my work with covered entities is that PHI lives only in electronic health records. In reality, PHI exists across every medium your organization touches:
- Paper records: intake forms, prescription printouts, explanation of benefits documents, sticky notes with patient names and room numbers
- Electronic records: EHR systems, billing databases, email threads, cloud storage, text messages
- Oral communications: conversations in hallways, phone calls with patients, voicemails left on answering machines
The Security Rule (45 CFR Part 164, Subpart C) applies specifically to electronic PHI (ePHI), but the Privacy Rule covers PHI in all forms. Your risk analysis must account for paper and oral disclosures alongside digital systems.
Common PHI Mistakes That Trigger OCR Enforcement
OCR enforcement actions reveal patterns of PHI mishandling that stem directly from organizations failing to understand which items are considered PHI:
Unredacted documents shared with vendors. Sending a business associate a spreadsheet with patient names and diagnosis codes — without a proper Business Associate Agreement — is a HIPAA violation. The minimum necessary standard requires you to limit PHI disclosure to only what's needed for the task.
Patient photographs on social media. Full-face photographs are explicitly listed as identifiers. Staff posting images of patients — even to celebrate a recovery — without written authorization violates the Privacy Rule.
Improper disposal. Throwing paper records containing any of the 18 identifiers into a standard trash bin rather than shredding them has led to multiple OCR settlements. In 2022, New England Dermatology paid $300,640 to settle a case involving improper disposal of PHI affecting over 58,000 individuals.
Overlooking IP addresses and device data. Digital health platforms and patient portals collect IP addresses and device identifiers routinely. When these are stored alongside health information, they become PHI — a fact many IT teams still miss during security assessments.
The Workforce Training Requirement Most Organizations Underestimate
Under 45 CFR §164.530(b), every covered entity must train all workforce members on PHI policies and procedures. OCR has made clear in multiple resolution agreements that "we trained them" isn't sufficient — the training must be specific enough that staff can identify PHI in their daily workflows.
Generic annual slide decks don't accomplish this. Your workforce needs scenario-based training that walks through which items are considered PHI in the specific context of their role — front desk, billing, clinical, IT, and leadership alike. A comprehensive HIPAA training and certification program should cover the 18 identifiers, the minimum necessary standard, and real enforcement examples so every team member understands their obligations.
How to Protect PHI Across Your Organization
Identifying PHI is the first step. Protecting it requires a systematic approach grounded in HIPAA's administrative, physical, and technical safeguard requirements:
- Conduct a thorough risk analysis that maps every location where PHI is created, received, stored, or transmitted — including paper files, mobile devices, and third-party platforms.
- Update your Notice of Privacy Practices to accurately reflect how your organization uses and discloses PHI, and make sure patients receive it.
- Implement role-based access controls so workforce members access only the PHI necessary for their job functions.
- Execute Business Associate Agreements with every vendor that creates, receives, maintains, or transmits PHI on your behalf.
- Establish breach notification protocols aligned with the Breach Notification Rule (45 CFR §§164.400–414), because if you can't identify PHI, you can't identify a breach.
Build a Culture That Recognizes PHI on Sight
The organizations that avoid OCR penalties aren't the ones with the thickest policy manuals. They're the ones where every workforce member — from the front desk to the C-suite — can point to a data element and say with confidence whether it qualifies as protected health information.
That kind of culture requires ongoing investment in workforce HIPAA compliance — not a one-time checkbox, but a sustained commitment to education, risk management, and accountability. When your team understands the 18 identifiers and recognizes PHI in every format it takes, you eliminate the single most common root cause of HIPAA violations: ignorance of what you're required to protect.