Skip to main content

GLOSSARY · Compliance

Protected Health Information PHI

Any individually identifiable health information held or transmitted by a HIPAA-covered entity or its business associates. The data category at the heart of HIPAA — defining what triggers the law's full scope.

Detailed definition

Protected Health Information is the data category at the center of HIPAA. Anything that combines health-related information with information that identifies (or could identify) an individual is PHI when held or transmitted by a covered entity or its business associates — which means every HIPAA control, every BAA, every audit obligation hinges on knowing what counts.

The 18 identifiers

HHS defines PHI by enumerating 18 categories of identifiers. Health information combined with any of these identifiers becomes PHI:

  1. Names
  2. Geographic subdivisions smaller than a state (street, city, county, ZIP)
  3. Dates directly related to an individual (birth, admission, discharge, death; year alone is OK for adults under 90)
  4. Phone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate or license numbers
  12. Vehicle identifiers (VIN, license plate)
  13. Device identifiers and serial numbers
  14. Web URLs
  15. IP addresses
  16. Biometric identifiers (fingerprint, voice print)
  17. Full-face photographs and comparable images
  18. Any other unique identifying number, characteristic, or code

If health data is stripped of all 18 categories, it is “de-identified” and falls outside HIPAA’s scope. Most operational PHI handling assumes the data is identifiable.

Why the definition matters operationally

The PHI definition is what triggers every HIPAA obligation. A spreadsheet of patient names plus appointment times is PHI; an aggregate count of appointments per week is not. A laptop containing PHI requires encryption; a laptop with only de-identified data does not. A cloud vendor handling PHI requires a BAA; the same vendor handling only de-identified data does not.

The practical result is that healthcare operations have to be deliberate about where PHI lives, who has access to it, and how it flows between systems. Most of the technical safeguards in the HIPAA Security Rule exist to enforce that deliberateness — access controls, audit logs, encryption, transmission security, integrity protections — all targeted at the specific subset of data that meets the PHI definition.

Where Bytes Unlimited fits

For healthcare clients we sign BAAs at engagement and scope managed-IT controls around the PHI-handling systems specifically. Not every system in a medical practice handles PHI; the controls don’t have to be uniform. Defining the PHI boundary (which systems touch it, which don’t) is part of the initial HIPAA risk analysis we run as part of onboarding.

RELATED TERMS

Need help applying PHI to your business?

We've done this kind of work across New York. First conversation is free.