Compliance
May 5, 2026
15 min read

What Is PHI Under HIPAA? The 18 Identifiers Explained

Kevin Barona

What is PHI under HIPAA? Protected Health Information (PHI) is any health information that can be used to identify an individual and that was created, used, or disclosed in the course of providing a healthcare service. This includes information about a person's past, present, or future health condition, the provision of healthcare, or the payment for healthcare, when that information is combined with one or more of 18 specific identifiers defined by HIPAA.

If your organization is a HIPAA covered entity or a business associate and you handle data that meets this definition, HIPAA requires you to protect it. Failure to do so can result in significant fines, corrective action plans, and reputational damage.

This guide covers exactly what qualifies as PHI, the full list of 18 identifiers, what does not count as PHI, and what all of this means for your compliance obligations.

How HIPAA Defines Protected Health Information

Understanding PHI starts with understanding how HIPAA builds the definition in layers. There are three terms that matter, and each one builds on the last.

Health information is the broadest category. It includes any information, whether oral, written, or electronic, that relates to a person's past, present, or future physical or mental health condition, the provision of healthcare to that person, or the past, present, or future payment for healthcare. This information can come from a healthcare provider, health plan, public health authority, employer, life insurer, school, or healthcare clearinghouse.

Individually identifiable health information is health information that includes identifiers, or where there is a reasonable basis to believe the information could be used to identify a specific person. This is where the 18 identifiers come into play.

Protected Health Information is individually identifiable health information that is transmitted or maintained in any form (electronic, paper, or oral) by a covered entity or business associate. This is the data that HIPAA's Privacy, Security, and Breach Notification Rules are designed to protect.

Here's the key takeaway: health information on its own, without any of the 18 identifiers, is generally not considered PHI (the remaining caveat, covered below, is that the organization must also have no actual knowledge that the data could still be used to identify someone). For example, a dataset of vital signs by themselves does not constitute PHI. But if that same dataset includes medical record numbers, the entire dataset becomes PHI and must be protected.

The 18 PHI Identifiers

HIPAA defines 18 specific data elements that qualify as identifiers. When any of these identifiers is combined with health information and maintained by a covered entity or business associate, the data becomes PHI and is subject to HIPAA protection.

Here is the complete list as defined by the Department of Health and Human Services (HHS):

  1. Names
  2. Geographic data smaller than a state (street address, city, county, zip code, and equivalent geocodes; the first three digits of a zip code may be kept only if the combined population of all zip codes sharing those three digits exceeds 20,000, otherwise they must be changed to 000)
  3. All elements of dates directly related to an individual (birth date, admission date, discharge date, date of death), except year alone; and all ages over 89 together with any date elements, including year, that reveal such an age (these may be aggregated into a single "90 or older" category)
  4. Phone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate and license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web URLs
  15. Internet Protocol (IP) addresses
  16. Biometric identifiers, including fingerprints and voiceprints
  17. Full-face photographs and any comparable images
  18. Any other unique identifying number, characteristic, or code

That last identifier is broad by design. It's a catch-all that covers any data point not listed above that could still be used to identify an individual. However, it does not include codes assigned by a researcher or organization specifically for the purpose of coding data, as long as those codes are not derived from the individual's information and the method for generating them is not disclosed.

One additional rule applies to de-identification. Any code used to replace these identifiers cannot be derived from information related to the individual. And the organization must not have actual knowledge that the remaining data could be used to re-identify the person. If either condition is not met, the data is still considered PHI.


What Is NOT Considered PHI?

This is one of the most misunderstood areas of HIPAA. Not all health-related data qualifies as PHI. Understanding what falls outside the definition is just as important as understanding what falls inside it. Getting this wrong in either direction creates problems. Overprotecting non-PHI data creates unnecessary access barriers that slow down operations. Underprotecting actual PHI exposes your organization to violations and penalties.

Here are the most common categories of data that are not considered PHI under HIPAA:

  • Health information without identifiers. A dataset of blood pressure readings, lab results, or diagnostic codes with no identifying information attached is not PHI. The data only becomes PHI when one or more of the 18 identifiers is present in the same dataset.

  • De-identified data. Health information from which all 18 identifiers have been removed, and for which the organization has no actual knowledge that the remaining data could be used to re-identify the individual, is not PHI. HIPAA provides two methods for de-identification: the Safe Harbor method (removing all 18 identifiers) and the Expert Determination method (having a person with appropriate statistical and scientific expertise determine and document that the risk of re-identification is very small).

  • Research health information kept only in researcher records. Health-related data collected during a research study that is not entered into a medical record and is not used for treatment, payment, or healthcare operations is not PHI under HIPAA. Other research regulations still apply, but HIPAA does not.

  • Employment records. Health information maintained by an employer in its role as an employer is not PHI. This includes sick leave records, workplace injury logs, drug test results kept in personnel files, and similar records. These are governed by other laws (such as OSHA or the ADA), not HIPAA.

  • Student health records covered by FERPA. Health records maintained by educational institutions that receive funding from the U.S. Department of Education are considered education records under the Family Educational Rights and Privacy Act (FERPA), not HIPAA. This includes records from school nurses, university health centers, and campus counseling services.

  • Consumer health data from non-covered entities. Health-related data collected by consumer fitness trackers, wellness apps, or health-focused websites that are not operated by covered entities or business associates is not PHI under HIPAA. These apps may be subject to other privacy regulations (such as the FTC Act or state privacy laws), but HIPAA does not apply to them.

The distinction often comes down to two questions. First, is the data linked to an identifier? Second, is it being handled by a covered entity or business associate? If either answer is no, the data is likely not PHI under HIPAA.
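The Safe Harbor rules described above (the 18-identifier list and the de-identified-data bullet) are mechanical enough to implement. The following is an added worked example, not code from the original article or from any HIPAA tooling: it applies Safe Harbor to structured patient records by dropping direct identifiers, generalizing zip codes to three digits, reducing dates to the year, collapsing ages over 89 into a "90+" category (and dropping the birth year that would reveal such an age), and scrubbing SSN, phone and email patterns from free-text notes. The field names, the sample records, and the set of restricted three-digit zip prefixes are all constructed for illustration; a real deployment must derive the restricted prefixes from current Census population data.

```python
import re
from datetime import date

# Direct identifiers (Safe Harbor items 1 and 4-17) that are removed outright.
# Field names are assumptions for this example, not a HIPAA-defined schema.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_number", "license_number", "vehicle_plate", "device_serial",
    "url", "ip_address", "biometric", "photo",
}

# Dates directly related to the individual (item 3): reduced to year only.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# CONSTRUCTED placeholder: 3-digit zip prefixes whose combined population is
# 20,000 or fewer must become "000". Replace with a set built from Census data.
RESTRICTED_ZIP3 = {"036", "059", "102", "203", "556"}

# Patterns for identifiers that commonly leak into free-text notes.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"(?<!\d)\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}(?!\d)"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
]

REFERENCE_DATE = date(2026, 5, 5)  # assumed "today" for age calculations


def age_on(birth: date, ref: date) -> int:
    """Whole years from birth to ref; one less if the birthday is still ahead."""
    return ref.year - birth.year - ((ref.month, ref.day) < (birth.month, birth.day))


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits unless the prefix is population-restricted."""
    digits = re.sub(r"\D", "", zip_code)[:3]
    if len(digits) < 3 or digits in RESTRICTED_ZIP3:
        return "000"
    return digits


def scrub_text(text: str) -> str:
    """Best-effort removal of SSN/phone/email patterns from free text."""
    for pattern, token in FREE_TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text


def safe_harbor(record: dict, reference_date: date = REFERENCE_DATE) -> dict:
    """Return a Safe Harbor de-identified copy of one structured record."""
    birth = record.get("birth_date")
    over_89 = isinstance(birth, date) and age_on(birth, reference_date) > 89
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                              # drop direct identifiers
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "age":
            out["age"] = "90+" if value > 89 else value
        elif key in DATE_FIELDS:
            if over_89 and key == "birth_date":
                continue                          # even the year reveals age > 89
            out[key + "_year"] = value.year if isinstance(value, date) else None
        elif key == "notes":
            out["notes"] = scrub_text(value)
        else:
            out[key] = value                      # clinical data passes through
    if over_89:
        out["age"] = "90+"                        # single aggregated category
    return out


# Constructed sample records; not real patient data.
SAMPLE_RECORDS = [
    {
        "name": "Jane Q. Example", "mrn": "MRN-0048213", "email": "jane@example.com",
        "zip": "02139", "birth_date": date(1931, 3, 15),
        "admission_date": date(2025, 11, 2), "diagnosis_code": "I10",
        "systolic_bp": 142,
        "notes": "Patient reached at 617-555-0142; SSN 123-45-6789 on file.",
    },
    {
        "name": "John Example", "ssn": "987-65-4321", "zip": "03604",
        "birth_date": date(1990, 6, 1), "discharge_date": date(2026, 1, 9),
        "ip_address": "203.0.113.7", "diagnosis_code": "E11.9",
        "notes": "Follow-up scheduled; contact john@example.org.",
    },
]


def deidentify_samples() -> list:
    return [safe_harbor(r) for r in SAMPLE_RECORDS]


if __name__ == "__main__":
    for r in deidentify_samples():
        print(r)
```

Two caveats a practitioner should keep in mind. First, Safe Harbor is only satisfied if, in addition to removing the 18 identifiers, the organization has no actual knowledge that the output could re-identify someone; the script cannot decide that for you. Second, the regex scrubbing only catches well-formed SSN, phone and email strings; names, addresses and dates written into narrative notes are not handled, which is why free-text-heavy datasets usually end up under Expert Determination rather than Safe Harbor.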

PHI vs. ePHI: What's the Difference?

ePHI stands for electronic Protected Health Information. It is PHI that is created, received, stored, or transmitted in electronic form. This includes data in electronic health records (EHR) systems, emails containing patient information, digital images, lab results stored in databases, and any other electronically maintained health data.

The distinction matters because HIPAA's Security Rule applies specifically to ePHI. The Security Rule requires covered entities and business associates to implement three categories of safeguards: administrative (policies, training, risk assessments), physical (facility access controls, workstation security), and technical (encryption, access controls, audit logs).

PHI that exists only in paper or oral form is protected under the Privacy Rule but is not subject to the Security Rule's technical requirements.

In practice, most organizations today handle ePHI. If your patient records, billing data, or health information exists anywhere in a digital system, the Security Rule applies to your organization. This means you need both Privacy Rule and Security Rule compliance.

Why Understanding PHI Matters for Compliance

Knowing what counts as PHI is not an academic exercise. It directly determines your compliance obligations and your risk exposure.

If you handle PHI, three sets of HIPAA rules apply to your organization. The Privacy Rule governs how PHI can be used and disclosed. The Security Rule requires safeguards for ePHI. The Breach Notification Rule dictates what you must do if unsecured PHI is compromised, including notifying affected individuals without unreasonable delay and no later than 60 days after discovery, notifying HHS (immediately for breaches affecting 500 or more individuals, otherwise in an annual log), and notifying the media when a breach affects more than 500 residents of a state or jurisdiction.

Misidentifying PHI creates real operational problems. Organizations that treat non-PHI data as protected create unnecessary access restrictions that slow down workflows and frustrate staff. Organizations that fail to recognize PHI when they have it leave themselves exposed to HIPAA violations and enforcement actions. The statutory penalty tiers start at $100 and reach $50,000 per violation, with an annual cap of $1.5 million per provision violated; HHS adjusts these figures for inflation each year, so the amounts in force at any given time are higher than the statutory baseline.

The practical step is straightforward: audit your data. Know what information your organization collects, where it's stored, who has access to it, and whether it includes any of the 18 identifiers in combination with health information. If it does, it's PHI and HIPAA applies.

It's also worth noting that many of the safeguards required for PHI overlap with other compliance frameworks. Organizations that have already implemented ISO 27001 or SOC 2 will find that a significant portion of the technical and administrative controls carry over to HIPAA compliance.


Protecting PHI in Your Organization

Understanding what PHI is only matters if you act on it. Once you've identified the PHI your organization handles, the next step is making sure it's properly protected.

The essentials come down to five areas:

  1. Know your data. Conduct a thorough data inventory to identify where PHI exists across your systems, whether in electronic, paper, or oral form.
  2. Implement safeguards appropriate to each form. Encrypt ePHI, secure physical records, and establish policies for oral disclosures.
  3. Train your workforce. Every employee who has access to PHI needs to understand what it is, how to handle it, and what to do if something goes wrong.
  4. Manage your vendors. Execute a Business Associate Agreement (BAA) with every third party that accesses PHI on your behalf.
  5. Prepare for incidents. Build a breach response plan with clear timelines and responsibilities so you can meet HIPAA's notification requirements if a breach occurs.

If your organization handles PHI and you need help building or strengthening your compliance program, get in touch for HIPAA compliance services and we'll help you put the right protections in place.
