
When does medical data qualify as PHI under HIPAA?


Medical data qualifies as protected health information (PHI) under HIPAA when it is individually identifiable health information that relates to the past, present, or future physical or mental health or condition of an individual, the provision of healthcare to the individual, or payment for healthcare, and that identifies the individual or can be used to identify the individual. 

PHI is the intersection of health and personally identifiable information (PII). For example, a health record that contains health-related data linked with identifiers such as names or social security numbers is PHI. Health information that is not linked to an individual’s identity does not qualify as PHI. Similarly, personal identifiers without health information are not PHI. 

A Balkan Medical Journal study, ‘Patient Privacy in the Era of Big Data’ notes the link between PII and health information, “Individually identifiable health information is a subset of HI and contains identifiers or other such information that can be used to identify the subject of the health information…Most of the individually identifiable health information is protected health information (PHI).”

Health information of individuals who have been deceased for more than 50 years is not PHI under HIPAA. HIPAA itself was enacted in 1996; the Privacy Rule issued under it (finalized in 2000, with compliance required from 2003) governs the protection of PHI and has since been strengthened by the HITECH Act and by GINA's treatment of genetic information as health information. The Privacy Rule restricts the use and disclosure of PHI except under specific permitted or authorized circumstances.

 

What qualifies as PHI

PHI is any individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or medium, that relates to an individual’s health status, the provision of healthcare, or payment for healthcare. ‘Patient Privacy in the Era of Big Data’ pointedly mentions that, “Some PII elements such as personal names and social security numbers can be found in medical records, but they are not health information, hence not PHI.”

PHI encompasses a broad range of data elements that, when combined with health information, can identify an individual. Not all health information is PHI; only that which is linked to identifiers is considered PHI. The HIPAA Privacy Rule outlines specific identifiers that must be removed for data to be considered de-identified and thus not PHI.

 

The 18 HIPAA identifiers

The 18 HIPAA identifiers are the specific data elements that must be removed from health information to render it de-identified under the Privacy Rule's "Safe Harbor" method (the Rule's alternative, "Expert Determination," instead requires a qualified expert to document that the risk of re-identification is very small). These identifiers were defined by the U.S. Department of Health and Human Services (HHS) in the HIPAA Privacy Rule and apply to the individual and to the individual's relatives, employers, and household members. They include:

  • Names
  • Geographic subdivisions smaller than a state (e.g., street address, city, county, precinct, ZIP code), except that the first three digits of a ZIP code may be retained when the area they cover contains more than 20,000 people
  • All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date, and date of death; and all ages over 89 and any date element (including year) that indicates such an age, which may instead be aggregated into a single category of age 90 or older
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web URLs
  • Internet Protocol (IP) addresses
  • Biometric identifiers, including fingerprints and voice prints
  • Full-face photographs and any comparable images
  • Any other unique identifying number, characteristic, or code

The AMIA Annual Symposium Proceedings study ‘De-identification of Address, Date, and Alphanumeric Identifiers in Narrative Clinical Reports’ states, “According to the Privacy Rule, the identifiers... that belong to the individual or relatives, employers or household members... should not be present in any de-identified health records.”

Removing these identifiers makes the health information de-identified under Safe Harbor, and therefore outside HIPAA's protections, provided the covered entity has no actual knowledge that the remaining information could still be used, alone or in combination with other data, to identify the individual. Free-text fields deserve particular attention, since identifiers such as dates, phone numbers, or ages can survive there even after the structured columns have been cleaned.

 

When medical data becomes PHI

‘A beginner’s guide to avoiding Protected Health Information (PHI) issues in clinical research – With how-to’s in REDCap Data Management Software’, published in the Journal of Biomedical Informatics, notes a common pitfall in identifying PHI: “Because the list of 18 identifiers seems straightforward, many novice researchers rely solely on this list of single data elements to determine whether or not PHI is being collected. This habit is insufficient because it leads novice researchers to ignore indirect PHI.” 

Medical data becomes PHI when it contains individually identifiable health information that can be linked to an individual. This means that the data must include health-related information and at least one identifier that could be used to identify the patient. A lab result alone is not PHI; the same result becomes PHI once it is linked to any identifier, such as a patient’s name, medical record number, or full date of service. 

The combination of health data and identifiers such as dates, geographic information, or unique codes transforms generic medical data into PHI. Knowing when this classification attaches matters in research and healthcare operations, because once data is considered PHI it is subject to HIPAA's Privacy and Security Rules. Data that has been de-identified under the Safe Harbor or Expert Determination method, or aggregated so that individuals cannot be identified, does not qualify as PHI.

 

What’s not PHI

According to the above-mentioned commentary, “By definition, if data are not collected as part of the medical record or entered into the medical record, it is not PHI. HIPAA only applies to research that uses, creates, or discloses PHI that will be entered into the medical record or will be used for healthcare services, such as treatment, payment, or operations. Thus, not all data that includes personal identifiers meets the definition of PHI.”

Information that does not meet these criteria is not considered PHI. Notably, health data that is not individually identifiable or has been stripped of all personal identifiers is not PHI. This includes de-identified data from which all 18 HIPAA-specified identifiers have been removed, rendering the information incapable of being linked back to an individual. Such de-identified data falls outside the scope of HIPAA and may be used and shared without HIPAA's restrictions, although a re-identification code retained by the covered entity may not be disclosed, and other laws (state privacy law, the Common Rule for research, FTC rules) may still apply.

Health information collected by entities that are not covered by HIPAA, such as wearable device manufacturers, mobile health apps, or direct-to-consumer genetic testing companies, is generally not PHI unless those entities are acting as business associates of a covered entity (for example, an app a provider offers to its patients under a business associate agreement).

 

PHI in the digital world

According to the journal article ‘Protecting Electronic Private Health Information’ published in the Boston College Law Review, “The electronic processing of health data provides invaluable benefits to patients and health care providers.” The HIPAA Security Rule complements the Privacy Rule by requiring covered entities and business associates to implement administrative, physical, and technical safeguards. 

These include access controls, encryption, audit controls, secure user authentication, and transmission security to protect PHI in electronic form. For email, one of the channels where these safeguards apply, HIPAA compliant email platforms like Paubox are one way to meet them. 

Digital governance also involves monitoring data sharing, ensuring compliance with data use agreements, and employing automated tools to detect PHI in datasets before transfer or research use. Automated programs using pattern matching and regular expressions can scan structured columns and free-text fields for potential PHI elements like medical record numbers, phone numbers, or full dates, which is where indirect PHI most often survives a column-by-column review. 
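As an added example (not code from the original page, Paubox, or any of the cited studies), the script below combines the two procedures discussed above: it applies Safe Harbor transforms to a structured dataset (dropping direct-identifier columns, truncating ZIP codes, reducing dates to years, and collapsing ages over 89 into "90+"), then regex-scans every remaining string field for identifiers that survived, and refuses release if any are found. The sample records, column names, the regex patterns, and the restricted ZIP prefix list are all constructed assumptions for illustration; the authoritative ZIP list comes from HHS guidance, and a production scanner would need far broader patterns (names, addresses, NLP for narrative notes).

```python
import re
from datetime import date

# Regexes for a few Safe Harbor identifiers that tend to hide in free text.
# Assumption: illustrative patterns only, not a complete PHI detector.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "mrn": re.compile(r"\bMRN[:\s#]*\d{6,}\b", re.IGNORECASE),
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "age_over_89": re.compile(r"\b(?:9\d|1\d\d)[ -]year[ -]old\b", re.IGNORECASE),
}

# Columns removed outright: names, contact details, record numbers.
# Assumption: hypothetical column names for the sample dataset.
DROP_COLUMNS = {"name", "mrn", "ssn", "phone", "email", "street"}

# Three-digit ZIP prefixes whose area holds fewer than 20,000 people and so
# must become "000". Assumption: illustrative; take the real list from HHS.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Constructed sample records; the second hides PHI inside a free-text note.
SAMPLE_ROWS = [
    {"name": "Jane Roe", "mrn": "MRN 00123456", "dob": "1931-04-02", "zip": "02115",
     "admission_date": "2023-03-14", "diagnosis": "E11.9",
     "notes": "Routine follow-up."},
    {"name": "John Doe", "mrn": "MRN 00987654", "dob": "1985-11-30", "zip": "03601",
     "admission_date": "2023-06-01", "diagnosis": "J45.20",
     "notes": "Patient's daughter (call 617-555-0142) reports exposure on 05/28/2023."},
]
REFERENCE_DATE = date(2024, 1, 1)  # date against which ages are computed


def safe_harbor_zip(zip_code: str) -> str:
    """Keep only the first three digits, or 000 for sparsely populated areas."""
    zip3 = zip_code.strip()[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_on(dob: date, reference: date) -> int:
    """Whole years between dob and reference."""
    years = reference.year - dob.year
    if (reference.month, reference.day) < (dob.month, dob.day):
        years -= 1
    return years


def deidentify_row(row: dict, reference: date) -> dict:
    """Apply Safe Harbor column transforms to one structured record."""
    out = {k: v for k, v in row.items() if k not in DROP_COLUMNS}
    out["zip"] = safe_harbor_zip(row["zip"])
    dob = date.fromisoformat(row["dob"])
    age = age_on(dob, reference)
    del out["dob"]
    if age > 89:
        # Ages over 89, and any date element revealing such an age (here the
        # birth year), collapse into the single "90 or older" category.
        out["age"] = "90+"
    else:
        out["age"] = age
        out["birth_year"] = dob.year
    # Every other date keeps only its year.
    out["admission_year"] = date.fromisoformat(row["admission_date"]).year
    del out["admission_date"]
    return out


def scan_residual_phi(rows):
    """Regex-scan all string values of transformed rows for identifiers that
    survived the column transforms (the indirect PHI in free-text fields)."""
    findings = []
    for idx, row in enumerate(rows):
        for column, value in row.items():
            if not isinstance(value, str):
                continue
            for label, pattern in PATTERNS.items():
                for match in pattern.finditer(value):
                    findings.append((idx, column, label, match.group(0)))
    return findings


def release_gate(rows, reference):
    """Return (deidentified_rows, findings, ok); ok is True only when nothing
    was flagged. Callers must not transfer the data when ok is False."""
    cleaned = [deidentify_row(r, reference) for r in rows]
    findings = scan_residual_phi(cleaned)
    return cleaned, findings, not findings


if __name__ == "__main__":
    cleaned, findings, ok = release_gate(SAMPLE_ROWS, REFERENCE_DATE)
    for row in cleaned:
        print(row)
    for finding in findings:
        print("residual PHI:", finding)
    print("safe to release:", ok)
```

Run as written, the first record passes (ZIP 02115 becomes "021", the 92-year-old becomes "90+", the admission date becomes 2023), while the second record is blocked even though every direct-identifier column was dropped: its ZIP prefix 036 is zeroed, and the note still carries a phone number and a full date, exactly the indirect PHI the REDCap guide warns about. The scan runs after the transforms, not before, so the gate checks what would actually leave the organization.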

Digital governance must balance data accessibility for healthcare and research with robust protections to maintain confidentiality. Policies address secondary uses of PHI, such as research or public health reporting, often requiring IRB approval or data use agreements.


 

FAQs

Are all healthcare-related entities required to comply with HIPAA PHI rules?

Only covered entities and their business associates are subject to HIPAA. Health data collected by non-covered entities, like fitness apps or direct-to-consumer genetic testing companies, is typically not PHI unless linked to a covered entity.

 

What constitutes unauthorized access to PHI?

Accessing PHI without a legitimate work-related reason or patient authorization, such as snooping on celebrity medical records or accessing colleagues’ records out of curiosity, is unauthorized and a HIPAA violation.

 

Can PHI be disclosed without patient consent?

PHI can be disclosed without the patient's authorization for treatment, payment, and healthcare operations, and for the other purposes the Privacy Rule expressly permits or requires (for example, public health reporting or disclosures required by law). Any other disclosure requires the patient's written authorization.

 

What are the consequences of PHI breaches?

Breaches can lead to civil and criminal penalties, including fines and imprisonment, as well as reputational damage. Individuals have been prosecuted for selling PHI or unauthorized access.

 

How does HIPAA address emerging identifiers like social media handles or biometric data?

Although the list of identifiers is over 20 years old, it already covers many newer data types: biometric identifiers (such as fingerprints and voice prints) are explicitly listed, and social media handles, usernames, and similar data fall under web URLs or the catch-all "any other unique identifying number, characteristic, or code." Such identifiers make health information PHI when linked to it, just as a name would.
