Protected Health Information (PHI) is any information in a medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a healthcare service such as diagnosis or treatment.
Information is PHI only if it meets all three of the criteria above: it relates to an individual's health or care, it identifies (or could reasonably be used to identify) that individual, and it was created, used, or disclosed in the course of providing a healthcare service.
PHI includes obvious things like medical records and test results, but also extends to billing information, email or phone conversations about patients, appointment schedules, and even photographs that could identify individuals in a healthcare context.
HIPAA specifies 18 types of identifiers that, when combined with health information, create Protected Health Information that must be protected.
Full name, maiden name, aliases
Street address, city, county, and ZIP code (the first three digits of a ZIP code may be kept if the area they cover contains more than 20,000 people)
Birth date, admission date, discharge date, death date, and dates of service (all elements of these dates except the year)
Home, work, mobile phone numbers
Any email address associated with the individual
Full or partial SSN
MRN, patient ID, account numbers
Insurance member ID, policy numbers
Bank account, credit card numbers
Driver's license, professional licenses
License plate numbers, VIN, serial numbers
Medical device serial numbers, MAC addresses, IP addresses
Web addresses (URLs) associated with the individual
Fingerprints, voiceprints, retinal scans, facial photos
Any photographic image showing the face
Any other unique identifying number, code, or characteristic
Important Note
Even if you remove most identifiers, information may still be considered PHI if there's any reasonable basis to believe it could be used to identify an individual. For full de-identification, you must remove ALL 18 identifiers (Safe Harbor method) or have an expert certify low re-identification risk.
Understanding what doesn't qualify as PHI is equally important for avoiding over-protection that impedes normal business operations.
Key Distinction: The critical factor is whether information identifies or could identify a specific individual. Anonymous or properly de-identified data is not PHI, but be cautious—small data sets can often be re-identified even when obvious identifiers are removed.
Protected health information in physical form
Required Protections:
Protected health information in electronic format, subject to the HIPAA Security Rule
Required Protections:
Spoken protected health information, often overlooked but still protected
Required Protections:
It depends. If the text contains only the appointment time without health information, it's generally acceptable. However, including reason for visit, treatment details, or test results would be PHI requiring encryption or patient consent. Best practice: use secure patient portal messaging.
Yes. Names combined with the fact that someone is at a healthcare facility creates PHI. Consider alternatives like giving patients numbers or having them notify staff verbally rather than signing in publicly.
Only with appropriate safeguards. Regular email is not secure. You should use encrypted email, a secure portal, or ensure you have patient authorization. The receiving provider must also be authorized to receive the information.
Only if the service provider signs a Business Associate Agreement and encrypts the data. Services like standard Siri, Google Assistant, or Alexa are NOT HIPAA compliant. Use healthcare-specific dictation services with BAAs.
Only if you don't use identifying information. Discussing 'a 45-year-old diabetic patient' without names, locations, or other identifiers for educational purposes may be permissible. However, naming patients or providing enough detail to identify them violates HIPAA.
No, if properly aggregated and anonymized. Statistical data that doesn't identify individuals is not PHI. However, small populations can still risk re-identification (e.g., 'the only pediatric cardiac patient we saw last year').
De-identification removes PHI status from health information, allowing it to be used more freely for research, analysis, and other purposes. HIPAA recognizes three approaches:
Safe Harbor method: remove all 18 HIPAA identifiers and have no actual knowledge that the remaining information could identify an individual.
Advantages: a clear standard that is relatively straightforward to implement.
Limitations: strips significant utility from the data and may be overly restrictive.
Expert Determination method: a qualified expert applies statistical or scientific principles to determine that the risk of re-identification is very small.
Advantages: retains more data utility and allows a more nuanced approach.
Limitations: requires an expert statistician, is more expensive, and is documentation intensive.
Limited Data Set: remove most identifiers but retain dates, city, state, ZIP code, and ages; use requires a Data Use Agreement (DUA).
Advantages: more useful for research while still providing significant protection.
Limitations: not fully de-identified, requires a DUA, and still carries some restrictions on use.
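As an added example (not from the original article), the Python below applies the identifier list and the Safe Harbor rules described above to a patient record, with a second mode for the Limited Data Set variant: direct identifiers are dropped, dates reduced to the year, ZIP codes truncated to three digits subject to the 20,000-person threshold, and free-text notes scanned for identifiers that leak in. The population table, field names, sample record and regexes are constructed for illustration; the over-89 age aggregation comes from the Safe Harbor standard's own text rather than from this page.

```python
import re
# Constructed population figures for 3-digit ZIP prefixes (illustrative, not census data).
# Safe Harbor keeps a prefix only if its area holds more than 20,000 people, else "000".
ZIP3_POPULATION = {"021": 150_000, "036": 12_000}
# Fields from the identifier list that both methods must drop outright.
DIRECT_IDENTIFIERS = {"name", "street", "county", "phone", "email", "ssn", "mrn", "account",
                      "member_id", "license", "vin", "device_serial", "ip", "url", "photo"}
DATE_FIELDS = {"dob", "admitted", "discharged"}      # ISO "YYYY-MM-DD" strings
# Regexes for identifiers that leak into free text (constructed, US-style formats only).
LEAK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

def generalize_zip(zip_code: str) -> str:
    prefix = zip_code[:3]
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20_000 else "000"

def scrub_text(text: str) -> tuple[str, list[str]]:
    # Redact identifier patterns in notes and report which kinds were found.
    found = []
    for label, pattern in LEAK_PATTERNS.items():
        if pattern.search(text):
            found.append(label)
            text = pattern.sub(f"[{label.upper()} REMOVED]", text)
    return text, found

def deidentify(record: dict, mode: str = "safe_harbor") -> dict:
    # mode: "safe_harbor" (full de-identification) or "limited_data_set" (needs a DUA).
    lds = mode == "limited_data_set"
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or (key == "city" and not lds):
            continue                                   # dropped by both methods, or by Safe Harbor
        if key in DATE_FIELDS:
            out[key] = value if lds else value[:4]     # Safe Harbor keeps only the year
        elif key == "zip":
            out[key] = value if lds else generalize_zip(value)
        elif key == "age":
            # From the Safe Harbor rule text (not on this page): ages over 89 become "90+".
            out[key] = value if lds or value <= 89 else "90+"
        elif key == "notes":
            out[key], out["leaks_found"] = scrub_text(value)
        else:
            out[key] = value                           # e.g. state, diagnosis, lab results
    if not lds and out.get("age") == "90+":
        out.pop("dob", None)                           # a birth year would reveal age > 89
    return out
```

The `leaks_found` list is the useful audit signal: a non-empty value means structured de-identification alone was not enough and the record's free text needed review.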
Warning: Re-identification Risk
Research has shown that even "de-identified" data can often be re-identified by combining it with other publicly available datasets. The famous Netflix Prize incident demonstrated that supposedly anonymous viewing data could identify individuals. When in doubt, consult with a privacy expert or statistician.