Key Takeaways
- Protected Health Information (PHI) is health information that can identify an individual and is held or transmitted by a covered entity or business associate.
- The same data can be PHI in one context and not another. Who holds it matters as much as what it says.
- HIPAA’s 18 identifiers define what to remove to de-identify data, not what PHI is.
- ePHI carries additional obligations under the HIPAA Security Rule on top of standard Privacy Rule requirements.
- Not everything health-related is PHI, as de-identified data, employment records, consumer app data, and FERPA education records fall outside HIPAA’s scope.
- PHI compliance is built on three rules: the Privacy Rule, the Security Rule, and the Breach Notification Rule.
- Civil penalties reach up to $2,190,294 per violation category per year, and OCR enforcement is at its most active level to date.
Introduction
Most people working in or around healthcare know that patient data needs to be protected.
But ask a room of compliance officers, IT leads, and healthcare administrators to define exactly what qualifies as Protected Health Information and what doesn’t, and you’ll get a surprising range of answers.
That ambiguity is costly. Misclassifying data as non-PHI when it is PHI can trigger breach investigations, patient harm, seven-figure penalties, and reputational damage that no fine fully captures.
This guide cuts through the confusion and covers:
- What PHI is, and what it isn’t
- The 18 identifiers and real-world examples
- How ePHI differs and what extra obligations it carries
- What PHI compliance requires
- Current HIPAA violations, penalties, and what a solid compliance program looks like
What Is PHI in Healthcare?
PHI stands for Protected Health Information, the category of health data that HIPAA requires covered entities and their business associates to safeguard.
PHI isn’t defined by a checklist of sensitive data types. For information to qualify as protected health information, all three conditions in the three-part test must be true:
- It’s health information — it relates to an individual’s past, present, or future physical or mental health condition, the provision of healthcare, or payment for that care.
- It’s individually identifiable — it identifies the individual, or there is a reasonable basis to believe it could be used to identify them.
- It’s held or transmitted by a covered entity or business associate — a healthcare provider, health plan, healthcare clearinghouse, or vendor acting on their behalf.
Remove any one of those three conditions, and the information is not PHI under HIPAA.
The nature of the data alone doesn’t determine PHI status. Who holds it, and in what capacity, matters just as much as what it says. If a patient calls a dental office to schedule an appointment and leaves their name and phone number, that information is not PHI as there’s no health information attached to it.
The moment that patient is treated and their name and phone number are recorded alongside clinical information, it becomes PHI. The data didn’t change, but the context did.
The same logic applies to wearables and consumer health apps.
A fitness tracker recording heart rate is capturing health-adjacent data, but that data is only PHI if a healthcare provider records it or a health plan uses it. If the device manufacturer has no Business Associate Agreement (BAA) with a covered entity, the data it stores isn’t HIPAA-protected PHI.
What Is Considered PHI Under HIPAA?
Once information meets the three-part test, the practical question is: what makes it individually identifiable?
HIPAA’s Safe Harbor de-identification standard specifies 18 types of identifiers that, when linked to health information in a covered entity’s records, render that information identifiable and protected.
One critical clarification: these 18 identifiers define what must be stripped away to make data no longer individually identifiable. They are a de-identification checklist, not a definition of PHI, a distinction most compliance literature gets wrong.
The identifiers apply not just to the patient, but also to their relatives, employers, and household members.
- Names — full name, nickname, initials, or any name by which the individual is known
- Geographic data — all subdivisions smaller than a state: street address, city, county, zip code, and equivalent geocodes
- Dates — all elements except year for dates directly related to an individual: birth date, admission date, discharge date, date of death. All ages over 89 must also be removed.
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate and license numbers
- Vehicle identifiers and serial numbers, including license plates
- Device identifiers and serial numbers, including medical device identifiers
- Web URLs
- IP addresses
- Biometric identifiers, like fingerprints, voiceprints, and retinal scans
- Full-face photographs and comparable images, i.e., any image from which an individual could be identified
- Any other unique identifying number, characteristic, or code — a catch-all for identifiers not explicitly listed above
For data to be de-identified under Safe Harbor, all 18 must be removed, not most of them, since partial de-identification does not exist under HIPAA.
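As an added illustration (not code from the article or from Jatheon), the following Python applies the identifier list above to a single constructed patient record: structured identifier fields are dropped, geographic subdivisions smaller than a state are removed as the article states them, dates are reduced to the year, and ages over 89 are aggregated. The field names and the sample record are assumptions; the second function shows why a structured pass alone is not enough, since identifiers can survive in free-text fields.

```python
# Added example (not from the article): a Safe Harbor-style de-identification
# pass over one constructed patient record, following the 18-identifier list
# as the article states it (all subdivisions smaller than a state removed,
# dates reduced to year, ages over 89 aggregated). Field names are assumptions.
import re
from datetime import date

# Structured identifier fields that are dropped outright (names, phone/fax,
# email, SSN, MRN, plan/account/licence numbers, vehicle/device IDs, URLs,
# IP addresses, biometrics, full-face images, any other unique code).
DROP_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric_id", "photo", "other_unique_code",
}
# Geographic subdivisions smaller than a state; "state" itself is retained.
GEO_FIELDS = {"street", "city", "county", "zip"}
# Dates directly related to the individual: only the year survives.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "date_of_death"}
AGE_CAP = 89  # ages over 89 collapse into a single "90+" bucket

# Identifier-shaped strings that often hide in free-text fields such as notes.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def deidentify(record: dict) -> dict:
    """Return a copy of the record with the structured identifiers handled."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS or key in GEO_FIELDS:
            continue                      # removed entirely
        if key in DATE_FIELDS:
            out[key] = str(date.fromisoformat(value).year)
        elif key == "age":
            out[key] = "90+" if value > AGE_CAP else value
        else:
            out[key] = value
    return out


def residual_identifiers(record: dict) -> dict:
    """Flag anything that would still fail Safe Harbor: leftover identifier
    fields, dates finer than a year, or identifier patterns in free text."""
    found = {}
    for key, value in record.items():
        if key in DROP_FIELDS or key in GEO_FIELDS:
            found[key] = ["identifier field present"]
        elif key in DATE_FIELDS and not re.fullmatch(r"\d{4}", str(value)):
            found[key] = ["date finer than year"]
        elif isinstance(value, str):
            hits = [n for n, p in FREE_TEXT_PATTERNS.items() if p.search(value)]
            if hits:
                found[key] = hits
    return found


# Constructed, fictional record used to exercise the functions above.
SAMPLE = {
    "name": "Jane Doe", "birth_date": "1931-04-15", "age": 94,
    "admission_date": "2025-02-03", "street": "12 Example St",
    "city": "Springfield", "county": "Example", "zip": "12345", "state": "IL",
    "mrn": "MRN-0001", "diagnosis_code": "E11.9",
    "notes": "Patient asked that results go to jane.doe@example.com",
}

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE)
    print(cleaned)
    # The structured pass is not enough: the notes field still leaks an email.
    print(residual_identifiers(cleaned))
```

Running it shows the cleaned record keeping only the year, the "90+" age bucket, the state, and the diagnosis code, while the residual check still flags the email address left in the notes field.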
Which of the following would be considered PHI?
A few practical scenarios that answer this common question directly:
- A billing statement listing a patient’s name, insurance ID, and diagnosis code — PHI. Multiple identifiers linked to health information held by a covered entity.
- An anonymized dataset with all 18 identifiers removed — Not PHI, provided the covered entity has no actual knowledge that the remaining data could re-identify any individual.
- A wound photograph stored in an Electronic Health Record (EHR) — PHI. A photographic image linked to a health condition, maintained by a covered entity.
- A patient’s name on a general mailing list with no health data attached — Not PHI. Without associated health information, identifiers alone don’t meet the three-part test.
Examples of Protected Health Information
Examples of protected health information span every format and workflow in a healthcare organization, not just medical records.
Common examples include:
- Physician notes, lab results, radiology images, and discharge summaries
- Prescription records and medication lists
- Mental health therapy notes and psychiatric evaluations
- Insurance claims, billing statements with diagnosis or procedure codes, and prior authorization requests
- Emails between a provider and patient discussing symptoms or treatment plans
- Verbal conversations among clinical staff about a specific patient’s condition
- Wound photographs or diagnostic images stored in an EHR
- Patient data stored in cloud-based EHR or practice management systems
Electronic protected health information (ePHI) is any PHI created, stored, transmitted, or received electronically, including data in EHR systems, health information transmitted via email, lab results on patient portals, and data on laptops, tablets, or USB drives.
ePHI is subject to additional requirements under the HIPAA Security Rule on top of the Privacy Rule obligations that govern all PHI formats. The average cost of a healthcare data breach in the U.S. reached $10.22 million in 2025, the highest of any industry, with the overwhelming majority involving ePHI.
What Is Not Considered PHI Under HIPAA?
The boundaries of PHI are just as important as the definition. The following categories fall outside HIPAA’s scope:
De-identified health information
When all 18 identifiers are successfully removed, and the covered entity has no actual knowledge that the remaining data could re-identify any individual, the information is no longer PHI, and HIPAA no longer applies.
A limited data set, which retains certain dates and geographic data, still qualifies as PHI but may be disclosed for research or public health purposes under a data use agreement.
Employment records
Health information that an employer maintains about employees in their capacity as an employer, like sick day logs, return-to-work certifications, and medical leave records, is governed by employment law, not HIPAA.
This changes when the employer also sponsors a group health plan: information the plan holds about enrollees is PHI and must be strictly segregated from general personnel files.
Education records under FERPA
Student health records maintained by schools and universities are governed by FERPA, not HIPAA.
A school nurse’s records on a student’s vaccinations or medications are FERPA-protected education records even though they contain health information.
Consumer app and wearable data
Health data stored by device manufacturers or app developers with no BAA connecting them to a covered entity is not HIPAA-protected PHI, though it may be subject to Federal Trade Commission (FTC) regulations and state privacy laws.
Information held by non-covered entities
HIPAA only applies to covered entities and their business associates.
A life insurer underwriting a policy based on health history, or a law firm reviewing medical records for litigation, is not acting as a covered entity. The health information they hold is not PHI under HIPAA.
Deceased individuals after 50 years
HIPAA protects the PHI of deceased individuals for 50 years following the date of death.
After that window closes, the information is no longer protected health information under HIPAA.
Quick decision framework: If the answer to either of these two questions is no, HIPAA may not apply, and the information may not be PHI:
1. Was this information created or received by a covered entity or business associate?
2. Is an individual identifiable from it?
PHI vs. PII — What’s the Difference?
PII (Personally Identifiable Information) refers to any information that can identify a specific individual: names, email addresses, Social Security numbers (SSNs), or IP addresses. It’s governed by a range of federal and state laws depending on context.
PHI is a subset of PII: specifically, PII that is tied to health, care, or payment information and held by a covered entity or business associate. The key distinction is that every piece of PHI contains or implies a personal identifier, but not every piece of PII involves health information or a covered entity.
A name and email address in a retail loyalty program is PII. That same name and email address in a patient portal tied to a diagnosis is PHI.
When PII is stored alongside health information in a covered entity’s designated record set, it assumes PHI status because it could help identify the subject of that health information.
PHI Compliance Requirements
PHI compliance is structured around three interlocking HIPAA rules.
Covered entities include healthcare providers, health plans, and healthcare clearinghouses. Any vendor or service provider handling PHI on a covered entity’s behalf is considered a Business Associate and is bound by the same rules through signed Business Associate Agreements (BAA).
The Privacy Rule
This rule governs how PHI can be used and disclosed.
PHI may be used without patient authorization only for treatment, payment, healthcare operations, and a defined set of national priority purposes.
Everything else requires written patient authorization. The minimum necessary standard applies to all uses: covered entities must limit PHI to what’s needed for the specific purpose.
Patients have enforceable rights to access their records, request amendments, and receive an accounting of certain disclosures. Covered entities must respond to access requests within 30 days.
The Security Rule
The Security Rule applies specifically to ePHI and requires administrative, physical, and technical safeguards. Administrative safeguards include a documented Security Risk Assessment, workforce training, and a contingency plan. Risk assessment is the most consistently cited gap in OCR enforcement actions. Physical safeguards cover facility access controls and device disposal. Technical safeguards include access controls, audit logs, and encryption.
A significant overhaul of the Security Rule was proposed in January 2025 and is expected to be finalized in May 2026.
The proposed changes would make all safeguards mandatory.
They would also add explicit requirements for:
- Multi-factor authentication
- Annual penetration testing,
- Vulnerability scans every six months, and
- Encryption of ePHI at rest.
The compliance window, once finalized, is 180 days, putting deadlines at the end of 2026 or into early 2027. Organizations should be assessing gaps now.
The Breach Notification Rule
When unsecured PHI is accessed, used, or disclosed without authorization, covered entities must notify affected individuals within 60 days, report to HHS, and notify prominent media outlets in any state where the breach affects 500 or more residents.
Business associates must notify the covered entity within 60 days of discovering a breach.
PHI Compliance Requirements — Common HIPAA Violations and Penalties
Enforcement has grown significantly more aggressive. Between 2003 and 2024, OCR had settled or imposed civil money penalties in 152 cases totaling just under $145 million, including against small and mid-sized organizations.
Civil penalty tiers
- Tier 1 — No knowledge: $145 to $73,011 per violation
- Tier 2 — Reasonable cause: $1,461 to $73,011 per violation
- Tier 3 — Willful neglect, corrected: $14,602 to $73,011 per violation
- Tier 4 — Willful neglect, not corrected: $73,011 per violation minimum, annual cap of $2,190,294
Criminal penalties range from $50,000 and one year in prison for a knowing violation, up to $250,000 and ten years in prison for violations involving intent to sell or misuse PHI.
Most common violations
- Failure to conduct or maintain a current Security Risk Assessment
- Missing or inadequate Business Associate Agreements
- Impermissible disclosures, like sharing PHI with unauthorized recipients
- Failure to provide timely patient access to records (Oregon Health & Science University paid $200,000 in March 2025 for this violation alone)
- Inadequate workforce training
- Improper disposal of physical or digital PHI
- Ransomware incidents — OCR treats most ransomware infections as reportable breaches (Gulf Coast Pain Consultants paid $1.19 million in 2024 following a contractor’s unauthorized access)
- Website tracking technologies — Pixels and session replay tools on patient-facing pages transmitting PHI to ad platforms. OCR collected over $9.9 million across 22 enforcement actions in 2024 on this issue alone.
Building a PHI Compliance Program That Holds Up
PHI compliance is not a documentation exercise. The organizations that fare worst in OCR investigations typically have policies on paper but haven’t operationalized them. This means risk assessments that haven’t been updated in years, BAAs that were never signed, and audit logs that exist but are never reviewed.
A program that holds up has a few consistent characteristics:
- Encryption covering ePHI at rest and in transit,
- Role-based access controls enforced at the system level,
- Audit logs that are actually monitored,
- Certified disposal procedures for devices and media, and
- A current BAA inventory verified annually.
For organizations communicating over email, instant messaging, or other digital channels, archiving is non-negotiable. Email containing PHI must be stored in a tamper-proof, searchable archive that supports ediscovery and OCR audit requests, not left in inboxes or standard backup systems.
The proposed Security Rule overhaul, expected to be finalized in May 2026, will raise the bar further, particularly around MFA, encryption at rest, penetration testing, and annual vendor verification. What passes muster today may not once the final rule takes effect. Organizations that wait for publication before acting will have a limited runway.
How Jatheon helps
Jatheon is built for regulated environments. Our archiving software captures and stores communications across email, collaboration and chat apps, mobile, and files in a tamper-proof, searchable archive that meets OCR and ediscovery requirements.
For organizations handling large volumes of PHI, bulk redaction removes sensitive identifiers across stored communications before export or disclosure, which reduces exposure without requiring manual review of individual records.
Other capabilities relevant to PHI compliance include:
- Role-based access controls limiting who can retrieve or export archived communications
- Audit trails that log every search, access, and export event
- Legal hold management to preserve communications relevant to investigations or litigation
- Fast, precise search across years of archived data by channel, sender, recipient, keyword, date range, or content type
- Deployment options, including on-premises hardware, virtual and AWS cloud archive, for organizations with specific data residency or infrastructure requirements
Organizations that handle PHI need an archiving infrastructure in place as a core part of staying compliant, not just documented policies. To see how Jatheon helps healthcare organizations meet retention obligations, respond to OCR audit requests, and manage ediscovery across email and other communication channels, book a demo or contact sales@jatheon.com.
Summary of the Main Points
- PHI is defined by a three-part test: health information that can identify a person and is held by a covered entity or business associate.
- Examples of protected health information include clinical records, billing statements with diagnosis codes, provider-patient emails, recorded telehealth meetings, verbal clinical discussions, diagnostic images, and ePHI in EHR and cloud systems.
- Electronic protected health information carries additional obligations under the Security Rule, including encryption, MFA, audit controls, and annual risk assessments.
- PHI compliance requirements center on three rules: the Privacy Rule (permitted uses and disclosures), the Security Rule (ePHI safeguards), and the Breach Notification Rule (incident response).
- The most common violations are missing risk assessments, inadequate BAAs, impermissible disclosures, failure to provide patient access, and insufficient workforce training.
- Civil penalties reach up to $2,190,294 per violation category per year under 2026 penalty amounts; OCR enforcement is at its most active level to date.
- Organizations handling PHI need robust systems for archiving, access control, audit trails, and breach response, not just documented policies.
FAQ
Does HIPAA apply to mental health records the same way it applies to other medical records?
Yes, with an important nuance. Mental health records are PHI and subject to the same HIPAA rules as any other clinical record. However, many states impose stricter protections on top of HIPAA’s floor, requiring separate authorization for disclosure even in circumstances where HIPAA would otherwise permit sharing. Psychotherapy notes receive specific additional protection under HIPAA itself: they are excluded from the general right of access and require explicit patient authorization to disclose, even to other treating providers.
Can PHI be shared without patient authorization for research purposes?
Yes, under specific conditions. Researchers can access PHI without authorization if they obtain a waiver from an Institutional Review Board (IRB) or Privacy Board, work with a limited data set under a data use agreement, or use fully de-identified data. Research use of PHI without one of these pathways in place is an impermissible disclosure regardless of the research’s public health value.
How long must covered entities retain PHI?
HIPAA itself does not set a retention period for medical records. It requires HIPAA-related policies and documentation to be retained for six years. Medical record retention periods are set by state law and vary significantly: most states require six to ten years for adult records, and longer for minors, often until the patient reaches the age of majority plus a defined period. Organizations operating across multiple states must apply the most stringent applicable requirement.
Is PHI shared with a patient’s family members allowed under HIPAA?
In limited circumstances, yes. HIPAA permits PHI sharing with family members, friends, or caregivers who are directly involved in a patient’s care, provided the patient has not objected, or when the patient is incapacitated, and disclosure is deemed in their best interest. The covered entity must use professional judgment to determine what information is appropriate to share and with whom. This does not extend to general disclosure — a provider cannot share a patient’s diagnosis with a family member simply because they ask.
What is the difference between a HIPAA violation and a HIPAA breach?
These terms are often used interchangeably, but they are distinct. A violation is any failure to comply with a HIPAA requirement, including administrative failures like missing a policy update or not training staff. A breach is a specific type of violation: the unauthorized acquisition, access, use, or disclosure of unsecured PHI that compromises its security or privacy. All breaches are violations, but not all violations are breaches. Breaches trigger the Breach Notification Rule; other violations may result in corrective action plans or civil penalties without the notification obligations.
Does HIPAA cover PHI shared on patient portals or through telehealth platforms?
Yes. Patient portals and telehealth platforms used by covered entities are part of their covered operations, and any PHI transmitted or stored through them is subject to full HIPAA protections. The platform vendor must sign a BAA with the covered entity before any PHI flows through their system. If the platform experiences a breach, even one outside the covered entity’s control, the covered entity retains notification obligations to affected patients.