What is Considered PHI Under HIPAA Rules?

In a healthcare environment, you are likely to hear health information referred to as protected health information or PHI, but what is considered PHI under HIPAA?

Under HIPAA, PHI is considered to be any identifiable health information that is used, maintained, stored, or transmitted by a HIPAA-covered entity (a healthcare provider, health plan or health insurer, or a healthcare clearinghouse) or a business associate of a HIPAA-covered entity, in relation to the provision of healthcare or payment for healthcare services.

It is not only past and current health information that is considered PHI under HIPAA Rules, but also future information about medical conditions or physical and mental health related to the provision of care or payment for care. PHI is health information in any form, including physical records, electronic records, or spoken information.

Therefore, PHI includes health records, health histories, lab test results, and medical bills. Essentially, all health information is considered PHI when it includes individual identifiers. Demographic information is also considered PHI under HIPAA Rules, as are many common identifiers such as patient names, Social Security numbers, driver’s license numbers, insurance details, and birth dates, when they are linked with health information.

The 18 identifiers that make health information PHI are:

  1. Names
  2. Addresses (including subdivisions smaller than state such as street, city, county, and zip code)
  3. Dates (except years) directly related to an individual, such as birthdays, admission/discharge dates, death dates, and exact ages of individuals older than 89
  4. Telephone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate and license numbers
  12. Vehicle identifiers
  13. Device identifiers and serial numbers
  14. Website URLs
  15. IP addresses
  16. Biometric identifiers, including fingerprints, voice prints, iris and retina scans
  17. Full-face photos and other photos that could allow a patient to be identified
  18. Any other unique identifying numbers, characteristics, or codes
