Secured AI - Protecting You in the AI Age

What is PHI? A Practical Guide to Protected Health Information

Clear definitions, real examples, and safeguards you can use in policy and daily operations.

January 19, 2026 · 18 min read

[Illustration: a clinician's clipboard and a patient file with a purple shield icon]

TL;DR

PHI stands for Protected Health Information. Under HIPAA, PHI is health information about an individual that can identify them, and that is created, used, or shared by a covered entity or a business associate in connection with healthcare, payment, or operations. If the health information includes identifiers, it is usually PHI.

Important: This content is for general information, not legal advice. HIPAA obligations depend on your role, contracts, and facts. For formal interpretations, consult your legal and compliance teams.

What does PHI stand for?

PHI stands for Protected Health Information.

The "protected" part is important. It signals that the information is covered by HIPAA rules in the right context, and that your organization has duties around privacy, security, and disclosure.

Simple mental model: Health information plus identifiers plus HIPAA context often equals PHI.

PHI definition under HIPAA (plain English)

HIPAA uses a formal definition, but most teams need something they can apply quickly. Here is a plain English way to think about it.

PHI is health information that can identify a person

PHI generally includes information about:

  • a person's past, present, or future physical or mental health condition
  • healthcare services provided to that person
  • payment for healthcare services

If that information is linked to an identifier, or can reasonably identify the person, it becomes protected.

PHI depends on who holds it and why

HIPAA is not "all health data, everywhere." HIPAA focuses on certain organizations and relationships. A patient posting their diagnosis on social media is sharing health information, but it is not automatically PHI under HIPAA.

PHI can exist in any format

  • Electronic (ePHI): records in an EHR or a cloud file
  • Paper: printed lab results or intake forms
  • Spoken: a hallway conversation or voicemail

Who HIPAA applies to: covered entities and business associates

Covered entities

HIPAA covered entities include:

  • health plans
  • healthcare clearinghouses
  • many healthcare providers who transmit health information in certain standard transactions

Business associates

A business associate is typically a person or company that performs services for a covered entity and needs access to PHI to do the job. Common examples include billing services, cloud service providers, and consulting vendors.

Why this matters in 2026: Healthcare workflows now rely on many vendors. If a vendor touches PHI, treat them like a real extension of your environment—with contract review, security review, and clear boundaries.

What counts as PHI?

A quick way to answer "what is considered PHI?" is to break it into parts:

  • Health related content (condition, treatment, payment, or care coordination)
  • Identifiers (details that identify the individual)
  • HIPAA context (handled by a covered entity or business associate)

It is not only clinical notes

Teams sometimes assume PHI is only what is stored in the EHR. In reality, PHI can be present in:

  • call recordings and voicemail systems
  • fax and scanned documents
  • patient portal messages
  • billing emails and receipts
  • photos of whiteboards, badges, or wristbands
  • support tickets and internal chat threads

Common examples of PHI

[Infographic: Common examples of PHI, eight icon tiles in a grid]

1. Patient name + appointment time
   Why it is PHI: identifies the patient and relates to healthcare services
   Common mistake: forwarding to a personal inbox
2. Patient MRN + lab result
   Why it is PHI: the MRN is an identifier; lab results are health information
   Common mistake: saving files to unmanaged drives
3. Insurance member ID + claim status
   Why it is PHI: payment for healthcare tied to an individual
   Common mistake: sharing screenshots in a group chat
4. Patient phone + medication refill
   Why it is PHI: identifiers linked to care information
   Common mistake: copying notes into general tools
5. Discharge summary with name
   Why it is PHI: clinical documentation plus identifiers
   Common mistake: attaching to the wrong email
6. Referral letter with DOB
   Why it is PHI: identifying details plus treatment context
   Common mistake: leaving scans in shared folders
7. Patient portal message
   Why it is PHI: communication about health tied to a patient
   Common mistake: quoting the full message in a ticket
8. Radiology image with identifiers
   Why it is PHI: clinical information plus metadata
   Common mistake: sharing images without removing IDs

The HIPAA 18 identifiers

Many HIPAA conversations include "the 18 identifiers." Teams use this list as a practical reference when discussing de-identification.

The identifiers commonly referenced are listed below. HIPAA counts phone numbers and fax numbers separately, but they are grouped on one line here, so the list shows 17 entries for the 18 identifiers:

  • Names
  • Geographic details smaller than a state
  • Dates directly tied to an individual
  • Phone and fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate or license numbers
  • Vehicle identifiers and serial numbers
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Biometric identifiers
  • Full face photos and similar images
  • Any other unique identifying number, characteristic, or code

PHI vs PII (and why the difference matters)

[Comparison chart: Data Types, with columns for PII, PHI, and ePHI]

How they overlap

PHI often includes PII because it identifies a patient. If a record contains a patient name, address, or email, those are identifiers.

How they differ

  • PII is a broad concept used across many industries—data that can identify a person.
  • PHI is a healthcare-specific category tied to HIPAA context—health and payment information connected to an identifiable person.

PHI vs ePHI vs "health data"

PHI vs ePHI

ePHI is PHI in electronic form. If it is in a database, a document system, email, or cloud storage, it is often ePHI. The HIPAA Security Rule focuses heavily on electronic safeguards.

PHI vs general "health data"

"Health data" is a broader everyday phrase. It might include fitness tracker data, wellness app data, or self-reported symptoms. That data is not automatically PHI under HIPAA unless handled in a HIPAA-covered context.

De-identification: what "not PHI" can mean

De-identification is the process of removing or reducing identifiers so the data is no longer tied to an identifiable individual.

De-identified data is not a magic switch. Teams sometimes think "we removed names, so we are done." Re-identification risk depends on how many indirect identifiers remain, what other datasets could be linked, and who can access it.

Minimum necessary: the everyday rule

[Diagram: Minimum necessary, a funnel filtering the full record down to what is needed for the task]

The minimum necessary standard is one of the most useful concepts: share only what you need to do the job.

Examples of minimum necessary thinking:

  • If a vendor needs to troubleshoot a scheduling bug, they may need appointment IDs and timestamps, not diagnoses.
  • If an internal team is verifying insurance, they may need payer details, not clinical notes.
  • If a manager is reviewing a billing complaint, they may need invoice details, not imaging reports.

How to protect PHI: safeguards that actually work

1) Map your PHI flows

Map how PHI moves: where it enters, where it is stored, where it exits, where it is copied. This usually uncovers shadow workflows created to "get things done."

2) Classify PHI in a way staff can follow

  • High sensitivity: full clinical notes, diagnoses, lab results, images, credentials
  • Medium sensitivity: appointment details, care coordination messages, billing disputes
  • Lower sensitivity: general educational content with no patient identifiers

3) Restrict access and keep proof

Use role-based access, separate test and production, review access on a schedule, keep audit logs.

4) Reduce exports and downloads

Exports are where controls often disappear. Limit bulk export permissions, use time-limited access links, watermark sensitive exports.

5) Protect email and messaging

Use approved secure messaging, outbound scanning for PHI patterns, automatic warnings before sending sensitive content.

6) De-identify for secondary use cases

For analytics, training, and quality improvement, design pipelines that remove identifiers early.

7) Vendor controls that match real workflows

Require a BAA when the vendor handles PHI, clear retention and deletion rules, audit logs and admin controls.

8) Train for normal mistakes

Focus on realistic scenarios: how to open a ticket without pasting patient data, how to communicate with vendors using record IDs.

9) Build "safe defaults" into systems

Templates that remove identifiers by default, secure messaging links integrated into workflow tools, automatic redaction where feasible.

PHI in email, chat, tickets, and modern assistants

PHI risk is not only inside the EHR. It shows up everywhere people work.

Email

Email threads can include appointment details, PDF attachments, billing statements, and portal message copies. Common problems: autofill selecting the wrong recipient, replying to threads with external parties.

Chat and collaboration tools

People share screenshots because it is quick. But screenshots often include patient names, dates of birth, and clinical context. Confirm that a chat tool is an approved channel for PHI before anyone shares PHI in it.

Tickets

Help desk systems are often filled with sensitive content because staff try to provide context. Review who can view tickets and how long they are retained.

Modern assistants and AI tools

Summarization is a common use case, but also an easy way to accidentally share PHI. People paste whole portal messages and move on.

Training line that works: If the text includes a patient identifier, do not paste it into general tools. Use approved systems or remove identifiers first.
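As an added example (not code from this article or from Secured AI), the following Python sketch shows what "outbound scanning for PHI patterns", "automatic redaction where feasible", and the "remove identifiers first" training line above look like in practice: it masks the structured HIPAA identifiers a regex can catch, counts them per type, and returns a block/allow decision for a send-time hook. The help-desk ticket text and the pattern set are constructed for the example; the patient is fictional.

```python
import re
from dataclasses import dataclass, field

# Added example, not the article's or Secured AI's code. These patterns cover the
# structured HIPAA identifiers a regex can catch. Names, small geographic areas and
# free-text clinical context are deliberately NOT covered: catching those needs a
# reviewer or an NLP step, which is why stripping obvious identifiers is not de-identification.
IDENTIFIER_PATTERNS = {
    "url":   re.compile(r"\bhttps?://\S+", re.IGNORECASE),   # first, so URL digits never look like an IP
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn":   re.compile(r"\bMRN[ :#]*\d{5,10}\b", re.IGNORECASE),
    "phone": re.compile(r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]\d{3}[ .-]\d{4}\b"),
    "date":  re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "ip":    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

@dataclass
class ScanResult:
    redacted: str                                # text with matched identifiers masked
    found: dict = field(default_factory=dict)    # identifier type -> number of matches

def scan_and_redact(text: str) -> ScanResult:
    """Mask every structured identifier in text and count what was masked, per type."""
    result = ScanResult(redacted=text)
    for kind, pattern in IDENTIFIER_PATTERNS.items():
        result.redacted, count = pattern.subn(f"[{kind.upper()} REDACTED]", result.redacted)
        if count:
            result.found[kind] = count
    return result

def outbound_decision(text: str) -> str:
    """Send-time hook for chat, tickets or assistant prompts: block when any identifier is present."""
    return "block" if scan_and_redact(text).found else "allow"

# Constructed help-desk ticket about a fictional patient: the kind of text the article
# warns against pasting into general tools.
TICKET = (
    "Scheduling bug: patient Jane Doe (MRN 4481920, DOB 03/14/1962) was double-booked. "
    "Reach her at (555) 010-2233 or jane.doe@example.com; see "
    "https://portal.example.org/msg/88213 from 192.0.2.10."
)

if __name__ == "__main__":
    result = scan_and_redact(TICKET)
    print(outbound_decision(TICKET), result.found)
    # "Jane Doe" and "double-booked" survive: the name and clinical context still need review.
    print(result.redacted)
```

In a real hook, forward only the redacted text and log the identifier types found rather than the values, so the audit trail does not itself become PHI.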

When PHI is exposed: first steps for response

Even with good safeguards, mistakes happen. The first hour matters.

Step 1: Stop the exposure

Remove access to the file or message, revoke links, ask recipients to delete content and document the request.

Step 2: Preserve evidence

Record timestamps, links, recipients, and content types. Capture audit logs. Do not edit logs or overwrite evidence.

Step 3: Assess what was disclosed

Which identifiers were involved? Was clinical or payment information included? How many individuals were affected?

Step 4: Notify the right internal owners

Route to privacy, compliance, legal, and security. Document who was notified and when.

Step 5: Improve the workflow

The goal is not blame. The goal is to stop the same mistake from repeating.

Frequently Asked Questions

What is PHI in simple terms?
PHI is protected health information. It is health or payment information about a person that can identify them, handled by healthcare organizations and partners in a HIPAA-covered context.

What are examples of PHI?
Examples include a patient name with appointment details, medical record number with lab results, insurance ID with claim status, portal messages about symptoms, and billing statements tied to a specific patient.

Is a name by itself PHI?
A name alone is an identifier, but it becomes PHI when connected to healthcare services, payment, or operations in a HIPAA context. In healthcare settings, names often appear alongside health-related context, so they are frequently part of PHI.

Is an appointment reminder PHI?
It can be. If it identifies the patient and relates to healthcare services, it can be treated as PHI. Organizations often handle reminders with care even when they do not include diagnosis details.

What is the difference between PHI and ePHI?
ePHI is PHI in electronic form, such as data stored in an EHR, email, or cloud files. PHI can also exist on paper or be spoken.

Is PHI the same as PII?
No. PII is a broad category used across industries for identifying data. PHI is a healthcare-specific category tied to HIPAA context. PHI often includes identifiers, so there is overlap.

Protect PHI in your healthcare workflows

Secured AI automatically detects and masks PHI before it reaches AI systems, helping healthcare teams stay productive and compliant.