
Understanding Protected Health Information (PHI) Under HIPAA


Flowsery Team
1 min read

TL;DR — Quick Answer


PHI is any individually identifiable health information held by covered entities. Website analytics on healthcare sites can inadvertently create PHI when visitor identifiers combine with health-related page views.


Protected Health Information (PHI) is the central concept in HIPAA compliance. Understanding what qualifies as PHI determines which data protection requirements apply to healthcare organizations and their business associates.

What Qualifies as PHI

PHI is any individually identifiable health information created, received, stored, or transmitted by a covered entity or business associate. It must meet three criteria: it relates to an individual's health condition, healthcare provision, or payment for healthcare; it identifies the individual or could reasonably be used to identify them; and it is held by a covered entity or business associate.

Common PHI Examples

PHI includes patient names linked to medical records, dates of treatment, medical record numbers, health insurance information, diagnostic codes, prescription records, lab results, and billing information. It also extends to digital identifiers like IP addresses and device IDs when associated with health information.

PHI in Digital Contexts

Website analytics on healthcare websites can inadvertently create PHI when visitor identifiers (like IP addresses or cookie IDs) are combined with pages viewed about specific conditions or treatments. This is why healthcare organizations must be particularly careful about their analytics implementations.

The 18 HIPAA Identifiers

HIPAA defines 18 specific identifiers that, when linked to health information, create PHI. These include names, geographic data, dates, phone numbers, email addresses, Social Security numbers, medical record numbers, and several others. Removing all 18 identifiers creates de-identified data that is no longer subject to HIPAA protections.
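As an added illustration of the two points above (this is example code, not code from the original article or from Flowsery), a small Python filter that flags an analytics event as PHI-creating when a visitor identifier (IP address, cookie or device ID, e-mail address, phone number) accompanies a view of a health-related page, and strips those identifiers and the date before the event is stored. The event field names, the health-page path patterns and the sample events are assumptions constructed for the example.

```python
"""Flag analytics events that would combine a visitor identifier with a
health-related page view, and scrub them before storage."""
import re
from collections import Counter

# Path patterns for health-related pages (constructed for this example).
HEALTH_PATH_PATTERNS = [r"^/conditions/", r"^/treatments/", r"^/appointments"]

# Event fields that act as identifiers (IP address, cookie ID, device ID,
# e-mail, phone). The field names are an assumed schema, not a real one.
IDENTIFIER_FIELDS = ("ip", "cookie_id", "device_id", "email", "phone")
# Date fields are identifiers too, so they are dropped on scrubbing.
DATE_FIELDS = ("ts",)


def is_health_related(path: str) -> bool:
    path = path.split("?", 1)[0]  # ignore the query string when matching
    return any(re.match(p, path) for p in HEALTH_PATH_PATTERNS)


def identifiers_present(event: dict) -> set:
    return {k for k in IDENTIFIER_FIELDS if event.get(k)}


def would_create_phi(event: dict) -> bool:
    """True when an identifier is combined with a health-related page view."""
    return is_health_related(event["path"]) and bool(identifiers_present(event))


def deidentify(event: dict) -> dict:
    """Remove identifier and date fields; keep only the bare page path."""
    drop = set(IDENTIFIER_FIELDS) | set(DATE_FIELDS)
    out = {k: v for k, v in event.items() if k not in drop}
    out["path"] = out["path"].split("?", 1)[0]  # query strings may carry IDs
    return out


def safe_pageview_counts(events) -> Counter:
    """Aggregate page views without retaining identifiers for health pages."""
    counts = Counter()
    for ev in events:
        if would_create_phi(ev):
            ev = deidentify(ev)
        counts[ev["path"].split("?", 1)[0]] += 1
    return counts


SAMPLE_EVENTS = [  # constructed sample events, not real traffic
    {"ip": "203.0.113.7", "cookie_id": "c1", "path": "/conditions/diabetes", "ts": "2024-03-01T10:00:00Z"},
    {"ip": "203.0.113.8", "path": "/about", "ts": "2024-03-01T10:01:00Z"},
    {"cookie_id": "c2", "path": "/treatments/chemotherapy?ref=email", "ts": "2024-03-01T10:02:00Z"},
]
```

The check runs before the event reaches the analytics store, so a health-page view is counted but never stored alongside who viewed it.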
