Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
March 4, 2026

What Counts as PHI and What Doesn’t

PHI can appear in many forms. This quick guide helps you recognize it, avoid common mistakes, and protect patient information.

Return to Privacy & Security

What Counts as PHI — and What Doesn’t

We talk with people at vulnerable moments. A name here, a date there, a quick screenshot—those little details can add up. Here’s a simple way to spot PHI and handle it right, every time.

✅ PHI = Health info + something that identifies the person

If it’s about someone’s health, care, or payment and it can be linked to them, it’s PHI.
Format doesn’t matter—Slack, EMR, photo, email, verbal, paper… it all counts.

🔍 The 18 HIPAA identifiers (if any of these appear with health info → it’s PHI)

  • Name
  • Address or geographic info smaller than a state (street, city, ZIP)
  • Dates (birth, admission, discharge, death, service dates, etc.)
  • Telephone number
  • Fax number
  • Email address
  • Social Security number
  • Medical record number
  • Health plan/member ID number
  • Account number
  • Certificate or license number
  • Vehicle identifiers (VIN, plate)
  • Device identifiers/serial numbers
  • Web URLs
  • IP addresses
  • Biometric identifiers (fingerprint, voice, retina)
  • Full-face photos or comparable images
  • Any other unique ID code or trait

🟩 PHI examples we see a lot (handle with care)

  • “Jane S. — DOB 5/12/78 — pain increase this week — RN telehealth follow-up Monday”
  • External records, care plans, or lab results tied to a name, MRN, or member ID
  • Insurance EOBs, billing notes, authorizations, referral details
  • Intake forms, progress notes, EMR/registry screenshots
  • An IP address from a logged-in patient portal session

🟥 Not PHI (see Data Classification and Protection for guidance)

  • De-identified data (all 18 identifiers removed)
  • Aggregated counts: “We supported 2,300 patients in Q3”
  • HR employment files not used for care/billing

⚠️ Watch the “context traps”

Sometimes harmless-looking data becomes identifying once you zoom in:
🚩 Very small/unique groups (e.g., “1 patient in ZIP 98685 with a rare condition”)
🚩 Free-text notes that quietly include names, dates, or locations
🚩 Screenshots or photos with charts or names in the background
🚩 Website analytics on patient-facing pages that can tie activity to a person
👉 When in doubt, treat it as PHI and check with Privacy.

🧭 Quick Test: Is it PHI?

  1. Is it about health, care, or payment?
  2. Could it identify a person (alone or combined with other info)?
  3. Did we (or a business associate) create, receive, or store it?
    If yes → it’s PHI. When unsure, treat it as PHI.

🔒 How to protect PHI—every time

  • Share only the minimum necessary
  • Use approved systems and transmission methods 
  • Don’t store PHI on personal devices or as screenshots
  • Report any concerns right away (link to reporting)

🚀 Bottom line

“Health info + identifier + in our custody” = PHI.
One extra pause keeps our patients safe—and protects you and our mission.