Hippa University
What is Considered Protected Health Information Under HIPAA?

July 16, 2024

Protected health information, or PHI, is individually identifiable health information that is created, received, stored, or transmitted by a covered entity or one of its business associates. Under the Health Insurance Portability and Accountability Act (HIPAA), covered entities are health care providers that transmit claims electronically, health plans, and health care clearinghouses; business associates are the vendors that handle PHI on their behalf.

This data is not restricted to what is contained in a medical record. It includes names, addresses, Social Security numbers, and anything else that ties health information to a person, down to a laboratory result associated with a patient's name.

Here, we'll take you through what PHI is, provide real-life examples, and lay out what healthcare providers need to do to manage it appropriately.

Examples of PHI include:

HIPAA imposes strict rules on the handling of PHI to protect patient data. The Privacy Rule's Safe Harbor de-identification standard lists 18 identifiers that, when linked to health information, make it PHI. Some significant examples are:

Email Addresses
A patient's email address is one of the 18 identifiers. When it appears in a record that contains health information, or when email is used to discuss a patient's health or treatment, the address and the message are PHI.

Fax Numbers
Fax numbers belonging to the individual are identifiers, and fax transmissions of medical records carry PHI.

Vehicle Identifiers and Serial Numbers
Vehicle identifiers and serial numbers that relate to the patient, including license plate numbers and VINs, are identifiers. A vehicle number assigned to a provider's own ambulance identifies the provider's equipment, not a patient, and is not PHI on its own.

Certificate and License Numbers
Certificate or license numbers that belong to the individual, such as a driver's license number, are identifiers. A clinician's professional license number identifies the provider rather than the patient and is not PHI by itself.

Social Security Numbers (SSNs)
Because SSNs uniquely identify a person and appear frequently in insurance and billing records, they are identifiers, and records that hold them alongside health information are PHI.

Account Numbers
Financial account numbers tied to health-related bills and payments are identifiers. They can reveal the nature of an individual's insurance and treatment.

All of these examples fall within the scope of HIPAA, which mandates secure handling of identifiable health information.

Information Safeguarded by HIPAA Rules

HIPAA is intended to safeguard not only medical records but a broad array of personal and health-related data associated with patient treatment. Prominent examples include:

Demographic Information
This comprises general personal details such as names, birth dates, mailing addresses, phone numbers, and email addresses when they are held together with health information.

Medical Records
Test results, diagnoses, treatment notes, prescriptions, and the medical history as a whole are all protected information.

Billing and Insurance Information
Insurance claims, payment data, account numbers, and other financial data associated with care are likewise protected.

Digital Health Systems
Electronic health records (EHRs), patient portals, billing applications, and telehealth platforms hold PHI in electronic form (ePHI), and the HIPAA Security Rule requires administrative, physical, and technical safeguards for it.

Communication Channels
Exchanges involving identifiable health information by phone call, email, fax, letter, or text message are likewise protected.


Is a Client's Height Protected as PHI Under HIPAA?

Yes. If height is documented in a health record and associated with an individual's identity, it is Protected Health Information (PHI).

Healthcare organizations and providers must therefore be careful when handling, storing, and transmitting a client's height, just as with any other PHI. Mismanagement can lead to unauthorized access or disclosure, and with it HIPAA violations and monetary penalties.


What Kinds of Information May be Disclosed Without Violating HIPAA?


Understanding what falls outside the scope of HIPAA is just as important as knowing what is protected.

  • A name, phone number, or mailing address on its own, held outside any healthcare context, is not PHI. Be careful with the common assumption that appointment data carries no medical information: the same details in a provider's schedule reveal that the individual receives care there, so in the provider's hands they are PHI.
  • Employment records are another exception. Records a covered entity holds in its role as an employer, and health information held by an employer that is not a covered entity, are not PHI. The same applies to student health records held by schools; those are generally covered by education privacy law (FERPA) rather than HIPAA.
  • Device makers are increasingly part of health tech, but if they hold your health data outside a healthcare context (a consumer app tracking steps or heart rate, for instance), that data is not PHI under HIPAA by default. It becomes PHI only when the vendor handles it on behalf of a covered entity as a business associate.
  • And don't forget publicly available information. Health news, published research results, and articles that are not attached to a patient's identity can be shared freely.

The bottom line is that if data is not associated with an identifiable individual in a healthcare context, it generally falls outside HIPAA's reach.

How Does HIPAA Distinguish PHI from Non-PHI?

Not all data is treated equally under HIPAA. What matters is whether the data can be traced to an individual and whether it is connected to healthcare. Both conditions must hold: identifiers without health content, or health content without identifiers, do not make PHI.

Let's understand it using a few examples:

Identifiable Health Information
Personal details such as names, addresses, birth dates, and Social Security numbers are PHI when they are associated with healthcare services. Aggregate data with all identifiers removed, and employment records that a covered entity holds in its role as an employer, are not PHI.

Medical Records
Patient medical histories, lab results, diagnoses, and clinical notes are PHI when they can identify an individual. Data that has been de-identified under one of HIPAA's two recognized methods (Safe Harbor removal of the 18 identifiers, or a documented Expert Determination that the risk of re-identification is very small), and information about general health trends that cannot be linked to a specific person, are not PHI.

Billing Information
Insurance details, medical billing records, and payment histories connected to healthcare services are PHI. General financial information not tied to medical care, such as a credit card transaction at a retail store, is not.

Communication Records
Messages that include health-related details, including appointment reminders, prescription information, and emails or texts discussing a patient's care, are PHI. General marketing emails or customer service messages that do not involve personal health information are not.

Health Status
Information about a person's diagnoses, treatment plans, or medical conditions is PHI when it can be linked to an individual. De-identified public health data and general wellness advice, such as tips on exercise or nutrition, are not.

Biometric Identifiers
Biometric data such as fingerprints, voice prints, full-face photographs, and genetic information is PHI when it is tied to an individual's medical records or healthcare services. The same data used for purposes unrelated to health, and held by an organization that is neither a covered entity nor a business associate, is not PHI.
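The two-part test above (traceable to an individual, and connected to healthcare) and the identifier list in the examples section earlier on this page can be turned into a simple scan. The code below is an added example, not code from the original page: it runs heuristic regular expressions for a subset of the Safe Harbor identifiers over constructed sample records, classifies each record, and produces a Safe Harbor style redaction. The `Record` structure, the function names, the regexes and the sample text are all this example's own assumptions.

```python
"""Safe Harbor identifier scan over constructed sample records (added example).

Applies the two-part PHI test: (1) is the record held in a healthcare context,
and (2) does it carry any Safe Harbor identifier? Only a subset of the 18
identifiers is matched, with heuristic regexes; names and small geographic
areas are not detected.
"""
import re
from dataclasses import dataclass

# Heuristic patterns for a subset of the 18 Safe Harbor identifiers (assumption:
# illustrative regexes, not an authoritative or complete detector).
IDENTIFIER_PATTERNS = {
    # SSN: area 000/666/9xx, group 00 and serial 0000 are never issued.
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # North American phone or fax number, with or without separators.
    "phone_or_fax": re.compile(r"\b(?:\+?1[ .-])?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b"),
    # Dates more specific than a year are identifiers; a bare year is allowed.
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    # 17-character VIN (the letters I, O and Q are never used in a VIN).
    "vin": re.compile(r"\b[A-HJ-NPR-Z0-9]{17}\b"),
    # Account number introduced by an "acct" / "account" label.
    "account_number": re.compile(r"\b(?:acct|account)\s*#?\s*[:=]?\s*\d{6,}\b", re.I),
}
# Ages over 89 are identifiers and must be aggregated to "90 or older".
AGE_RE = re.compile(r"\bage[d:\s]+(\d{1,3})\b", re.I)


@dataclass
class Record:
    text: str
    healthcare_context: bool  # held by a covered entity or business associate for care


def find_identifiers(text: str) -> dict[str, list[str]]:
    """Return the Safe Harbor identifiers found in text, keyed by identifier type."""
    found: dict[str, list[str]] = {}
    for name, pattern in IDENTIFIER_PATTERNS.items():
        hits = pattern.findall(text)
        if hits:
            found[name] = hits
    over_89 = [m.group(0) for m in AGE_RE.finditer(text) if int(m.group(1)) > 89]
    if over_89:
        found["age_over_89"] = over_89
    return found


def classify(record: Record) -> str:
    """Two-part test: healthcare context AND at least one identifier present."""
    if not record.healthcare_context:
        return "not PHI (outside healthcare context)"
    if find_identifiers(record.text):
        return "PHI"
    return "de-identified health information"


def redact(text: str) -> str:
    """Safe Harbor style redaction: strip identifiers, aggregate ages over 89."""
    for name, pattern in IDENTIFIER_PATTERNS.items():
        text = pattern.sub(f"[{name.upper()}]", text)
    return AGE_RE.sub(
        lambda m: "age 90 or older" if int(m.group(1)) > 89 else m.group(0), text
    )


# Constructed sample records (not real patient data).
CLINICAL_NOTE = (
    "Patient Jane Doe, DOB 03/14/1971, SSN 123-45-6789, reported chest pain. "
    "Fax results to 555-867-5309 and email jane.doe@example.com. Acct # 00448821."
)
DEIDENTIFIED_NOTE = "Female patient, age 52, born 1971, diagnosed with hypertension in 2023."
RETAIL_RECEIPT = (
    "Customer jane.doe@example.com ordered running shoes on 05/01/2024; "
    "call 555-867-5309 with questions."
)
ELDERLY_NOTE = "Patient age 92 treated for pneumonia; discharged 2024."

if __name__ == "__main__":
    samples = [
        ("clinical note", Record(CLINICAL_NOTE, True)),
        ("de-identified note", Record(DEIDENTIFIED_NOTE, True)),
        ("retail receipt", Record(RETAIL_RECEIPT, False)),
        ("elderly patient", Record(ELDERLY_NOTE, True)),
    ]
    for label, rec in samples:
        print(f"{label}: {classify(rec)} {find_identifiers(rec.text)}")
    print(redact(CLINICAL_NOTE))
```

Two caveats a practitioner should keep in mind. The retail receipt carries the same email and phone number as the clinical note, yet it is classified as not PHI because the data is not held in a healthcare context; context, not the identifiers alone, decides. And the scan leaves "Jane Doe" untouched: names and geographic subdivisions smaller than a state are Safe Harbor identifiers too, but they need named-entity recognition or reference lists rather than regexes, so a regex-only scanner is a screening aid and not a de-identification method on its own.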


Conclusion


Knowing what Protected Health Information is under HIPAA is more than checking a box; you need to know it to protect patient privacy and remain compliant. PHI is anything from test results to bills, as long as it is attached to an identifiable individual and held by a covered entity or business associate.

Being able to distinguish PHI from non-PHI allows healthcare practitioners to make better decisions about what can be shared and what must remain secure. With patient trust at stake, it has never been more important to treat that data with care. Whether you are handling records, sending communications, or updating systems, maintaining HIPAA compliance safeguards sensitive health data and keeps your organization in good standing.

Copyright 2025 © – Hipaa University All rights reserved.
