
PHI: Protected Health Information

Protected Health Information (PHI) is individually identifiable health information that is created, received, maintained, or transmitted by a HIPAA-covered entity — encompassing any information that could be used to identify a patient and relates to their health condition, care, or payment.

What is PHI?

Protected Health Information (PHI) is defined under HIPAA as any individually identifiable health information (IIHI) that is transmitted or maintained in any form or medium. PHI includes demographic information, medical history, test and laboratory results, mental health conditions, insurance information, and any other data collected from patients as part of the provision of healthcare services — where that information could be used to identify the individual.

The 18 HIPAA Identifiers

Under HIPAA's Safe Harbor de-identification method, the following 18 types of identifiers must be removed to create de-identified health information:

  1. Names
  2. Geographic data smaller than state (address, city, ZIP code, county)
  3. Dates (other than year) directly related to an individual (DOB, admission, discharge, death dates)
  4. Phone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/licence numbers
  12. Vehicle identifiers (licence plate, VIN)
  13. Device identifiers and serial numbers
  14. Web URLs
  15. IP addresses
  16. Biometric identifiers (fingerprints, voiceprints)
  17. Full-face photographs and comparable images
  18. Any other unique identifying numbers, characteristics, or codes

De-identification Methods

HIPAA permits two methods to de-identify health data: Safe Harbor (remove all 18 identifiers and have no actual knowledge that the remaining information could identify an individual) and Expert Determination (a qualified statistical or scientific expert applies generally accepted principles and certifies that the risk of re-identification is very small). De-identified data is not subject to HIPAA — it can be shared freely, used for research, and published without patient authorisation.

Minimum Necessary Standard

Even when PHI disclosure is permitted under HIPAA, covered entities must make reasonable efforts to limit the use or disclosure of PHI to the minimum necessary to accomplish the intended purpose. An analytics vendor processing data for quality measure calculation does not need full narrative clinical notes — structured coded data (ICD-10 codes, CPT codes, lab results, dates) is sufficient and limits PHI exposure under the Minimum Necessary Standard.
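As an added example (not part of this glossary), the Safe Harbor removal described above and the Minimum Necessary projection for a quality-measure vendor, applied to a constructed patient record; the field names, the vendor allow-list and the refusal of unclassified fields are assumptions of this example.

```python
import re

# Record fields that fall under the 18 Safe Harbor identifier categories.
# Field names are assumed for this constructed example, not a real EHR schema.
IDENTIFIER_FIELDS = {
    "name", "address", "city", "zip", "county", "phone", "fax", "email",
    "ssn", "mrn", "plan_id", "account_no", "licence_no", "plate", "vin",
    "device_serial", "url", "ip", "fingerprint", "photo",
}
# Dates directly related to the individual: only the year may remain.
DATE_FIELDS = {"dob", "admitted", "discharged", "died"}
# Fields known to carry no identifier (state-level geography is allowed).
# Anything else is treated as category 18 ("any other unique ... code")
# and refused, because a deny-list alone cannot enumerate that category.
CLINICAL_FIELDS = {"state", "sex", "icd10", "cpt", "labs", "notes"}

def year_only(value):
    """Keep only the year of an ISO-8601 date string (None if unparseable)."""
    m = re.match(r"^(\d{4})-\d{2}-\d{2}$", str(value))
    return m.group(1) if m else None

def safe_harbor(record):
    """Strip identifier fields and reduce dates to year; refuse unknown fields."""
    unknown = set(record) - IDENTIFIER_FIELDS - DATE_FIELDS - CLINICAL_FIELDS
    if unknown:
        raise ValueError(f"unclassified fields, cannot de-identify: {sorted(unknown)}")
    out = {}
    for key, value in record.items():
        if key in IDENTIFIER_FIELDS:
            continue
        out[key] = year_only(value) if key in DATE_FIELDS else value
    return out

# Minimum Necessary: the quality-measure vendor receives coded data and
# dates only (still PHI), never the narrative clinical notes.
QUALITY_MEASURE_FIELDS = {"icd10", "cpt", "labs", "admitted", "discharged"}

def minimum_necessary(record, allowed=QUALITY_MEASURE_FIELDS):
    """Project a PHI record onto the fields the stated purpose requires."""
    return {k: v for k, v in record.items() if k in allowed}

# Constructed sample record; every value is fictitious.
PATIENT = {
    "name": "Jane Doe", "dob": "1961-04-12", "zip": "02139", "state": "MA",
    "mrn": "MRN-0001", "email": "jane@example.com", "admitted": "2023-08-03",
    "discharged": "2023-08-07", "icd10": ["E11.9"], "cpt": ["99223"],
    "labs": [{"test": "HbA1c", "value": 7.4}],
    "notes": "Pt reports ... (free-text narrative)",
}
```

The two functions serve different purposes: `safe_harbor` produces data that is no longer PHI, while `minimum_necessary` limits a permitted PHI disclosure and therefore keeps full dates.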