What Is Considered PHI Under HIPAA?
Understanding Protected Health Information is essential for any organization that handles health data. Whether you're an employer offering health benefits, a broker advising clients, or an HR leader managing employee records, knowing what PHI is under HIPAA helps you stay compliant and protect sensitive information.
Understanding PHI Under HIPAA
Protected Health Information refers to any health data that can identify a specific individual and is created, received, maintained, or transmitted by a covered entity or business associate. According to the HHS Summary of the HIPAA Privacy Rule, PHI includes individually identifiable health information that contains common identifiers such as name, address, birth date, and Social Security Number when combined with health details.
The formal definition covers individually identifiable health information in any format, whether electronic, paper, or oral. PHI protection applies when information relates to a person's past, present, or future physical or mental health condition, healthcare services received, or payment for those services.
For employers managing health benefits, recognizing what is considered PHI under HIPAA matters because mishandling can lead to significant penalties and breach of employee trust.
The 18 HIPAA Identifiers
The Department of Health and Human Services lists 18 identifiers in the Privacy Rule's Safe Harbor de-identification standard. Health information that carries any of them is individually identifiable, and removing all 18 is one recognized way to de-identify it. Treat the list as a checklist rather than a boundary: PHI is any health information that identifies the individual or gives a reasonable basis to identify them, whether or not the identifier appears below.
Personal Identifiers
Personal identifiers include names (full or partial), geographic subdivisions smaller than a state (street address, city, county, and ZIP code, although the first three digits of a ZIP code may be kept when the area they cover holds more than 20,000 people), all elements of dates except the year (including birth, admission, discharge, and death dates, plus any age over 89 and any date that would reveal such an age), phone and fax numbers, email addresses, and Social Security numbers. These are the identifiers most commonly encountered in everyday business operations.
Medical and Account Identifiers
Medical and account identifiers include medical record numbers, health plan beneficiary numbers, account numbers, and certificate or license numbers. Organizations handling health benefits frequently encounter these identifiers when processing claims or managing employee enrollment.
Technical and Biometric Identifiers
Technical and biometric identifiers include vehicle identifiers and serial numbers, device identifiers and serial numbers, web URLs and IP addresses, biometric identifiers like fingerprints and voiceprints, full-face photographs, and any other unique identifying number or code.
When any of these identifiers connect to health information held by a covered entity, the combined data becomes PHI under HIPAA. For brokers advising clients on health benefits, understanding these identifiers ensures proper handling of sensitive employee data.
What Is Not Considered PHI Under HIPAA?
Not all health-related information qualifies as PHI. Several categories of health data fall outside HIPAA protection, which can simplify compliance for certain types of information.
Employment records held by an employer in its role as employer, and education records covered by FERPA, are not considered PHI even when they contain health information. A doctor's note for sick leave in an employee's personnel file does not trigger HIPAA requirements for the employer; the same note filed with the employer's group health plan would be PHI, because the plan is a covered entity. This distinction matters for SMB and enterprise organizations managing workforce health documentation.
Consumer health technology data from wearable devices, fitness trackers, and mobile health apps is generally not PHI. Heart rate data from a smartwatch or steps logged in a fitness app fall outside HIPAA protection because the companies operating these products are usually not covered entities or business associates. Other rules, such as the FTC's Health Breach Notification Rule, may still apply to that data.
De-identified health information is no longer considered PHI. Under the Privacy Rule's Safe Harbor method, that means removing all 18 identifiers and having no actual knowledge that the remaining data could identify the individual; the alternative, Expert Determination, requires a qualified expert to document that the risk of re-identification is very small. Either way, organizations can use the result for research and analytics without HIPAA restrictions or patient authorization. Health information alone, such as a dataset of blood pressure readings with no identifiers attached, does not constitute PHI.
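The Safe Harbor method described above is mechanical enough to show in code. The following Python is an added example, not code from this article or from Venteur: it applies the Safe Harbor rules to a structured record (dropping direct identifiers, reducing dates to the year, truncating ZIP codes to three digits with the restricted prefixes set to 000, and folding ages over 89 into a single 90-or-older bucket) and then re-checks the output for identifiers that survived in free text. The field names, the sample record, and the reference date are constructed for this example; the restricted ZIP-prefix list is the one HHS publishes in its Safe Harbor guidance and should be confirmed against current guidance before use.

```python
"""Safe Harbor de-identification of a structured health record (added example)."""
import re
from datetime import date

# Field names are assumptions for this example's record layout; map your own
# schema onto them. Every field here carries a Safe Harbor identifier outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_beneficiary_number",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric_template", "face_photo",
}

# Three-digit ZIP prefixes that HHS's Safe Harbor guidance lists as covering
# 20,000 people or fewer (2000 Census figures); Safe Harbor requires these to
# be reported as 000. Confirm against current HHS guidance before relying on it.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}

ISO_DATE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")

# Patterns the post-scrub check uses to catch identifiers left in free text.
LEAK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}

# Reference date for the age calculation; fixed so the example is reproducible.
AS_OF = date(2024, 3, 2)


def parse_iso(value: str) -> tuple[int, int, int]:
    m = ISO_DATE.match(value)
    if not m:
        raise ValueError(f"expected YYYY-MM-DD, got {value!r}")
    return tuple(int(p) for p in m.groups())


def year_of(value: str) -> int:
    """Only the year of a date may survive Safe Harbor."""
    return parse_iso(value)[0]


def age_on(birth: str, as_of: date) -> int:
    y, mo, d = parse_iso(birth)
    return as_of.year - y - ((as_of.month, as_of.day) < (mo, d))


def generalize_zip(zip_code: str) -> str:
    """Keep only the three-digit ZIP prefix, or 000 when the prefix is restricted."""
    digits = re.sub(r"\D", "", zip_code)[:3]
    return "000" if len(digits) < 3 or digits in RESTRICTED_ZIP3 else digits


def safe_harbor_deidentify(record: dict, as_of: date = AS_OF) -> dict:
    """Return a copy of `record` with the 18 Safe Harbor identifiers removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                                   # identifier field: drop it
        if key == "zip":
            out["zip3"] = generalize_zip(value)        # geography coarser than a ZIP code
        elif key == "birth_date":
            continue                                   # handled with the over-89 rule below
        elif key.endswith("_date"):
            out[key[:-5] + "_year"] = year_of(value)   # admission, discharge, death: year only
        else:
            out[key] = value                           # clinical content stays
    if "birth_date" in record:
        age = age_on(record["birth_date"], as_of)
        if age > 89:
            out["age_band"] = "90+"                    # over 89: drop even the birth year
        else:
            out["birth_year"] = year_of(record["birth_date"])
            out["age"] = age
    return out


def leaked_identifiers(record: dict) -> list[tuple[str, str]]:
    """(field, pattern) pairs where a string value still looks like a Safe Harbor identifier."""
    hits = []
    for key, value in record.items():
        if isinstance(value, str):
            hits.extend((key, label) for label, pat in LEAK_PATTERNS.items() if pat.search(value))
    return hits


# Constructed sample record for this example; no real person or system behind it.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "ssn": "123-45-6789",
    "email": "jane@example.invalid",
    "zip": "03601",
    "birth_date": "1931-06-15",
    "admission_date": "2024-03-02",
    "diagnosis_code": "I10",
    "notes": "Follow-up call to 555-010-2020 scheduled 2024-03-09.",
}

if __name__ == "__main__":
    scrubbed = safe_harbor_deidentify(SAMPLE_RECORD)
    print(scrubbed)
    # Field-level scrubbing does not reach free text: the notes still leak a phone and a date.
    print("still identifying:", leaked_identifiers(scrubbed))
```

Run on the sample, the structured fields come out clean (ZIP 03601 becomes 000 because 036 is a restricted prefix, and a 92-year-old patient loses even her birth year), but the free-text notes field still carries a phone number and a full date. That is the point of the second function: Safe Harbor is only satisfied when nothing identifying remains anywhere in the record, so free-text fields need either removal or a dedicated text scrubber, and the organization must also have no actual knowledge that the remaining data could identify the person.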
Information held by non-covered entities also falls outside HIPAA. A life insurance company, or an employer wellness program that is not part of a group health plan, may hold health information that is not considered PHI under HIPAA rules, even though other privacy laws may still apply to it.
Who Must Comply with HIPAA?
HIPAA applies to three main categories of covered entities, plus their business associates. Understanding who must comply helps organizations determine their obligations.
Health plans include health insurance companies, HMOs, employer-sponsored group health plans, and government programs like Medicare and Medicaid. Healthcare providers who transmit health information electronically in connection with a HIPAA standard transaction, such as a claim or eligibility check, must also comply, including doctors, hospitals, pharmacies, and clinics.
Healthcare clearinghouses that convert health information from one format to another are covered entities as well. Business associates that create, receive, maintain, or transmit PHI on behalf of a covered entity must follow HIPAA rules, including vendors, consultants, and third-party administrators, and since the HITECH Act their subcontractors are directly liable too.
A Simple Test for Identifying PHI
When you're unsure whether information qualifies as PHI under HIPAA, ask three straightforward questions. First, is your organization a covered entity or business associate, and is it holding the information in that capacity rather than as an employer? Second, does the information relate to someone's health condition, treatment, or payment for care? Third, can that health information be linked to a specific individual, directly or by reasonable inference?
If you answer yes to all three questions, the data qualifies as PHI and requires HIPAA protection. Understanding what PHI is under HIPAA through this simple framework helps organizations make quick compliance decisions.
How Venteur Supports HIPAA Compliance
Managing health benefits while maintaining regulatory compliance can feel overwhelming. At Venteur, our ICHRA platform helps you offer personalized health benefits while prioritizing data security and compliance. We handle sensitive health benefit information with built-in safeguards, allowing your HR team to focus on the employee experience rather than compliance concerns.
Whether you're a startup just beginning to offer benefits or an established organization looking for flexibility, our platform provides enterprise-level compliance support with no setup fees or monthly minimums.
Protecting What Matters
Protected Health Information under HIPAA encompasses any identifiable health data held by covered entities and their business associates. Understanding the 18 identifiers, knowing what is not considered PHI under HIPAA, and applying a simple three-question test will help you navigate compliance confidently. As healthcare data security continues to evolve, protecting PHI is not just a legal obligation but an essential part of maintaining trust with employees and clients.
Ready to simplify your health benefits administration while staying compliant? Explore how Venteur can help your business today.
You got questions, we got answers!
We're here to help you make informed decisions on health insurance for you and your family. Check out our FAQs or contact us if you have any additional questions.
Health information becomes PHI when it identifies the individual (or reasonably could, for example because it carries one or more of the 18 HIPAA identifiers) and is held by a covered entity or business associate. Without an identifying element, or without the involvement of a covered entity or business associate, health data does not qualify as PHI under HIPAA rules.
The answer depends on who maintains the records:
- Medical records maintained by a healthcare provider are PHI
- Health information in employment records, such as sick leave notes maintained by an employer, is generally not considered PHI under HIPAA.
Most consumer health apps and wearable devices are not covered by HIPAA because the companies operating them are not covered entities:
- Data from fitness trackers and smartwatches typically falls outside HIPAA
- However, if a healthcare provider or health plan uses data from these devices, that data may become PHI
PHI is health information that can be linked to an individual, typically through one or more of the 18 HIPAA identifiers. De-identified data has been stripped of those identifiers under the Safe Harbor method (all 18 removed, with no actual knowledge that the remainder could identify the person) or certified by Expert Determination, and can then be used for research and analytics without HIPAA restrictions or authorization requirements.
The Office for Civil Rights within the Department of Health and Human Services has responsibility for implementing and enforcing the Privacy Rule. OCR handles voluntary compliance activities, investigates complaints, and can impose civil money penalties for violations.