ISpectra Technologies
Scope Guide · Updated Jun 2026 · 8 min read

What Is PHI (and ePHI) Under HIPAA?

Protected health information — PHI — is the data at the very center of HIPAA. Everything the law requires exists to protect it, so understanding exactly what PHI is comes first.


Many compliance mistakes trace back to a fuzzy understanding of what counts as PHI. This guide defines PHI and ePHI clearly, lists the identifiers that make data ‘identifiable,’ and shows where the boundaries lie.

What PHI means

Protected health information is individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or business associate. It has two essential ingredients: a health component (information about a person’s physical or mental health, the care they received, or payment for that care) and an identifier that links the information to a specific individual.

If either ingredient is missing — health information with no way to identify a person, or an identifier with no health context — it generally is not PHI. Getting this definition right is the foundation of scoping HIPAA compliance, because you cannot protect data you have not correctly identified.

What ePHI means

ePHI is simply PHI in electronic form — information that is stored or transmitted by electronic media. This includes records in an electronic health record system, data in a database or cloud storage, messages in a patient portal, and information moving across a network. ePHI is significant because it falls under the HIPAA Security Rule, which imposes specific technical safeguards such as access controls, audit logging, and encryption.

In modern healthcare and health-tech, the overwhelming majority of PHI is ePHI, which is why the Security Rule occupies so much of a typical compliance program.

The 18 HIPAA identifiers

HIPAA specifies eighteen types of identifiers that, when combined with health information, make it PHI. They include names; geographic data smaller than a state; all elements of dates related to an individual; phone and fax numbers; email addresses; Social Security numbers; medical record numbers; health-plan beneficiary numbers; account numbers; certificate and license numbers; vehicle identifiers; device identifiers and serial numbers; web URLs; IP addresses; biometric identifiers like fingerprints and voiceprints; full-face photographs; and any other unique identifying number, characteristic, or code.

If health information contains any of these identifiers, it is generally PHI and must be protected accordingly.


Examples of PHI

PHI appears in many everyday forms. A patient’s name alongside a diagnosis is PHI. An appointment record that ties a person to a clinic visit is PHI. A lab result in a portal, a billing statement showing services rendered, an MRI image, a prescription record, and even a voicemail discussing a patient’s treatment all qualify. The form does not matter — PHI can be electronic, on paper, or spoken aloud.

What is NOT PHI

Not all health-related data is PHI. De-identified information — data from which all eighteen identifiers have been removed (or which an expert has determined carries very low re-identification risk) — is not PHI and falls outside HIPAA. Employment records held by an organization in its role as an employer are not PHI. And health data generated outside a covered-entity or business-associate relationship, such as readings from a consumer fitness tracker you bought yourself, is typically not PHI, even though it is health information.

The key is context: the same data point can be PHI in one setting and not in another, depending on who holds it and why.

De-identification and the safe harbor

HIPAA permits two methods for de-identifying data so it is no longer PHI. The “safe harbor” method requires removing all eighteen identifiers and having no actual knowledge that the remaining information could identify someone. The “expert determination” method relies on a qualified statistician concluding that the risk of re-identification is very small. Properly de-identified data can be used and shared far more freely, which makes de-identification a valuable tool for analytics and research. Knowing which of your data is still PHI and which has been properly de-identified is the practical foundation of scoping HIPAA compliance.

Why correctly identifying PHI matters

Every safeguard, policy, and access control you implement should be driven by where PHI lives. Underestimating your PHI footprint leaves data unprotected; overestimating it wastes effort securing data that does not require it. A careful inventory — mapping which systems, vendors, and workflows touch PHI and ePHI — is therefore the practical starting point of any compliance effort and the basis for an accurate risk analysis.

Treat PHI as the center of your program

Because PHI is what HIPAA exists to protect, it should sit at the center of how you think about compliance. Once you can confidently say what your PHI is, where it lives, and who can reach it, the rest of the program — safeguards, agreements, training, and monitoring — follows logically. Start with the data, and the obligations become far clearer.

PHI in everyday workflows

PHI is not confined to medical records systems — it appears throughout everyday operations. It can live in support tickets that reference a patient’s condition, in spreadsheets exported for analysis, in chat messages between staff, in email attachments, and in backups and logs. Each of these is a place PHI can hide, and each must be accounted for when you scope your safeguards.

This is why a thorough PHI inventory looks beyond the obvious databases to the full set of tools and channels where health information can accumulate, often in unexpected places.
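As an added example that is not part of the original article, the Python script below applies the two-ingredient test (health context plus at least one of the identifiers listed above) to constructed log lines, and produces a safe-harbor style redaction for the lines that qualify, showing how PHI turns up in logs and support tickets. The identifier regexes, the health-term vocabulary and the sample lines are assumptions for illustration, not an exhaustive detector; the 3-digit ZIP truncation is only permissible where that 3-digit area holds more than 20,000 people, which the code assumes.

```python
import re

# Regexes for a subset of the 18 safe-harbor identifier classes.
# Illustrative assumptions only; a real scanner needs a far broader ruleset.
IDENTIFIERS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ip":    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "mrn":   re.compile(r"\bMRN[-: ]?\d{5,}\b", re.IGNORECASE),
    "date":  re.compile(r"\b(\d{4})-\d{2}-\d{2}\b"),
    "zip":   re.compile(r"\b(\d{3})\d{2}(?:-\d{4})?\b"),
}
# Words that mark the "health component" of the two-ingredient test (assumed, deliberately small).
HEALTH_CONTEXT = re.compile(
    r"\b(diagnos\w*|prescri\w*|lab result|treatment|insulin|hba1c|icd-?10)\b", re.IGNORECASE)

# Constructed log lines: the second has identifiers (date, IP) but no health context, so it is not PHI.
LOGS = [
    "2024-03-14 10:02:11 portal INFO user=j.doe@example.org viewed lab result HbA1c for MRN-0042517 from 203.0.113.9",
    "2024-03-14 10:05:40 web INFO GET /static/logo.png 200 from 203.0.113.9",
    "2024-03-14 10:07:02 support INFO ticket#881 caller 555-123-4567 zip 94105 asks about insulin prescription refill",
]

def find_identifiers(text):
    """Return {identifier_class: [matches]} for every identifier class present in text."""
    found = {}
    for name, rx in IDENTIFIERS.items():
        hits = [m.group(0) for m in rx.finditer(text)]
        if hits:
            found[name] = hits
    return found

def is_phi(text):
    """Two-ingredient test: a health component AND an identifier linking it to a person."""
    return bool(HEALTH_CONTEXT.search(text)) and bool(find_identifiers(text))

def safe_harbor_redact(text):
    """Safe-harbor style transform: strip direct identifiers, keep only the year of dates,
    keep only the first three ZIP digits (assumes the area exceeds 20,000 people)."""
    for name in ("email", "ip", "ssn", "phone", "mrn"):  # specific classes first
        text = IDENTIFIERS[name].sub(f"[{name.upper()}]", text)
    text = IDENTIFIERS["date"].sub(r"\1", text)
    return IDENTIFIERS["zip"].sub(r"\1xx", text)

def triage(lines):
    """Classify each line; redact only the lines that are PHI."""
    return [{"phi": is_phi(l), "identifiers": sorted(find_identifiers(l)),
             "redacted": safe_harbor_redact(l) if is_phi(l) else l} for l in lines]

if __name__ == "__main__":
    for row in triage(LOGS):
        print(row)
```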

The risk of underestimating your PHI footprint

Organizations frequently underestimate how much PHI they hold and where it travels. A single integration, export, or new feature can quietly expand the PHI footprint, pulling new systems into scope. When safeguards do not keep pace, that data sits exposed — precisely the gap that leads to breaches and findings.

Treating PHI mapping as a recurring activity rather than a one-time task keeps your understanding current and your protections aligned with where the data actually lives today.

PHI and third-party vendors

Whenever PHI leaves your systems for a vendor — a cloud host, an analytics tool, a communication platform — that vendor becomes part of your PHI footprint and, in most cases, a business associate requiring a Business Associate Agreement. Tracking which vendors receive PHI is therefore an essential part of knowing where your protected data resides and ensuring it stays protected downstream.

From PHI inventory to risk analysis

A complete PHI inventory feeds directly into the HIPAA-required risk analysis. Once you know what PHI you hold, where it lives, how it flows, and who can access it, you can identify the threats to that data and decide how to mitigate them. In this sense, identifying PHI is not just a definitional exercise — it is the practical first step that makes every subsequent safeguard meaningful and measurable.

Make PHI the anchor of your program

Protected health information is the reason HIPAA exists, so it deserves to be the anchor of how you think about compliance. When you can state precisely what your PHI is, where it lives, how it flows, and who can reach it, the rest of the program — safeguards, agreements, training, and monitoring — follows naturally from that understanding.

Start with a thorough, recurring PHI inventory, extend it to every system and vendor that touches the data, and feed it into your risk analysis. Get the data layer right, and you will find that the obligations that once felt abstract become concrete, prioritized, and achievable.


What Is PHI (and ePHI) Under HIPAA? — FAQs

What is PHI?

PHI, or protected health information, is individually identifiable health information held or transmitted by a covered entity or business associate. It combines a health element with an identifier that links it to a specific person, in any form — electronic, paper, or spoken.

What is ePHI?

ePHI is PHI in electronic form — stored or transmitted electronically. ePHI is specifically governed by the HIPAA Security Rule, which requires technical safeguards like access controls and encryption.

What are the 18 HIPAA identifiers?

They are the data elements — such as names, dates, geographic details, Social Security numbers, medical record numbers, email and IP addresses, biometric data, and full-face photos — that make health information individually identifiable and therefore PHI.

What is not PHI?

De-identified data, employment records held by an employer, and health data generated outside a covered-entity or business-associate relationship (such as a personal fitness tracker) are generally not PHI, though other laws may still apply.

Is de-identified data still PHI?

No. Data that has been properly de-identified using the safe harbor or expert-determination method is no longer PHI and falls outside HIPAA, allowing it to be used and shared more freely.

Why does correctly identifying PHI matter?

Your safeguards and risk analysis must be driven by where PHI lives. Correctly identifying PHI prevents leaving data unprotected and avoids wasting effort protecting data that isn't PHI.