What is Protected Health Information (PHI)?

Protected Health Information (PHI) is individually identifiable health information held or transmitted by a HIPAA covered entity or business associate, in any form — paper, oral, or electronic. The Privacy Rule lists 18 identifiers (name, dates, addresses, medical record numbers, and more) that, when tied to health data, make information PHI. Electronic PHI is called ePHI.

PHI is the core thing HIPAA protects, so defining it correctly determines the scope of every policy you write. If your team cannot say precisely what counts as PHI — and that it includes spoken conversations, faxes, voicemails, and database records, not just charts — then access controls, the minimum necessary standard, and breach analysis all rest on shaky ground.

A concrete example: a billing spreadsheet that pairs patient names with appointment dates and diagnosis codes is PHI; the same diagnosis statistics with all 18 identifiers stripped out (de-identified data) generally fall outside HIPAA. Misjudging that line is how practices accidentally email PHI without safeguards.

Documented data-classification and PHI-handling policies make audit prep faster because they show, on paper, that staff know what PHI is and how to treat it. Templates accelerate that documentation, but they do not by themselves make a practice HIPAA-compliant — you still have to apply the safeguards and train your people.

Related terms: HIPAA Privacy Rule · HIPAA Security Rule · Minimum Necessary Standard · Data Classification

Frequently asked questions

What are the 18 HIPAA identifiers?
They include names; geographic data smaller than a state; all dates tied to an individual; phone, fax, and email; Social Security, medical record, health plan, and account numbers; certificate/license numbers; vehicle and device identifiers; URLs and IP addresses; biometric identifiers; full-face photos; and any other unique identifying code. When linked to health information, these make data PHI.
Is a patient's name alone PHI?
Not by itself. A name becomes PHI only when combined with health information or with the fact that the person received care from a covered entity. Context is what makes an identifier protected.
What is the difference between PHI and ePHI?
ePHI is simply PHI that is created, stored, or transmitted in electronic form. The Privacy Rule covers PHI in all formats; the Security Rule applies specifically to ePHI.

Toolkits that cover Protected Health Information (PHI)

HIPAA Security & Privacy Rules

HIPAA Compliance Toolkit — Medical Practices

18 editable HIPAA policies plus the Security Risk Assessment workbook and audit evidence checklist, written for small medical practices and clinics.

$7930% off with codeView toolkit
HIPAA Security & Privacy Rules

HIPAA Compliance Toolkit — Dental Practices

18 editable HIPAA policies plus the Security Risk Assessment workbook and audit evidence checklist, written specifically for dental offices.

$7930% off with codeView toolkit
HIPAA Security & Privacy Rules

HIPAA Compliance Toolkit — Mental Health Practices

18 editable HIPAA policies written for therapists and behavioral-health practices — teletherapy security, psychotherapy-notes handling — plus the Security Risk Assessment workbook and audit evidence checklist.

$7930% off with codeView toolkit

Learn more in our HIPAA guide, explore the editable policy templates, or browse the full compliance glossary.

← Back to the compliance glossary

Professional editable templates — general information only, not legal, audit, tax, or certification advice, and no professional or advisory relationship is created. No purchase makes an organization compliant or certified. Review each document with qualified counsel, your compliance professional, or your auditor before relying on it. ISO, IEC, SOC 2, AICPA, HIPAA, NIST, GDPR, the EU AI Act, IRS and FTC are referenced descriptively only; ComplianceDocs (ExpertEngine LLC) is independent and is not affiliated with, endorsed by, or certified by any standards body, regulator, or audit firm.