What is Protected Health Information? A Complete Guide

You’ve probably heard of HIPAA and its PHI component, or Protected Health Information. What it is exactly might still be a bit of a mystery to you.

HIPAA stands for the Health Insurance Portability and Accountability Act. It was signed into law in 1996 by former President Bill Clinton. Its main purpose was to ensure that people’s health information is protected and cannot be leaked to third parties.

It is exclusive to the United States, though many other countries have similar laws on their books.

The plan also seeks to protect people with pre-existing conditions, so that their employer cannot deny them insurance based on their health status.

But what about PHI, or Protected Health Information? What does it mean to the individual?

Read on and we’ll help you get a better idea of what PHI actually is and how the information is used and protected within the United States.

Protected Health Information: The Basics

PHI, at the most basic level, refers to the health information of an individual that is created or received by a third party. This can mean health information that is recorded by or given to a health care provider, a public health authority, an employer, a life insurer, a school or university, or a health insurance provider.

Essentially, this means any information given to these entities, whether by word of mouth or in written form, is private. Before such an entity can pass your information on to others, you must sign a document stating that you approve of the disclosure.

The entities, however, may pass on confidential information as long as it cannot identify you personally. Once identifying information is removed, the data is free to use. This may be done for information on student and employee health, government quotas or public health statistics.

What is the Purpose?

The purpose of the PHI rules is to protect the privacy of the individual. Not everyone is comfortable with their medical information being public record, and the laws are in place out of respect for that.

The other major purpose of the PHI rules is to ensure that there is no discrimination by employers, schools or health insurers. They are also in place to protect against social stigma.

Some conditions, such as mental illnesses, still carry a significant social stigma. As such, those who suffer from them may not be comfortable with their information being shared widely or publicly.

What Information Does PHI Refer To?

PHI refers to information about a person’s mental or physical health. This does not only mean current information, but also includes past diagnoses and the prognoses of current conditions.

The rules also refer to payments made by the individual for treatments or medications.

What Does Identifying Information Refer To?

Although information about drug use and health may be collected for statistical purposes, all personally identifiable information must be removed before it is entered into such a data set.

Identifying information is any information that can identify the individual, or that gives people a reasonable basis to believe the individual could be identified.

In some cases, this could include a specific diagnosis if it is very rare and the sufferer is known to the community. However, in most instances, a diagnosis alone is not enough to identify someone and so does not violate the PHI rules.

For example, stating that most people who have lupus are diagnosed between the ages of 15 and 45 is not a PHI violation. Stating that one female was diagnosed with lupus at the age of 17 on March 15, 2014, in San Francisco would be a violation of PHI. This is because the date, age, diagnosis and city of the individual would make it possible to identify her.

What are Considered Identifying Factors?

There are 18 factors that HIPAA considers identifying. They are, however, not an exhaustive list: other information may also violate the PHI rules if it is ruled that it would make it possible to identify the person in question. All such factors must be removed before discussing the individual.

The 18 identifying factors are:

    • Name
    • Geographic location: This is defined as anything smaller than a state, including city and street address.
    • Dates: Any date that can be linked to an individual, such as birth date, death date, diagnosis date, hospital admission date, etc., counts as PHI. Referring to the year alone is acceptable, except where the patient is over the age of 90.
    • Telephone number
    • Fax number
    • E-mail address
    • Social security number
    • Medical record number: This does not include randomized numbers assigned to cases to keep the file anonymous. It does refer to insurance numbers or hospital numbers through which someone could find the individual’s identity.
    • Health plan numbers
    • Any account numbers which link to the individual’s identity
    • License numbers: This includes a driving license, a teaching license, or any other license that would allow someone to identify the individual in question.
    • Car serial numbers or license plate numbers
    • Device serial numbers: This would include computer serial numbers, phone serial numbers or tablet serial numbers. These serial numbers can trace ownership back to a particular individual.
    • Websites that are unique to the individual such as a Facebook profile or Twitter profile
    • IP address
    • Biometric data like fingerprints, voice prints and retinal images.
    • A full-face photograph or any other photograph that might identify an individual. Generally, photographs with the identity redacted, such as by blurring the face or photographing other areas of the body, are acceptable under the PHI rules.
    • Anything else that may reasonably identify the individual.

Once all 18 factors have been removed, the information may be passed along to third-party entities without the express permission of the individual.
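To make the checklist concrete, here is an added example (not code from the original article) that de-identifies a single patient record along the lines of the list above: the direct identifiers are dropped, dates are reduced to the year (and dropped entirely for a patient over 90, whose age is bucketed), and free-text fields are scanned for identifier-shaped strings such as phone numbers or e-mail addresses. The field names, the regular expressions and the sample record are assumptions made for illustration; the catch-all eighteenth factor (rare diagnoses, small communities) still needs human review, which no script can replace.

```python
"""Safe Harbor-style de-identification of one patient record, following the
article's 18-factor list. Added example; field names and regexes are assumptions."""
import re
from datetime import date

# Fields the article lists as direct identifiers: dropped outright.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_number", "account_number",
    "license_number", "license_plate", "device_serial", "profile_url",
    "ip_address", "biometric", "photo",
}

# Identifier-shaped strings that tend to hide in free-text notes.
TEXT_PATTERNS = {
    "[SSN]": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "[PHONE]": re.compile(r"\(?\b\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b"),
    "[EMAIL]": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "[IP]": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "[URL]": re.compile(r"https?://\S+"),
}

def scrub_text(text):
    """Replace identifier-shaped substrings with a placeholder token."""
    for token, pattern in TEXT_PATTERNS.items():
        text = pattern.sub(token, text)
    return text

def deidentify(record):
    """Return a copy of record with the listed identifier classes removed.
    Dates keep only the year; for a patient over 90 the article says even the
    year is not acceptable, so dates are dropped and the age is bucketed."""
    over_90 = isinstance(record.get("age"), int) and record["age"] > 90
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key.endswith("_date"):
            if not over_90:
                year = value.year if isinstance(value, date) else int(str(value)[:4])
                out[key[:-5] + "_year"] = year
            continue
        if key == "age" and over_90:
            out[key] = "90+"
        elif isinstance(value, str):
            out[key] = scrub_text(value)  # free text may hide identifiers
        else:
            out[key] = value
    return out
```

Run against the lupus example from the article, the record keeps "female", "lupus", age 17 and the year 2014, while the name, city and exact date are gone.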

HIPAA Compliance

Protected Health Information is a very important part of HIPAA compliance. Your company should be vigilantly aware of what information makes an individual identifiable, especially when it comes to sensitive data. HIPAA violations can lead to a penalty of no less than $10,000, so it is important that your company follows all rules and regulations.

It is also important that your company is prepared for and able to deal with security breaches, which could put PHI at risk.

You can refer to our website for more information on how to help your company ensure it is in compliance with HIPAA.

HIPAA Security Reminders
HIPAA Security Suite has developed a weekly HIPAA Security Reminder series that’s FREE for all of us who are responsible for, or engaged in, the use and protection of PHI.

Pursuant to Section 164.308(a)(5) of the HIPAA Security Rule, the Standard states: “Implement a security awareness and training program for all members of its workforce (including management).”

This standard is part of our Best Practices Recommendations for HIPAA Security Suite users, but it’s available for FREE to anyone who wants to comply with HIPAA using the easiest, best tools available.
