What is PHI under HIPAA?
Protected health information (PHI) is health information in any form: physical, electronic, or verbal. PHI is any individually identifiable health information that is used, maintained, stored, or transmitted by a Covered Entity (healthcare providers, health plans, insurers, etc.) or a Business Associate (IT service providers, attorneys, billing services, evaluation services, etc.).
Quick Tip: If your data includes individual or demographic identifiers, treat it as PHI.
The U.S. Department of Health & Human Services (HHS) has published a comprehensive list of the 18 established identifiers that make health information PHI. The presence of even one of these identifiers turns health information into PHI.
- Names
- Dates, except year
- Telephone numbers
- Geographic data
- Fax numbers
- Social Security numbers
- Email addresses
- Medical record numbers
- Account numbers
- Health plan beneficiary numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers including license plates
- Web URLs
- Device identifiers and serial numbers
- Internet protocol addresses
- Full face photos and comparable images
- Biometric identifiers (e.g. retinal scans, fingerprints)
- Any unique identifying number or code