
What Counts as PHI Under HIPAA in 2025?

  • Writer: Patient Protect Editorial Team
  • Apr 23
  • 4 min read

Updated: Apr 26

A Practical Guide for Providers, Business Associates, and Digital Health Innovators


In an era where health data moves across patient portals, wearables, and AI-driven systems, the definition of Protected Health Information (PHI) has never been more important—or more misunderstood.

Protected Health Information (PHI) includes sensitive data like genetic profiles, biometric identifiers, and any info that can tie health records to individual identity.

If you're a covered entity, business associate, or health tech innovator, it's essential to understand not just what PHI is, but also when it applies, who it protects, and how it shapes compliance strategy. This guide cuts through the legal jargon to deliver exactly that.


What Is PHI?

PHI under HIPAA is individually identifiable health information created, received, maintained, or transmitted by a covered entity or business associate, in any form—electronic, paper, or oral.

That means:


  • If it’s health-related,

  • Tied to a person (directly or indirectly), and

  • Held by a healthcare provider, plan, or their partner...

…it’s PHI.


PHI Isn’t a List—It’s a Context

The biggest misconception? That PHI is just a static list of 18 identifiers. While those identifiers matter, PHI is about context. Specifically:

  • Health Information: Any info about physical/mental health, healthcare services, or payment.

  • Individually Identifiable: Anything that can reasonably identify the person.

  • Held by a HIPAA-Regulated Entity: Covered entity or business associate, in a designated record set.


PHI in Action: A Real Example

Let’s say a clinic records “Jamie has Type 1 diabetes” in their patient portal. That’s PHI.

If a smartwatch company tracks Jamie’s glucose level but isn’t acting as a business associate? That’s not PHI—though it may still be protected under FTC or state rules.


Designated Record Sets: The Hidden Backbone of PHI

A Designated Record Set (DRS) is any group of records used to make decisions about an individual. It could be a full EHR system, or even one photograph.

Example: A parent sends a picture of their newborn to a pediatrician’s office. Once that picture is stored in the patient file, it is PHI. A thank-you card with the baby’s name is also PHI, because it sits in the same DRS.


This is why non-health info becomes PHI if it's stored with health info in a DRS.


Who Must Protect PHI?

  • Covered Entities: Healthcare providers, health plans, healthcare clearinghouses.

  • Business Associates: Any vendor or service provider handling PHI on behalf of a covered entity.


Reminder: Even if you’re just storing PHI for a client (e.g., IT provider, transcription service), you’re bound by HIPAA.


What PHI Isn’t

Some data might look like PHI but legally isn’t:

  • Student medical records: Covered by FERPA, not HIPAA.

  • Employment-related health data: Part of HR files, not HIPAA.

  • Personal health apps (unless contracted by a covered entity): Not covered under HIPAA, but may fall under FTC’s Health Breach Notification Rule.

When Identifiers Turn Health Info Into PHI

HIPAA’s “Safe Harbor” rule lists 18 identifiers that, when paired with health data, create PHI. Examples include:

  • Name

  • Address (smaller than state)

  • Dates (birth, admission, discharge)

  • Contact details

  • Social Security and medical record numbers

  • IP address, photos, biometrics

But here's the 2025 reality: even if these are removed, re-identification is still possible. That’s why a more rigorous approach (like the Expert Determination method) is often required when sharing de-identified data.

De-Identification: When PHI Becomes Freely Usable

There are two paths to safely use health data without HIPAA risk:

  1. Safe Harbor: Remove all 18 identifiers, and don’t have actual knowledge the data can still identify someone.

  2. Expert Determination: A qualified statistician assesses and certifies that the risk of re-identification is “very small.”

Use de-identification when publishing research, building AI models, or sharing aggregate outcomes—but be aware: de-identified does not mean risk-free.
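The Safe Harbor path above is mechanical enough to show in code. The following is an added example, not code from Patient Protect or from this post: it takes a constructed patient record, drops the direct identifiers, generalizes the quasi-identifiers the way Safe Harbor requires (ZIP code cut to its first three digits and zeroed for sparsely populated prefixes, dates reduced to year, ages over 89 collapsed into one bucket along with the birth year that would reveal them), and then scans the free-text notes for identifier patterns that routinely survive field-level scrubbing. Field names, the sample record and the `sparse_zip_prefixes` parameter are assumptions made for the example; the population lookup that decides which ZIP prefixes are sparse is outside it. The "no actual knowledge" element of Safe Harbor, and Expert Determination, are human judgments that no script can supply.

```python
"""Safe Harbor-style de-identification of a constructed patient record.

Added example, not from the original post. Field names, the sample record
and the sparse-ZIP prefix set are constructed for illustration.
"""
import re
from datetime import date

# Direct identifiers that Safe Harbor requires removed outright.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}

# Identifier patterns that often survive inside free-text fields.
FREE_TEXT_PATTERNS = {
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "ip":    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date":  re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}


def generalize_zip(zip_code, sparse_prefixes):
    """Keep only the first three ZIP digits; prefixes whose population is
    20,000 or fewer must become '000'. The caller supplies that set."""
    prefix = str(zip_code)[:3]
    return "000" if prefix in sparse_prefixes else prefix


def generalize_age(age, cutoff=89):
    """Ages over 89 are collapsed into a single '90+' category."""
    return "90+" if age > cutoff else age


def scrub_free_text(text):
    """Replace identifier patterns in free text with tagged tokens and
    report which patterns fired, so the residue is visible to a reviewer."""
    found = []
    for label, pattern in FREE_TEXT_PATTERNS.items():
        if pattern.search(text):
            found.append(label)
            text = pattern.sub(f"[{label.upper()}]", text)
    return text, found


def safe_harbor(record, sparse_zip_prefixes=frozenset()):
    """Return a de-identified copy of `record` under Safe Harbor rules."""
    over_89 = record.get("age", 0) > 89
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                      # drop direct identifiers
        if key == "zip":
            out[key] = generalize_zip(value, sparse_zip_prefixes)
        elif key == "age":
            out[key] = generalize_age(value)
        elif key == "dob" and over_89:
            continue                      # birth year would reveal age > 89
        elif isinstance(value, date):
            out[key] = value.year         # only the year may remain
        elif key == "notes":
            out[key], out["notes_scrubbed"] = scrub_free_text(value)
        else:
            out[key] = value
    return out


# Constructed sample record (not real data).
SAMPLE_RECORD = {
    "name": "Jamie Example",
    "mrn": "MRN-0001234",
    "zip": "99501",
    "age": 92,
    "dob": date(1932, 3, 14),
    "admission_date": date(2025, 4, 2),
    "diagnosis": "Type 1 diabetes",
    "notes": "Call 555-123-4567 to discuss; patient email jamie@example.com.",
}

if __name__ == "__main__":
    for k, v in safe_harbor(SAMPLE_RECORD).items():
        print(f"{k}: {v}")
```

Running it on the sample record leaves only the ZIP prefix, the "90+" age bucket, the admission year, the diagnosis, and a notes field with the phone number and e-mail address replaced by tags. The `notes_scrubbed` list is the point of the exercise: any non-empty value there is a record that looked clean at the field level and was not, which is exactly the re-identification exposure the post warns about and the reason Expert Determination is often required before sharing.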

Access, Amendments, and Disclosure: PHI Rights You Can’t Ignore

Patients have rights over their PHI, and failure to honor those rights can trigger costly OCR investigations. Covered entities must:

  • Provide access to PHI (within 15 days under new HHS proposals)

  • Honor requests for corrections

  • Track disclosures (with a 6-year history available upon request)

Operational Pitfalls: Too Loose vs. Too Locked Down

  • Too loose? A scheduler emails PHI without encryption, and that is a breach.

  • Too tight? Locking transport info behind credentials so no one can access it? That’s a workflow failure.

HIPAA isn’t just about protection. It’s about balancing security with usability—especially under the Minimum Necessary Rule.

2025 Watchouts: Where PHI Protection Is Headed

  • AI-generated diagnostics must meet HIPAA security standards.

  • Interoperability rules mean PHI will move more freely—and securely—between providers.

  • State-level laws (like Washington’s My Health My Data Act) now protect health data beyond HIPAA’s reach.

Quick FAQ: Modern PHI Questions

Is a name alone PHI? No—only when stored with health info in a DRS.

Are appointment calls PHI? Not until they include medical context or are logged in a patient record.

Is a photo PHI? Yes, if it identifies a patient and is stored by a covered entity.

Are wearables regulated under HIPAA? Only if they’re part of a service on behalf of a covered entity.

Can a baby wall photo in a clinic be PHI? Yes—if it identifies the patient and is linked to their care.

Final Thought: It’s Not Just About Compliance—It’s About Trust

At its core, HIPAA’s PHI protections are about one thing: safeguarding patient trust. In 2025, that means not only knowing what counts as PHI—but proving you can protect it.

Patient Protect helps independent practices exceed HIPAA requirements through real-time dashboards, automated safeguards, and policy frameworks that adapt to both federal law and state-specific demands.

Ready to benchmark your PHI protection strategy?

