What Counts as PHI Under HIPAA in 2025?
- Patient Protect Editorial Team
- Apr 23
- 4 min read
Updated: Apr 26
A Practical Guide for Providers, Business Associates, and Digital Health Innovators
In an era where health data moves across patient portals, wearables, and AI-driven systems, the definition of Protected Health Information (PHI) has never been more important—or more misunderstood.

If you're a covered entity, business associate, or health tech innovator, it's essential to understand not just what PHI is, but also when it applies, who it protects, and how it shapes compliance strategy. This guide cuts through the legal jargon to deliver exactly that.
What Is PHI?
PHI under HIPAA is individually identifiable health information created, received, maintained, or transmitted by a covered entity or business associate, in any form—electronic, paper, or oral.
That means:
If it’s health-related,
Tied to a person (directly or indirectly), and
Held by a healthcare provider, plan, or their partner...
…it’s PHI.
PHI Isn’t a List—It’s a Context
The biggest misconception? That PHI is just a static list of 18 identifiers. While those identifiers matter, PHI is about context. Specifically:
Health Information: Any info about physical/mental health, healthcare services, or payment.
Individually Identifiable: Anything that can reasonably identify the person.
Held by a HIPAA-Regulated Entity: Created, received, maintained, or transmitted by a covered entity or business associate. (Whether the information also sits in a designated record set governs the patient's access and amendment rights; it does not decide whether the information is PHI.)
PHI in Action: A Real Example
Let’s say a clinic records “Jamie has Type 1 diabetes” in their patient portal. That’s PHI.
If a smartwatch company tracks Jamie’s glucose level but isn’t acting as a business associate? That’s not PHI—though it may still be protected under FTC or state rules.
Designated Record Sets: The Hidden Backbone of PHI
A Designated Record Set (DRS) is the group of records a covered entity uses to make decisions about an individual: medical and billing records, a health plan's enrollment, payment and claims records, and anything else used in whole or in part to make decisions about the person. It could be a full EHR system, or a single photograph in a paper chart.
Example: A parent sends a picture of their newborn to a pediatrician’s office. That picture, stored in the patient file = PHI. A thank-you card with the baby’s name = also PHI, because it's in the same DRS.
This is why information that is not itself clinical becomes PHI once it's filed with health information about an identifiable patient: the fact that the person is a patient of that provider is, by itself, information about the provision of health care.
Who Must Protect PHI?
Covered Entities: Healthcare providers, health plans, healthcare clearinghouses.
Business Associates: Any vendor or service provider handling PHI on behalf of a covered entity.
Reminder: Even if you’re just storing PHI for a client (e.g., IT provider, transcription service), you’re bound by HIPAA.
What PHI Isn’t
Some data might look like PHI but legally isn’t:
Student medical records: Covered by FERPA, not HIPAA.
Employment-related health data: Records a covered entity holds in its role as an employer (sick notes, fitness-for-duty results in an HR file) are excluded from PHI. The same data in the employee's chart as a patient of that organization is PHI.
Personal health apps (unless contracted by a covered entity): Not covered under HIPAA, but may fall under FTC’s Health Breach Notification Rule.
When Identifiers Turn Health Info Into PHI
HIPAA's "Safe Harbor" de-identification standard lists 18 identifiers that must be removed before health data can be treated as de-identified. Their presence alongside health data is the clearest signal that you are handling PHI, but PHI is not limited to these 18: any data that can reasonably identify the person counts. The 18 include:
Name
Address (any geographic subdivision smaller than a state, except the first three digits of a ZIP code when that ZIP3 area holds more than 20,000 people)
Dates (except year) directly related to the individual: birth, admission, discharge, death, and any age over 89
Contact details (phone, fax, email)
Social Security, medical record, health plan, account, license, vehicle and device numbers
URLs, IP addresses, full-face photographs, biometric identifiers
But here's the 2025 reality: even with these removed, re-identification is still possible by linking the remaining fields (ZIP3, year of birth, diagnosis, visit year) to outside datasets. That's why the more rigorous Expert Determination method is often the better choice when sharing de-identified data, and why Safe Harbor output still deserves a residual-risk review.
De-Identification: When PHI Becomes Freely Usable
There are two paths to safely use health data without HIPAA risk:
Safe Harbor: Remove all 18 identifiers of the individual and of their relatives, employers and household members, and have no actual knowledge that the remaining data could be used, alone or in combination, to identify the person.
Expert Determination: A person with appropriate statistical or scientific expertise applies generally accepted principles, determines that the risk of re-identification is "very small," and documents the methods and the result of that analysis.
Use de-identification when publishing research, building AI models, or sharing aggregate outcomes—but be aware: de-identified does not mean risk-free.
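The Safe Harbor rules above are mechanical enough to implement, so here is an added example (written for this article, not code from the original page or any vendor) that applies them to a constructed patient record: the 18 identifier fields are dropped, ZIP codes are cut to three digits (or "000" for the low-population areas HHS lists), dates are reduced to the year, ages over 89 are bucketed as "90+", and free-text fields are scanned for residual identifiers so the "no actual knowledge" half of the rule is not skipped. The field names, the sample record and the regex patterns are assumptions for this example; the ZIP3 list is taken from HHS guidance based on the 2000 Census and must be refreshed against current data before use.

```python
"""Safe Harbor de-identification of one patient record (added example)."""
import re
from datetime import date

# Field names this constructed schema uses for the 18 Safe Harbor identifier
# categories. Assumption: a real EHR export will map these differently.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric_id",
    "photo_ref", "other_unique_code",
}

# ZIP3 areas with 20,000 or fewer residents must become "000". Listed in the
# HHS de-identification guidance from 2000 Census data; treat as an assumption
# and regenerate from current Census figures before relying on it.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

# Free-text patterns that signal an identifier survived in a note. Constructed
# for this example and deliberately not exhaustive.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def generalize_zip(zip_code):
    """Keep the first three digits unless the ZIP3 area is low-population."""
    zip3 = str(zip_code)[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_age(age):
    """Ages over 89 collapse into a single '90+' bucket."""
    return "90+" if age > 89 else age


def generalize_date(d, age):
    """Keep only the year; drop even that when it would reveal an age over 89."""
    return None if age > 89 else d.year


def scan_free_text(text):
    """Names of residual identifier patterns found in a free-text value."""
    return sorted(n for n, pat in RESIDUAL_PATTERNS.items() if pat.search(text))


def safe_harbor_deidentify(record):
    """Apply Safe Harbor to one record.

    Returns (deidentified_record, findings). A non-empty findings list means
    free text still carries an identifier, so the output must not be released
    as de-identified until those fields are reviewed or redacted.
    """
    age = record.get("age", 0)
    out, findings = {}, []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue  # categories 1-18: removed outright
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field == "age":
            out["age"] = generalize_age(value)
        elif isinstance(value, date):
            year = generalize_date(value, age)
            if year is not None:
                out[field + "_year"] = year
        else:
            if isinstance(value, str):
                hits = scan_free_text(value)
                if hits:
                    findings.append((field, hits))
            out[field] = value
    return out, findings


# Constructed sample records; the patients and values are fictional.
SAMPLE = {
    "name": "Jamie Rivera", "mrn": "MRN-0048213", "email": "jamie@example.com",
    "zip": "03601", "age": 34, "dob": date(1991, 2, 14),
    "admit_date": date(2025, 3, 2), "diagnosis": "Type 1 diabetes",
    "note": "Patient prefers calls at 603-555-0142 after 5pm.",
}
SAMPLE_ELDERLY = {
    "name": "Pat Okafor", "zip": "10001", "age": 92, "dob": date(1933, 1, 1),
    "diagnosis": "Hypertension", "note": "Lives with daughter.",
}

if __name__ == "__main__":
    for rec in (SAMPLE, SAMPLE_ELDERLY):
        print(safe_harbor_deidentify(rec))
```

For the first record the output keeps only zip3 "000", the age, the birth and admission years and the two text fields, and reports that the note still contains a phone number; for the second, the age becomes "90+" and the birth year is dropped entirely. The findings list is the part worth wiring into a release gate: Safe Harbor is satisfied by removing the 18 categories only if nobody has actual knowledge that what remains identifies the patient, and a scan like this is how that knowledge gets surfaced rather than assumed away.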
Access, Amendments, and Disclosure: PHI Rights You Can’t Ignore
Patients have rights over their PHI, and failure to honor those rights can trigger costly OCR investigations. Covered entities must:
Provide access to PHI (within 30 days today, with one 30-day extension; HHS has proposed shortening this to 15 days)
Honor requests for corrections
Track disclosures (with a 6-year history available upon request)
Operational Pitfalls: Too Loose vs. Too Locked Down
Too loose? A scheduler emails PHI unencrypted to the wrong recipient. That's presumed to be a reportable breach unless a documented risk assessment shows a low probability that the PHI was compromised.
Too tight? Locking patient transport details behind credentials that nobody on the floor holds, so staff can't get the information they need to move the patient? That's a workflow failure, not a safeguard.
HIPAA isn't just about protection. It's about balancing security with usability, especially under the Minimum Necessary standard, which asks you to limit each use or disclosure of PHI to what the task requires, not to block access outright.
2025 Watchouts: Where PHI Protection Is Headed
AI systems that process PHI for a covered entity or business associate must meet the Security Rule's safeguards, and the AI vendor needs a business associate agreement before it sees the data.
Interoperability rules mean PHI will move more freely—and securely—between providers.
State-level laws (like Washington’s My Health My Data Act) now protect health data beyond HIPAA’s reach.
Quick FAQ: Modern PHI Questions
Is a name alone PHI? No. It becomes PHI when a covered entity or business associate holds it together with health information, for example on a patient list or in a chart, because the name then identifies someone as a patient.
Are appointment calls PHI? Yes, once they tie an identifiable person to a provider and a visit; the fact that a named person has an appointment relates to the provision of health care, even before any diagnosis is mentioned.
Is a photo PHI? Yes, if it identifies a patient and is stored by a covered entity.
Are wearables regulated under HIPAA? Only if they’re part of a service on behalf of a covered entity.
Can a baby wall photo in a clinic be PHI? Yes—if it identifies the patient and is linked to their care.
Final Thought: It’s Not Just About Compliance—It’s About Trust
At its core, HIPAA’s PHI protections are about one thing: safeguarding patient trust. In 2025, that means not only knowing what counts as PHI—but proving you can protect it.
Patient Protect helps independent practices exceed HIPAA requirements through real-time dashboards, automated safeguards, and policy frameworks that adapt to both federal law and state-specific demands.
Ready to benchmark your PHI protection strategy?