Protected Health Information (PHI) encompasses any data in a medical record that can identify an individual and was created, used, or disclosed during a healthcare service. This includes demographic data, medical histories, test results, insurance information, and other identifiers that link a patient to specific care. The HIPAA Privacy Rule governs its use and disclosure.
Glossary
Protected Health Information (PHI)

What is Protected Health Information (PHI)?
Protected Health Information (PHI) is any individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or medium, that is protected under the HIPAA Privacy Rule.
PHI exists in all media forms—electronic (ePHI), paper, and oral communications. The 18 identifiers specified in the Safe Harbor Method define what must be removed for de-identification, including names, dates, geolocation data smaller than a state, and biometric identifiers. A Business Associate Agreement (BAA) is legally required before any third party handles PHI.
Core Characteristics of PHI
Protected Health Information is defined by specific characteristics that link health data to an individual. Understanding these 18 identifiers and the concept of 'individually identifiable' is critical for HIPAA compliance.
The 18 HIPAA Identifiers
Under the Safe Harbor Method, PHI is defined by the presence of any of 18 specific identifiers. If a record contains health information and any one of these, it is PHI.
- Names (patient, relatives, employers)
- Geographic subdivisions smaller than a state (street address, city, county, zip code)
- Dates directly related to an individual (birth, admission, discharge, death)
- Telephone and fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plates
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers (fingerprints, voice prints)
- Full-face photographic images and comparable images
- Any other unique identifying number, characteristic, or code
Individually Identifiable
The core legal test for PHI is whether the information can be used to identify an individual. This is not limited to explicit identifiers like a name.
- Re-identification risk: A combination of seemingly innocuous data points (e.g., a rare diagnosis + a zip code + an age) can create a unique fingerprint that identifies a person.
- Expert Determination: A qualified statistician must certify that the risk of re-identification is very small for a dataset to be considered de-identified under this alternative method.
- Relatives & Household: PHI includes information that could identify not just the patient, but also their relatives, employers, or household members.
Form & Medium Agnostic
HIPAA protection is not limited to digital data. PHI exists in any form or medium.
- Electronic PHI (ePHI): Stored on a hard drive, in the cloud, on a USB stick, or transmitted via email. This is the primary focus of the HIPAA Security Rule.
- Physical PHI: Paper charts, printed lab results, X-ray films, and handwritten physician notes. These are protected by physical safeguards like locked cabinets.
- Verbal PHI: Oral communications containing identifiers, such as a hallway consultation about a named patient. The Privacy Rule requires reasonable safeguards for these discussions.
Protected Health Information vs. De-identified Data
The regulatory boundary is crossed when PHI is successfully de-identified. Once de-identified, the data is no longer subject to HIPAA.
- Safe Harbor: Removal of all 18 identifiers and no actual knowledge that the remaining data could re-identify the individual.
- Expert Determination: A statistical analysis proves the risk of re-identification is vanishingly small.
- Limited Data Set: A middle ground where direct identifiers are removed, but dates and geography can remain. This is still PHI and requires a Data Use Agreement.
- Clinical AI Implication: Models trained on de-identified data do not process PHI, but the de-identification pipeline itself must be rigorously validated to prevent leaks.
Covered Entities & Business Associates
PHI status is also defined by who holds the data. The same data point in different hands has different regulatory status.
- Covered Entities: Health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically. They are directly subject to HIPAA.
- Business Associates: A person or entity that performs functions or activities involving the use or disclosure of PHI on behalf of a covered entity (e.g., a cloud AI provider, a billing company). They are contractually bound by a Business Associate Agreement (BAA).
- Non-Covered Entities: If a tech company collects the same health data directly from a consumer via a wellness app and is not acting on behalf of a covered entity, that data is generally not PHI under HIPAA (though it may be protected by other state or FTC regulations).
The Minimum Necessary Standard
A core principle governing the use of PHI is that access must be limited to the minimum amount necessary to accomplish the intended purpose.
- Role-Based Access Control (RBAC): A billing clerk should not have access to full clinical notes; a researcher should not see direct identifiers.
- AI Processing: When an AI model processes clinical text for a specific task (e.g., prior authorization), the system should ideally only extract and expose the data elements required for that task, masking or ignoring all other PHI.
- Exception: This standard does not apply to disclosures for treatment to a healthcare provider, as the clinician needs the full picture.
Frequently Asked Questions
Clear answers to the most common questions about Protected Health Information, its regulatory framework, and the technical safeguards required for HIPAA-compliant AI deployment.
Protected Health Information (PHI) is any individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or medium, that is protected under the HIPAA Privacy Rule. This includes demographic data, medical histories, test results, insurance information, and other data that a healthcare professional collects to identify an individual and determine appropriate care. The key qualifier is individually identifiable—if the information can be reasonably used to identify a patient, it is PHI. The HIPAA Privacy Rule protects PHI regardless of its format, whether it is spoken, written on paper, or stored electronically. When PHI is stored or transmitted digitally, it is specifically referred to as electronic Protected Health Information (ePHI) and is subject to the additional technical safeguards of the HIPAA Security Rule. Common examples of PHI include:
- A patient's name, address, and date of birth linked to a diagnosis
- A medical record number associated with a radiology image
- An email containing a patient's insurance ID and treatment plan
- Biometric identifiers like fingerprints or full-face photographs used in a clinical context
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Mastering PHI requires understanding the full regulatory, technical, and operational framework that governs its protection. These related concepts form the essential vocabulary for building and auditing HIPAA-compliant AI systems.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us