Under HIPAA, covered entities and business associates are required to implement specific security safeguards to protect PHI. In simpler terms, PHI is any individually identifiable health information created or received by a health care provider, health plan, or health care clearinghouse. PHI may describe an individual's past, present, or future physical or mental health condition. Generally, PHI is any such information that can be used to identify a particular individual, whether it is stored or transmitted in oral, written, or electronic form.

However, PHI does not include educational records, nor employment records that a covered entity maintains in its role as an individual's employer. Very similar to PII, PHI includes the following identifiers:

  • Name
  • All dates directly linked to an individual, such as date of birth, admission date, and discharge date
  • Mobile, fax, and telephone numbers
  • Geographic subdivisions such as zip codes, street numbers, and county; email addresses
  • Health plan beneficiary and medical record numbers
  • Account or certificate numbers
  • Vehicle identification numbers and Social Security numbers
  • Biometric identifiers, such as fingerprints or voiceprints
  • Full-face photographs or other recognizable features
  • Any other unique identifying number, characteristic, or code


The Difference Between PII and PHI