Protected health information (PHI)
Protected health information (PHI) is individually identifiable health information that is held or transmitted by a HIPAA covered entity or its business associates.
What makes information PHI
Information becomes PHI when it is individually identifiable health information held by a HIPAA covered entity — such as a health plan, healthcare clearinghouse or provider that transmits health data electronically — or by a business associate acting on its behalf. The content must relate to a person’s past, present or future physical or mental health, the provision of care, or payment for that care, and must be linkable to an individual. The same health fact outside this covered context is not PHI in the HIPAA sense.
The 18 HIPAA identifiers
HIPAA recognises 18 categories of identifiers that, when attached to health information, make it individually identifiable. These include names, geographic detail below state level, most dates tied to a person, telephone and fax numbers, email addresses, national insurance-style identifiers, medical record and account numbers, biometric identifiers, full-face photographs, and device or web identifiers. Removing all 18 under the Safe Harbor method is one recognised route to de-identification; Expert Determination is the other. Once de-identified by either route, the data is no longer treated as PHI.
PHI versus PII and personal data
PHI is best understood as a context-specific subset. PII is the broad US category of data that can identify a person; PHI is the health-context slice of that universe that falls under HIPAA. In the EU, equivalent information would be personal data, with health data treated as special category data under GDPR Article 9. The same underlying fact can therefore be described differently depending on jurisdiction and the body that holds it.
Key facts
At a glance
- Definition: individually identifiable health information held by a HIPAA covered entity
- Law: US HIPAA Privacy Rule
- Identifiers: 18 HIPAA identifier categories
- Covered entities and business associates: health plans, clearinghouses, providers, and the business associates acting on their behalf
- Relationship: health-context subset of PII
- De-identified: PHI with all 18 identifiers removed is no longer PHI
Common misconceptions
What people often get wrong
Often heard: All health information about a person is automatically PHI.
Actually: Information is PHI only when it is individually identifiable health information held or transmitted by a HIPAA covered entity or business associate. The same fact held outside that context is not PHI in the HIPAA sense.
Often heard: PHI and PII are completely separate categories.
Actually: PHI is a subset of PII. It is the health-context slice of identifiable information that falls specifically under HIPAA, while PII is the broader category of any identifying data.
Often heard: Removing the patient name turns PHI into de-identified data.
Actually: Safe Harbor de-identification requires removing all 18 HIPAA identifier categories — not just the name — or using Expert Determination to certify a very small re-identification risk.
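The Safe Harbor route described under the 18 identifiers and in the misconception above, as an added example that is not part of this page: a Python filter that applies the Safe Harbor rules to a single record. The field schema, the sparse ZIP prefix set and the sample record are constructed assumptions of the example; it also carries the rule's retention allowances (year of a date, first three ZIP digits, aggregation of ages over 89) that the summary omits.

```python
from datetime import date

# Constructed field names mapped to Safe Harbor categories (hypothetical schema,
# not from the page): these fields are removed outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "phone", "fax", "email", "ssn", "mrn",
    "account_no", "ip_address", "device_serial", "photo_ref", "url",
}
# Three-digit ZIP prefixes covering 20,000 people or fewer must become "000".
# Placeholder set for this example; the real list comes from Census data.
SMALL_ZIP3 = {"036", "059"}
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}

def _age_on(dob: date, asof: date) -> int:
    return asof.year - dob.year - ((asof.month, asof.day) < (dob.month, dob.day))

def safe_harbor(record: dict, asof: str) -> dict:
    """Copy of `record` with the Safe Harbor categories stripped: dates keep the
    year, ZIPs keep three digits ("000" if sparse), ages over 89 become "90+"."""
    today = date.fromisoformat(asof)
    over_89 = "dob" in record and _age_on(date.fromisoformat(record["dob"]), today) > 89
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                                   # category removed outright
        if key == "zip":
            prefix = str(value)[:3]
            out[key] = "000" if prefix in SMALL_ZIP3 else prefix
        elif key in DATE_FIELDS:
            if key == "dob" and over_89:
                out["age"] = "90+"                     # birth year would reveal the age
            else:
                out[key] = str(date.fromisoformat(value).year)
        elif key == "age":
            out[key] = "90+" if int(value) > 89 else value
        else:
            out[key] = value                           # clinical content stays
    return out

def residual_identifiers(record: dict) -> set:
    """Field names that still carry a direct identifier (empty means none left)."""
    return DIRECT_IDENTIFIER_FIELDS & set(record)

SAMPLE = {  # constructed record, not real patient data
    "name": "Jane Q. Sample", "dob": "1931-05-20", "zip": "03601", "phone": "555-0100",
    "mrn": "MRN-000123", "admit_date": "2023-11-02", "diagnosis": "Type 2 diabetes",
}
```

Run `residual_identifiers` on the output as the check that no direct-identifier field survived; a non-empty set means the record is still PHI.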