What is not considered Protected Health Information?

Protected health information (PHI) generally excludes individually identifiable health information that is not created, received, transmitted, or maintained by a covered entity or business associate, and health information that has been de-identified in accordance with the HIPAA Privacy Rule standards. PHI is a central concept in healthcare data management, particularly under regulatory frameworks such as the Health Insurance Portability and Accountability Act (HIPAA). Understanding what constitutes PHI and, conversely, what falls outside its scope is necessary for healthcare professionals tasked with safeguarding patient information and ensuring compliance with the relevant laws and regulations.

PHI, as defined by HIPAA, includes any individually identifiable health information that is transmitted or maintained in any form or medium by a covered entity or its business associates. This includes information relating to an individual’s past, present, or future physical or mental health condition, the provision of healthcare services to that individual, or payment for healthcare services. Individually identifiable information refers to data that can be used to identify a specific individual, such as their name, address, Social Security number, medical record number, or any other unique identifier.

However, it is equally important to recognize what does not fall under the scope of PHI. One example is health information that is not created or received by a covered entity or its business associates. If an individual shares their medical history or symptoms directly with a friend or family member without involving a healthcare provider, that information is not PHI under HIPAA. Similarly, if an employer gathers health-related data from its employees for reasons unrelated to healthcare operations or payment, that information is not subject to HIPAA regulations.

PHI also does not include health data that has been de-identified in accordance with the HIPAA Privacy Rule standards. De-identification involves removing or altering specific identifiers that could be used to link the information to an individual. HIPAA recognizes two methods of de-identification: expert determination and the safe harbor method. The expert determination method requires a qualified expert to assess the risk of re-identification based on factors such as the nature of the data and its intended use. The safe harbor method involves removing the specific identifiers listed in the HIPAA Privacy Rule, such as names, dates of birth, and geographic subdivisions smaller than a state, and ensuring that no other identifying information is disclosed.
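The following is an added illustration of the safe harbor method, not code from the original page or from any HIPAA guidance: it takes a constructed patient record, drops the direct identifiers, reduces dates to the year, keeps the state as the smallest geographic unit, scrubs a free-text note, and then checks the result for residual identifier patterns. The field names, the two sample records, and the fixed reference date used for age calculation are assumptions made for the example. Beyond the three identifier types the paragraph names, it also removes phone numbers, e-mail addresses, Social Security numbers, medical record numbers, and the birth year of anyone over 89, which the safe harbor list also covers.

```python
import re
from datetime import date

# Constructed sample records (not real patient data), shaped like what a
# covered entity might hold, including the identifiers safe harbor removes.
SAMPLE_RECORDS = [
    {
        "name": "Jane Q. Sample",
        "date_of_birth": "1947-03-14",
        "admission_date": "2023-11-02",
        "address": "12 Example Street",
        "city": "Springfield",
        "state": "IL",
        "zip": "62704",
        "phone": "555-0100",
        "email": "jane@example.invalid",
        "ssn": "000-00-0000",
        "medical_record_number": "MRN-0001",
        "diagnosis": "Type 2 diabetes mellitus",
        "notes": "Jane Q. Sample reports fatigue; follow-up 2023-11-20. Call 555-0100.",
    },
    {
        "name": "John Placeholder",
        "date_of_birth": "1930-06-01",
        "admission_date": "2024-01-15",
        "address": "9 Sample Road",
        "city": "Shelbyville",
        "state": "IL",
        "zip": "62565",
        "phone": "555-0199",
        "email": "john@example.invalid",
        "ssn": "000-00-0001",
        "medical_record_number": "MRN-0002",
        "diagnosis": "Hypertension",
        "notes": "Seen 2024-01-15; MRN-0002.",
    },
]

# Fixed reference date (an assumption) so that ages are deterministic here.
REFERENCE_DATE = date(2024, 1, 1)

# Direct identifiers from the safe harbor list: dropped outright. Street,
# city and ZIP are geography below the state level; state itself is kept.
DIRECT_IDENTIFIER_FIELDS = (
    "name", "address", "city", "zip", "phone", "email", "ssn", "medical_record_number",
)
# Date fields are reduced to the year; every other date element is an identifier.
DATE_FIELDS = {"date_of_birth": "birth_year", "admission_date": "admission_year"}
# Free text gets pattern-based scrubbing (see the caveat in scrub_free_text).
FREE_TEXT_FIELDS = ("notes",)

ISO_DATE = re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b")
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE = re.compile(r"\b\d{3}-\d{4}\b")
EMAIL = re.compile(r"\S+@\S+")


def age_on(dob: date, ref: date) -> int:
    """Whole years between dob and ref."""
    years = ref.year - dob.year
    if (ref.month, ref.day) < (dob.month, dob.day):
        years -= 1
    return years


def scrub_free_text(text: str, known_values) -> str:
    """Redact the record's own identifier values, then generic patterns.

    Caveat: exact-value matching misses nicknames, misspellings and
    identifiers that live only in the note. Real free text needs a
    dedicated PHI scrubber plus review before it can be called de-identified."""
    for value in known_values:
        text = text.replace(value, "[REDACTED]")
    text = ISO_DATE.sub(lambda m: m.group(1), text)  # keep the year only
    text = SSN.sub("[REDACTED]", text)
    text = PHONE.sub("[REDACTED]", text)
    text = EMAIL.sub("[REDACTED]", text)
    return text


def safe_harbor_deidentify(record: dict, ref: date = REFERENCE_DATE) -> dict:
    """Return a copy of record with the safe harbor identifiers removed."""
    known = [record[f] for f in DIRECT_IDENTIFIER_FIELDS if f in record]
    age = age_on(date.fromisoformat(record["date_of_birth"]), ref)
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue
        if field in DATE_FIELDS:
            if field == "date_of_birth" and age > 89:
                continue  # a birth year would reveal an age over 89
            out[DATE_FIELDS[field]] = date.fromisoformat(value).year
        elif field in FREE_TEXT_FIELDS:
            out[field] = scrub_free_text(value, known)
        else:
            out[field] = value
    # Ages over 89 are aggregated into a single "90 or older" category.
    out["age"] = "90+" if age > 89 else age
    return out


def residual_identifiers(record: dict) -> list:
    """List (field, kind) pairs where an identifier pattern survives.

    An empty list is necessary but not sufficient: it only covers the
    patterns this check knows about."""
    checks = (("date", ISO_DATE), ("ssn", SSN), ("phone", PHONE), ("email", EMAIL))
    return [
        (field, kind)
        for field, value in record.items()
        if isinstance(value, str)
        for kind, pattern in checks
        if pattern.search(value)
    ]


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        cleaned = safe_harbor_deidentify(rec)
        print(cleaned, residual_identifiers(cleaned))
```

Two points a practitioner should keep in mind when using something like this: safe harbor also requires that the covered entity have no actual knowledge that the remaining data could identify the individual, which no script can assert on its own, and the free-text scrubbing here is deliberately simple, since unstructured notes are where identifiers most often survive an automated pass.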

Healthcare professionals need to understand the implications of PHI and its exemptions to ensure compliance with HIPAA regulations and maintain patient confidentiality. Failure to safeguard PHI can have serious legal and ethical ramifications, including financial penalties and reputational damage for covered entities and their business associates. Healthcare organizations must implement policies and procedures for handling PHI, including training staff on privacy and security best practices, conducting regular risk assessments, and implementing appropriate safeguards to protect sensitive information.

Healthcare professionals should be mindful of new technologies and of emerging threats to PHI security. With the increasing digitization of healthcare data and the interconnection of systems, the risk of data breaches and unauthorized access has grown. Healthcare organizations must invest in cybersecurity measures, such as encryption, access controls, and intrusion detection systems, to mitigate these risks and ensure the confidentiality, integrity, and availability of PHI.

Healthcare professionals should also be aware of other regulations and standards governing the protection of health information, at both the federal and state levels. For example, the Health Information Technology for Economic and Clinical Health (HITECH) Act introduced additional provisions to strengthen privacy and security protections for electronic health records (EHRs) and to promote the adoption of health information technology. State laws may also impose additional requirements or provide greater protections for certain types of health information, so healthcare organizations operating across multiple jurisdictions must account for each jurisdiction's requirements in their compliance efforts.

Healthcare professionals have an ethical obligation to respect patient privacy and confidentiality. Patients trust healthcare providers with sensitive information about their health and well-being, and it is important to honor that trust by ensuring that their information is handled with care and discretion. This includes obtaining informed consent for the collection, use, and disclosure of PHI, providing patients with clear explanations of how their information will be used and protected, and allowing them to exercise their rights under HIPAA, such as the right to access their medical records and request amendments to inaccuracies.

While PHI plays an important role in delivering quality healthcare and coordinating care effectively, it also poses risks if it is not adequately protected. Healthcare professionals must understand the scope of PHI under HIPAA, including its exemptions and regulatory requirements, and take steps to safeguard patient information against unauthorized access, disclosure, and misuse. By prioritizing privacy and security and adhering to best practices, healthcare organizations can preserve patient trust, mitigate legal and reputational risks, and advance the goal of delivering patient-centered care.