Protected Health Information (PHI)

Individually identifiable health information: 

  1. Except as provided in paragraph (2) of this definition, that is: 

    1. Transmitted by electronic media; 

    2. Maintained in any medium described in the definition of electronic media at § 162.103 of this subchapter; or 

    3. Transmitted or maintained in any other form or medium.

  2. Protected health information excludes individually identifiable health information in: 

    1. Education records covered by the Family Educational Right and Privacy Act, as amended, 20 U.S.C. 1232g; and 

    2. Records described at 20 U.S.C. 1232g(a)(4)(B)(iv).

PHI includes references to not only the patient, but also their relatives, employers, or household members. 

The items that constitute PHI:

  1. Name
  2. Address
  3. Phone Numbers
  4. Fax Number
  5. Dates (birth, death, admission, discharge, etc.)
  6. Social Security Number
  7. E-mail Address
  8. Medical Record Numbers
  9. Health Plan Beneficiary Numbers
  10. Account Numbers
  11. Certificate or License Numbers
  12. Vehicle Identifiers and Serial Numbers, including license plate numbers
  13. Device Identifiers and Serial Numbers
  14. Web Universal Resource Locators (URLs)
  15. Internet Protocol (IP) Address Numbers
  16. Biometric Identifiers, including finger and voice prints
  17. Full Face Photographic Images and any comparable images
  18. Any other unique identifying number, characteristic, or code
  19. Patient's Medical History

Exclusion for Employment Records

 The final Rule clarifies that employment records maintained by a covered entity in its capacity as an employer are 


 from the definition of protected health information. The modifications do not change the fact that individually identifiable health information created, received, or maintained by a covered entity in its health care capacity is protected health information. 

All Rights Reserved ©