Protected Health Information (PHI)

Information constitutes PHI if it is directly related to an individual’s health and contains personal identifiers of the individual as well as for relatives, employers, or household members of the individual.

So, how do you determine if information is PHI?  Information is considered related to an individual’s health if it is associated with: (1) the past, present, or future physical or mental health or condition of the individual; or (2) the provision of or payment for healthcare to the individual. The following types of information may be considered personal identifiers:

  • names of individuals
  • geographic subdivisions smaller than a state, including street address, city, county, and precinct or zip code
  • elements of dates (excluding year) for dates directly related to an individual, including birth date, admission date, discharge date or date of death
  • ages over 89 and elements of dates (including year) indicative of such age
  • telephone numbers
  • fax numbers
  • electronic mail addresses
  • Social Security numbers
  • medical record numbers
  • health plan beneficiary numbers
  • account numbers
  • certificate/license numbers
  • vehicle identifiers and serial numbers, including license plate numbers
  • device identifiers and serial numbers
  • Web Universal Resource Locators (URLs);
  • Internet Protocol (IP) address numbers
  • biometric identifiers, including finger and voice prints
  • full face photographic images and comparable images
  • other unique identifying numbers, characteristics or codes