Which of the Following is Not Protected Health Information (PHI)?
Understanding which of the following is not protected health information (PHI) is critical for anyone working in healthcare, insurance, or administrative roles within the medical field. In an era where data breaches are common and patient privacy is a fundamental right, distinguishing between what constitutes PHI and what does not is the first line of defense in maintaining compliance with the Health Insurance Portability and Accountability Act (HIPAA). Failure to make this distinction can lead to severe legal penalties, massive fines, and a loss of trust between a provider and their patients.
Introduction to Protected Health Information (PHI)
Before we can determine what is not PHI, we must first define what it is. Protected Health Information (PHI) refers to any individually identifiable health information that is transmitted or maintained in any form—whether electronic, paper, or oral—by a covered entity.
A covered entity typically includes healthcare providers (doctors, clinics, pharmacies), health plans (insurance companies), and healthcare clearinghouses. For information to be classified as PHI, it must meet two specific criteria:
- It must relate to the past, present, or future physical or mental health of an individual.
- It must contain identifiers that can be used to link the information to a specific person.
If a piece of data is stripped of all identifiers—a process known as de-identification—it is no longer considered PHI. This is the core concept that helps us identify what falls outside the scope of HIPAA protection.
The 18 Identifiers of PHI
To understand what is not PHI, you must first recognize the 18 identifiers that HIPAA considers "identifiable." If any of these are attached to health data, the information is protected:
- Names
- Geographic subdivisions smaller than a state (street address, city, zip code)
- All elements of dates (except year) directly related to an individual (birth date, admission date, discharge date)
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers (including license plate numbers)
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) addresses
- Biometric identifiers (fingerprints, voiceprints)
- Full-face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code
Which of the Following is Not Protected Health Information?
When looking at a list of data points, the key to identifying what is not PHI is to look for information that is either completely anonymous or does not relate to a person's health status.
1. De-identified Data
The most common example of what is not PHI is de-identified data. Once all 18 identifiers listed above are removed, the remaining data is no longer protected. For example, if a research study states, "A 45-year-old male in New York suffered a myocardial infarction," this is not PHI because there is no name, specific date, or unique ID that allows a reader to identify exactly who that man is.
2. General Health Information
Information that discusses health topics in a general sense is not PHI. For example, a brochure explaining the symptoms of diabetes or a public health announcement about flu vaccine availability is educational material, not PHI. Because it does not relate to the health of a specific individual, it does not require HIPAA protection.
3. Employment Records
One of the most confusing areas of HIPAA is the distinction between medical records and employment records. Information contained in employment records held by a covered entity in its role as an employer is not PHI. As an example, a note in a personnel file stating that an employee took a sick day is an employment record, not a medical record, and therefore is not protected by HIPAA (though it may be protected by other labor laws).
4. Anonymized Aggregate Data
When data is aggregated for statistical purposes, it ceases to be PHI. For example, a report stating that "30% of patients at a clinic have high blood pressure" is aggregate data. Since the report describes a group rather than an individual, it is not PHI.
5. Information Not Held by a Covered Entity
HIPAA only applies to covered entities and their business associates. If you tell your friend about your medical condition at a coffee shop, that information is private, but it is not "PHI" in the legal sense because your friend is not a covered entity. Similarly, data entered into a non-HIPAA compliant fitness app (that is not linked to a healthcare provider) is generally not considered PHI under federal law, though it may be subject to the app's own privacy policy.
Scientific and Legal Explanation: The Safe Harbor Method
The legal standard for determining what is not PHI is often guided by the Safe Harbor method, a prescriptive approach to data scrubbing. Under this method, health information is not PHI if there is no reasonable basis to believe that the information can be used to identify an individual.
The Safe Harbor method requires the removal of all 18 identifiers. If a data set is "Safe Harbored," it can be used for research, public health reporting, and statistical analysis without violating privacy laws. This is why medical journals can publish case studies; they remove the patient's name, exact dates, and specific locations to ensure the data is no longer PHI.
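As an added example (not part of the original article), the following Python sketch applies the two-criteria test from the introduction and the Safe Harbor scrubbing described above to a single record; the field names and the sample record are assumptions constructed for illustration, not HIPAA terms.

```python
from datetime import date

# Assumed field names that map onto the page's list of 18 Safe Harbor identifiers.
IDENTIFIER_FIELDS = {
    "name", "street", "city", "zip", "phone", "fax", "email", "ssn",
    "mrn", "beneficiary_id", "account", "license", "plate", "device_serial",
    "url", "ip", "fingerprint", "photo", "other_unique_id",
}
# Date elements are identifiers too, except the year; "state" is not smaller than a state, so it stays.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date"}
# Assumed fields that carry health information about the individual.
HEALTH_FIELDS = {"diagnosis", "medication", "procedure"}


def is_phi(record: dict) -> bool:
    """PHI requires BOTH criteria: an identifier AND information about the person's health."""
    has_identifier = any(record.get(f) for f in IDENTIFIER_FIELDS | DATE_FIELDS)
    has_health = any(record.get(f) for f in HEALTH_FIELDS)
    return has_identifier and has_health


def safe_harbor(record: dict) -> dict:
    """Return a copy with identifier fields dropped and full dates reduced to the year alone."""
    scrubbed = {}
    for key, value in record.items():
        if key in IDENTIFIER_FIELDS:
            continue  # remove the identifier outright
        if key in DATE_FIELDS and isinstance(value, date):
            scrubbed[key.replace("_date", "_year")] = value.year  # year is permitted
            continue
        scrubbed[key] = value
    return scrubbed


# Constructed, fictional sample record mirroring the page's "45-year-old male in New York" case.
SAMPLE = {
    "name": "J. Example", "street": "1 Main St", "city": "Albany", "state": "NY",
    "zip": "12207", "email": "j@example.com", "mrn": "MRN-0001",
    "birth_date": date(1979, 3, 2), "admission_date": date(2024, 6, 14),
    "sex": "male", "diagnosis": "myocardial infarction",
}

if __name__ == "__main__":
    print(is_phi(SAMPLE))               # True: identifiers plus a diagnosis
    print(safe_harbor(SAMPLE))          # state, years, sex and diagnosis remain
    print(is_phi(safe_harbor(SAMPLE)))  # False: no identifier is left
```

The same `is_phi` check reproduces the comparison table further down: an employee sick-leave note has a name but no health field, and "A patient has Diabetes" has a health field but no identifier, so neither is PHI.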
Comparison Table: PHI vs. Non-PHI
| Information Type | Status | Why? |
|---|---|---|
| Patient Name + Diagnosis | PHI | Contains a name and health status. |
| Patient ZIP Code + Diagnosis | PHI | Geographic identifiers are protected. |
| "A patient has Diabetes" | Not PHI | No identifiers are present. |
| Employee Sick Leave Note | Not PHI | Classified as an employment record. |
| Clinic's Total Monthly Revenue | Not PHI | Financial business data, not patient health data. |
| Patient's Email + Appointment Time | PHI | Email is a direct identifier. |
Frequently Asked Questions (FAQ)
Is a patient's name by itself PHI?
Technically, a name is an identifier, but for it to be PHI, it must be linked to health information. That said, in a clinical setting, a patient list (even without diagnoses) is usually treated as PHI because the fact that the person is a patient at a specific clinic reveals something about their health status.
Is an IP address considered PHI?
Yes, if the IP address is linked to a patient's health record or a patient portal login, it is one of the 18 identifiers and is therefore PHI.
Is a birth year PHI?
Under the Safe Harbor method, the year is generally acceptable. That said, the full date of birth (Month/Day/Year) is strictly PHI.
Does HIPAA protect my data on a Fitbit or Apple Watch?
Generally, no. Unless that device is provided by your doctor as part of a treatment plan and the data is sent directly to your medical record, the data is governed by the company's Terms of Service, not by HIPAA.
Conclusion
Distinguishing between PHI and non-PHI is a vital skill for anyone in the healthcare ecosystem. To determine if something is not PHI, ask yourself two questions: Is this linked to a specific person? and Does it reveal health information? If the answer to either is "no," the information likely falls outside the scope of PHI.
By focusing on de-identification and understanding the 18 identifiers, professionals can share data for research and administration while ensuring that patient privacy remains inviolable. Remembering that employment records and aggregate statistics are not PHI helps streamline administrative workflows without risking legal non-compliance. Protecting patient data is not just a legal requirement—it is an ethical commitment to the people who trust providers with their most sensitive information.