Guide · Compliance & Privacy

What Is PHI?

You’ll see “no PHI” warnings all over this site. Here’s what that actually means: what counts as protected health information under HIPAA, the 18 identifiers that turn ordinary data into PHI, and what it takes to call something de-identified.

In short

PHI is individually identifiable health information held or transmitted by a HIPAA covered entity or its business associate. Health data turns into PHI the moment it’s tied to something that identifies the person. Strip every identifier on HIPAA’s list — and have no reason to think the rest still points to someone — and it’s de-identified, no longer PHI.

The plain definition

Protected health information is information that does two things at once: it relates to health — a person’s past, present, or future physical or mental health, the care they received, or payment for that care — and it identifies the person, or could reasonably be used to. When a HIPAA covered entity or business associate creates, receives, maintains, or transmits that information, it’s PHI (45 CFR 160.103). In electronic form it’s often called ePHI, which is what the HIPAA Security Rule is built around.

Health information (diagnosis, vitals, meds, payment) + an identifier (name, MRN, DOB, SSN, …) = PHI (protected health information). Remove the 18 identifiers and it is de-identified, no longer PHI.
Health data becomes PHI when it is tied to something that identifies the person.

The key idea is the pairing. Health facts on their own aren’t automatically PHI — a spreadsheet of blood pressures with nothing tying it to a person isn’t protected. Add a medical record number to that same spreadsheet and the whole thing becomes PHI, because now it identifies people.

Who has to protect it?

HIPAA applies to covered entities — health care providers that transmit health information electronically for a HIPAA standard transaction (in practice, anyone who bills electronically), health plans, and health care clearinghouses — and to the business associates that create, receive, maintain, or transmit PHI on their behalf. In post-acute care, your skilled nursing facility, home health agency, or hospice is the covered entity; your billing service, clearinghouse, and EHR or software vendors are business associates, bound by a Business Associate Agreement (BAA).

PHI must be protected here:
  • Covered entity: your SNF, home health agency, or hospice
  • Business associate: billing service, clearinghouse, EHR vendor
  • BAA: a Business Associate Agreement extends HIPAA duties to vendors that handle PHI on your behalf
Who has to protect PHI: covered entities and their business associates.

The 18 identifiers

HIPAA lists 18 identifiers in its Safe Harbor de-identification method. If health information is linked to any of them in a covered-entity or business-associate context, treat it as PHI. They span who a person is, where they are, when things happened, how to reach them, and what they own:

  1. Names
  2. Geographic subdivisions smaller than a state (street address, city, county, ZIP code), except the first three digits of a ZIP code when that 3-digit area contains more than 20,000 people
  3. All elements of dates (except year) directly related to the person (birth, admission, discharge, death), plus all ages over 89 and any date element, including year, that would reveal such an age
  4. Telephone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health-plan beneficiary numbers
  10. Account numbers
  11. Certificate or license numbers
  12. Vehicle identifiers and serial numbers, including license plates
  13. Device identifiers and serial numbers
  14. Web URLs
  15. IP addresses
  16. Biometric identifiers, including finger and voice prints
  17. Full-face photographs and any comparable images
  18. Any other unique identifying number, characteristic, or code
HIPAA’s 18 Safe Harbor identifiers (45 CFR §164.514(b)(2)). Remove all 18, with no actual knowledge that the rest still identifies someone, and the data is de-identified.

Two caveats worth knowing. First, removing the 18 is only half of Safe Harbor — you must also have no actual knowledge that the remaining data could identify someone (the other path, Expert Determination, has a qualified expert certify the re-identification risk is very small). Second, this list was first written in 1999. It’s a floor, not a ceiling: small data sets, rare conditions, or details like a social-media handle can still re-identify a person even after all 18 are gone, so judgment still matters.
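The mechanical half of Safe Harbor, stripping or generalizing the 18 identifiers, is worth automating, if only so the audit trail of what was removed is explicit. The Python below is an added example; it is not code from this guide or from PostAcuteTools. The field names, the sample record, and the two restricted-ZIP prefixes are constructed for illustration, and the free-text patterns are illustrative, not an exhaustive PHI detector. It applies the list above to one flat record, reports every change, and then asks whether anything recognizable is left.

```python
"""Safe Harbor de-identification pass over a flat patient record.

Added example, not the guide's or PostAcuteTools' own code. Field names,
the sample record and RESTRICTED_ZIP3 are constructed for the demo. Rules
follow the 18-identifier list in 45 CFR 164.514(b)(2): direct identifiers are
dropped, dates keep only the year, ages over 89 (and birth years implying
them) collapse to "90+", ZIP codes shrink to three digits and are zeroed when
the 3-digit area is too small to hide in.
"""
import re
from datetime import date

# Fields that are identifiers by definition: names, MRN, SSN, contact details,
# account/license/device/vehicle numbers, URLs, IPs, biometrics, photos.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "first_name", "last_name", "ssn", "mrn", "member_id",
    "account_number", "license_number", "phone", "fax", "email", "url",
    "ip_address", "vin", "license_plate", "device_serial", "fingerprint",
    "photo",
}

# Dates tied to the individual: keep the year only.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "date_of_service"}

# 3-digit ZIP prefixes covering 20,000 people or fewer must become "000".
# HHS publishes the real list; these two entries are placeholders (assumption).
RESTRICTED_ZIP3 = {"036", "059"}

# Identifiers that leak into free text (illustrative patterns). Dates run first
# and are reduced to their year so "04/02/2026" is not later mistaken for a phone.
TEXT_PATTERNS = [
    ("date", re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b")),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone", re.compile(r"\b\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("url", re.compile(r"\bhttps?://\S+")),
]


def scrub_text(text):
    """Return (scrubbed text, kinds of identifier found) for a free-text value."""
    hits = []
    for kind, rx in TEXT_PATTERNS:
        replacement = r"\1" if kind == "date" else f"[{kind.upper()} REMOVED]"
        text, n = rx.subn(replacement, text)
        if n:
            hits.append(kind)
    return text, hits


def safe_harbor(record, today=date(2026, 5, 1), restricted_zip3=RESTRICTED_ZIP3):
    """Apply Safe Harbor to one record. Returns (clean record, audit report).

    `today` is fixed so the age arithmetic is reproducible. The rule's second
    half, having no actual knowledge that the remainder still identifies
    someone, cannot be automated and stays a human review step.
    """
    clean, report = {}, []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            report.append((field, "dropped"))
        elif field == "age":
            over_89 = int(value) > 89
            clean[field] = "90+" if over_89 else value
            if over_89:
                report.append((field, "aggregated to 90+"))
        elif field in DATE_FIELDS:
            year = str(value)[:4]
            if field == "dob" and today.year - int(year) > 89:
                clean[field] = "90+"          # birth year alone would reveal age > 89
                report.append((field, "aggregated to 90+"))
            else:
                clean[field] = year
                report.append((field, "year only"))
        elif field == "zip":
            zip3 = str(value)[:3]
            clean[field] = "000" if zip3 in restricted_zip3 else zip3
            report.append((field, f"truncated to {clean[field]}"))
        elif isinstance(value, str):
            clean[field], hits = scrub_text(value)
            report.extend((field, kind) for kind in hits)
        else:
            clean[field] = value              # plain clinical values pass through
    return clean, report


def looks_like_phi(record):
    """Mechanical check only: does any Safe Harbor identifier remain visible?"""
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            return True
        if field == "zip" and len(str(value)) > 3:
            return True
        if field in DATE_FIELDS and len(str(value)) > 4:
            return True
        if isinstance(value, str) and scrub_text(value)[1]:
            return True
    return False


# Constructed sample record; every value is made up.
SAMPLE = {
    "mrn": "MRN-0048213",
    "name": "Jane Q. Example",
    "dob": "1931-04-12",
    "age": 95,
    "zip": "03601",
    "admit_date": "2026-03-14",
    "diagnosis": "I50.9 heart failure",
    "bp_systolic": 142,
    "note": "Daughter at 603-555-0142 or jane@example.com; follow-up 04/02/2026; "
            "portal login from 10.0.0.12.",
}

if __name__ == "__main__":
    cleaned, audit = safe_harbor(SAMPLE)
    for field, action in audit:
        print(f"{field:12} {action}")
    print(cleaned)
    print("still looks like PHI:", looks_like_phi(cleaned))
```

The audit report is the part a privacy officer actually wants: it lists each field dropped, generalized, or scrubbed, and the note's phone, email, and IP are replaced with labelled markers rather than silently blanked. A clean run is necessary, not sufficient: a 90+ patient with a rare diagnosis in a 3-digit ZIP that contains one facility may still be identifiable, which is exactly the "actual knowledge" judgment Safe Harbor leaves to you.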

Is it PHI? A few quick reads

  • Vital signs with no identifiers — not PHI on their own.
  • That same set plus a medical record number — now PHI; a single identifier makes the whole record PHI.
  • A claim or 835 remittance tied to patients — PHI; it carries names, member IDs, and dates of service.
  • A worksheet using made-up names and amounts — not PHI; nothing points to a real person.
  • A data set with all 18 identifiers removed, and no actual knowledge that what remains still identifies anyone — de-identified, and no longer PHI.

Why this matters on PostAcuteTools

Every tool here runs entirely in your browser — nothing you type is stored, logged, or sent anywhere. Even so, we ask you to use de-identified examples and keep PHI out, for two reasons: it’s simply good practice, and anything you choose to export — a workflow PDF, a saved .json — will contain whatever you typed, so it travels with you. You never need real patient data to use a calculator; made-up values work exactly the same.

Key takeaways

  • PHI = health information + something that identifies the person, handled by a covered entity or business associate.
  • Health data alone isn’t PHI; a single identifier can make a whole record PHI.
  • HIPAA’s 18 Safe Harbor identifiers are the checklist for de-identification — but they’re a floor, not a guarantee.
  • De-identified data (Safe Harbor or Expert Determination) is no longer PHI.
  • On this site, keep PHI out and use de-identified examples — especially before exporting anything.

Last reviewed May 2026. Educational overview only — not legal advice. PHI and de-identification are defined in the HIPAA Privacy Rule (45 CFR 160.103 and §164.514); verify specifics against the U.S. HHS Office for Civil Rights’ de-identification guidance and HIPAA for Professionals, and consult your organization’s privacy officer or counsel.