Protected Health Information (PHI): The 18 Identifiers Explained
By ComplyCreate Editorial Team · Published Apr 24, 2026 · Last reviewed Apr 24, 2026
The concept of protected health information sits at the heart of HIPAA. Understanding exactly what constitutes PHI determines which data must be safeguarded, who must sign BAAs, and what triggers breach notification obligations. The definition is broader than most people assume — it includes far more than just medical records.
The Definition of PHI Under 45 CFR § 160.103
PHI is defined as individually identifiable health information that is transmitted or maintained in any form or medium by a covered entity or business associate. Three elements must be present: (1) the information relates to an individual's past, present, or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care; (2) the information identifies the individual or there is a reasonable basis to believe it can be used to identify the individual; and (3) the information is held or transmitted by a covered entity or its business associate.
The 18 PHI Identifiers Under 45 CFR § 164.514
HIPAA's Safe Harbor de-identification standard identifies 18 categories of information that must be removed before health data can be considered de-identified. These 18 identifiers, when combined with health information, constitute PHI:
| # | Identifier | What It Includes |
|---|---|---|
| 1 | Names | Full name, first name, last name, initials when combined with other identifiers |
| 2 | Geographic data | Street address, city, county, precinct, ZIP codes (except first 3 digits in some cases) |
| 3 | Dates | Birth dates, admission/discharge dates, death dates, and ages over 89 (expressed as 90+) |
| 4 | Phone numbers | All telephone numbers, including mobile |
| 5 | Fax numbers | All fax numbers |
| 6 | Email addresses | All email addresses |
| 7 | Social Security numbers | Full SSN and partial SSN in many contexts |
| 8 | Medical record numbers | Patient chart numbers, case numbers assigned by healthcare organizations |
| 9 | Health plan beneficiary numbers | Insurance member IDs, Medicare/Medicaid beneficiary numbers |
| 10 | Account numbers | Bank account numbers, financial account identifiers |
| 11 | Certificate/license numbers | Driver's license numbers, professional license numbers |
| 12 | Vehicle identifiers | License plate numbers, VINs |
| 13 | Device identifiers | Serial numbers for medical devices, equipment identifiers |
| 14 | Web URLs | Any web address that could identify an individual |
| 15 | IP addresses | Internet Protocol addresses — including in web server logs of patient-facing applications |
| 16 | Biometric identifiers | Fingerprints, voice prints, retinal scans, facial geometry |
| 17 | Full-face photographs | Any comparable images that could identify the individual |
| 18 | Any other unique number/code | Any other unique identifying characteristic not listed above |
The key principle: health information combined with any of these 18 identifiers is PHI. Health information standing alone — without any identifier — may not be PHI if it cannot reasonably be used to identify the individual.
What Is NOT PHI
Several categories of health information are explicitly excluded from PHI or fall outside HIPAA's scope entirely:
- De-identified data: Health information properly de-identified under 45 CFR § 164.514 (either Safe Harbor or Expert Determination method) is no longer PHI and is not subject to HIPAA restrictions.
- Employment records: Health information held by employers in their capacity as employers (not as plan sponsors or healthcare providers) — such as FMLA records or occupational health records — is generally not PHI under HIPAA.
- Education records: Records governed by FERPA at educational institutions are generally not PHI.
- Information held by non-covered entities: A fitness app's health data is not PHI under HIPAA if the app is not a covered entity or business associate. The FTC Act and state health privacy laws may apply instead.
De-Identification Methods: Safe Harbor and Expert Determination
Safe Harbor Method (§ 164.514(b))
Under the Safe Harbor method, data is de-identified when all 18 identifiers listed above are removed AND the covered entity has no actual knowledge that the remaining information could identify an individual. Removing all 18 identifiers is a bright-line test: straightforward to apply, though it sometimes strips useful context from the data.
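As an added illustration (not code from this page or from any compliance product), the following Python sketch applies the Safe Harbor transforms to a constructed record: direct identifiers are dropped, the ZIP code is cut to its first three digits (or "000" for sparsely populated prefixes), dates keep only the year, ages over 89 collapse into "90+", and free text is checked for identifiers left behind, since the "no actual knowledge" condition is not met by column deletion alone. The field names, the sample record, and the sparse-prefix set are assumptions made for the example.

```python
"""Safe Harbor style de-identification of a constructed patient record (example only)."""
import re
from datetime import date

AS_OF = date(2025, 3, 14)  # reference date for age calculation (assumed)

# Constructed sample record; not data about any real person.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample", "phone": "555-0100", "email": "jane@example.com",
    "ssn": "123-45-6789", "mrn": "MRN-0042", "ip_address": "203.0.113.7",
    "zip": "04101", "birth_date": date(1931, 6, 2), "admit_date": date(2025, 3, 14),
    "diagnosis": "type 2 diabetes", "note": "Pt called from 555-0100; reports fatigue.",
}
# Columns removed outright (identifiers 1, 4, 6, 7, 8 and 15 in the table above).
DIRECT_IDENTIFIERS = {"name", "phone", "email", "ssn", "mrn", "ip_address"}
# Safe Harbor: a three-digit ZIP prefix covering 20,000 or fewer people becomes "000".
# The real list is derived from Census data; this small set is assumed for the example.
SPARSE_ZIP_PREFIXES = {"036", "059", "102", "203", "556", "692", "790", "821", "878"}
# Patterns for identifiers commonly left behind in free-text notes.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b|\b\d{3}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

def safe_harbor_zip(zip5, sparse=SPARSE_ZIP_PREFIXES):
    """Keep only the first three digits, or '000' for a sparsely populated prefix."""
    prefix = zip5[:3]
    return "000" if prefix in sparse else prefix

def safe_harbor_age(birth_date, as_of):
    """Age in whole years; anything over 89 is reported as the single bucket '90+'."""
    age = as_of.year - birth_date.year - ((as_of.month, as_of.day) < (birth_date.month, birth_date.day))
    return "90+" if age > 89 else age

def residual_identifiers(text):
    """Names of identifier patterns still present in free text (sorted, may be empty)."""
    return sorted(name for name, rx in RESIDUAL_PATTERNS.items() if rx.search(text))

def deidentify(record, as_of=AS_OF):
    """Apply the Safe Harbor transforms; returns (clean_record, residual_findings)."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["zip3"] = safe_harbor_zip(out.pop("zip"))
    out["age"] = safe_harbor_age(out.pop("birth_date"), as_of)
    # Dates directly related to the individual keep only the year.
    for key in [k for k in out if k.endswith("_date")]:
        out[key.replace("_date", "_year")] = out.pop(key).year
    # Free text is flagged for review rather than passed through silently.
    return out, residual_identifiers(out.get("note", ""))
```

A non-empty findings list means the record is not yet de-identified, whatever the structured columns look like.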
Expert Determination Method (§ 164.514(b))
Under Expert Determination, a qualified statistical or scientific expert applies generally accepted principles and certifies that the risk of identifying an individual from the remaining information is very small. This method allows retention of some identifiers if statistical analysis supports non-identifiability. It requires a documented analysis by a qualified expert.
Data that has been de-identified under either method may be freely shared, published, or sold without HIPAA restrictions. However, re-identification — attempting to re-link de-identified data to individuals — is prohibited by 45 CFR § 164.502(d).
ePHI vs. PHI: Does Format Matter?
PHI exists in three forms: electronic (ePHI), paper, and oral. The Privacy Rule applies to all three. The Security Rule, however, applies only to ePHI — electronically created, received, maintained, or transmitted PHI. This means your paper records are not governed by the Security Rule's technical safeguard requirements, but they remain subject to the Privacy Rule's access, disclosure, and retention requirements.
ePHI includes information stored in EHR systems, in cloud storage, in email, on laptops and mobile devices, on USB drives, in database backups, in audit logs, and in any other electronic format. The Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards for all ePHI — see our Privacy and Security Rules guide for detail on what these safeguards require.
Practical Examples: What Counts as PHI
- A patient's name combined with their diagnosis in a billing record: PHI
- A list of patients who visited a clinic in a given month, without names but with ZIP codes: may be PHI depending on population size
- An IP address in a patient portal's web server log, linked to a page showing lab results: PHI
- A photograph taken in a clinical setting that could identify the patient: PHI
- A voice message from a patient to a doctor's office discussing symptoms: PHI (oral)
- Aggregate statistics ("15% of our patients have diabetes") with no individual identifiers: not PHI
- A fitness tracker's step count for an anonymous user: not PHI under HIPAA (may be covered by other laws)
Frequently Asked Questions
What is PHI in HIPAA?
PHI (protected health information) is any individually identifiable health information created, received, maintained, or transmitted by a covered entity or business associate, as defined at 45 CFR § 160.103. It encompasses information in any format — electronic, paper, or oral — that relates to health conditions, health care provision, or payment for care and can be linked to a specific individual.
What are the 18 PHI identifiers?
The 18 identifiers are: names, geographic data smaller than a state, dates other than year, phone numbers, fax numbers, email addresses, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers, device identifiers, web URLs, IP addresses, biometric identifiers, full-face photographs, and any other unique identifying number or code.
Is an IP address PHI?
Yes — IP addresses are identifier #15 on HIPAA's list. When a patient visits a patient portal and their IP address appears in server logs alongside health information, that combination constitutes ePHI. This is why many healthcare organizations must carefully evaluate analytics tools, advertising pixels, and third-party scripts embedded in patient-facing web applications — they may inadvertently create PHI.
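As an added example (not from this page or any product), here is a Python check a defender can run over patient-portal access logs to find out whether the log file itself must be handled as ePHI: a line counts when the client IP is paired with a path that reveals care or results, and also when a third-party analytics or pixel endpoint is hit with a Referer that carries such a path. The log lines are constructed, the path patterns assume a hypothetical portal layout, and the combined-log-format regex is simplified for the example.

```python
"""Flag access-log lines that pair a client IP with health information (example only)."""
import re

# Constructed combined-log-format lines; addresses come from documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Mar/2025:10:01:02 +0000] "GET /portal/lab-results/2025-03 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Mar/2025:10:01:03 +0000] "GET /static/logo.png HTTP/1.1" 200 812 "https://portal.example/portal/home" "Mozilla/5.0"
198.51.100.9 - - [14/Mar/2025:10:02:10 +0000] "GET /portal/home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Mar/2025:10:02:11 +0000] "GET /collect?pixel=1 HTTP/1.1" 204 0 "https://portal.example/portal/appointments/oncology" "Mozilla/5.0"
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
# Paths whose presence reveals diagnosis, treatment or results (assumed portal layout).
HEALTH_PATHS = re.compile(r"/portal/(lab-results|appointments|medications|diagnoses)\b")
# Endpoint used by an embedded analytics/ad pixel (assumed for the example).
THIRD_PARTY_PATHS = re.compile(r"^/collect\b")

def classify_line(line):
    """Reasons this line pairs an IP with health information; [] if it does not."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable"]  # unknown content must be reviewed, not ignored
    reasons = []
    if HEALTH_PATHS.search(m["path"]):
        reasons.append("ip+health_path")
    if THIRD_PARTY_PATHS.match(m["path"]) and HEALTH_PATHS.search(m["referer"]):
        reasons.append("third_party_hit_with_health_referer")
    return reasons

def ephi_lines(log_text):
    """Map 1-based line number -> reasons, for every line to be handled as ePHI."""
    result = {}
    for n, line in enumerate(log_text.splitlines(), start=1):
        reasons = classify_line(line)
        if reasons:
            result[n] = reasons
    return result
```

A single flagged line is enough to bring the whole log file under the Security Rule's safeguards, retention and access controls.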
Is de-identified data subject to HIPAA?
No. Data properly de-identified under the Safe Harbor method (all 18 identifiers removed) or Expert Determination method (statistical expert certification) under 45 CFR § 164.514 is no longer PHI and is outside HIPAA's scope. However, re-identification of such data is prohibited, and the de-identification process itself must be documented.
What is ePHI?
ePHI is protected health information that exists in electronic form — in EHR systems, databases, email, cloud storage, on laptops, or on mobile devices. The HIPAA Security Rule (45 CFR §§ 164.302–164.318) governs ePHI specifically and requires covered entities and business associates to implement administrative, physical, and technical safeguards. Paper PHI is covered by the Privacy Rule but not the Security Rule.