Healthcare Data Glossary | Regulatory
PHI: Definition and Healthcare Context
Full name: Protected Health Information
Protected Health Information (PHI) is any individually identifiable health information held or transmitted by a HIPAA covered entity or business associate, in any form or medium. PHI includes diagnoses, treatment records, payment information, and any data that could identify the individual — name, address, dates of service, Social Security number, and 16 other identifiers enumerated in the HIPAA Privacy Rule. De-identified information that cannot reasonably be used to identify an individual is not PHI and falls outside HIPAA's Privacy Rule protections.
Last updated: 2026-05-31
Reviewed by: Dr. Jennifer Montecillo, MD — Gullas College of Medicine, 2019. Non-practicing medical reviewer.
How it’s used
- CMS NPPES NPI Registry: NPPES bulk data is not PHI — provider names and business addresses are not patient information. Fonteum uses it to build provider profiles without handling patient data.
Frequently asked questions
- What is PHI?
- PHI (Protected Health Information) is individually identifiable health information — any data that could identify a patient combined with their health, treatment, or payment information.
- What are examples of PHI?
- PHI includes patient names, dates of service, geographic data below the state level, phone numbers, email addresses, Social Security numbers, medical record numbers, and diagnosis or treatment information.
- Is de-identified data still PHI?
- No. Data that has been de-identified using the HIPAA Safe Harbor or Expert Determination method is not considered PHI and falls outside the Privacy Rule.