Protected health information (PHI) is any combination of factors that can be used to identify a patient. It includes information about the patient’s physical or mental health condition, payment for services provided, and their care team. It can take any format, including verbal, written, and email communications. PHI is not limited to the medical record itself.


PHI Identifiers

  • Names
  • Address information smaller than a state, including street address, city, county, and zip codes, and their equivalent geocodes. The initial three digits of a zip code are excepted if, according to the current publicly available data from the Bureau of Census:
    • the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people, and
    • the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people are changed to 000
    • Within the State of Iowa, every geographic unit formed by the initial three digits of a zip code contains more than 20,000 people
  • All elements of dates (except year), including date of birth, admission date, discharge date, date of death, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical Record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/License numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web Universal Resource Locators (URLs)
  • Internet Protocol (IP) addresses
  • Biometric identifiers, including finger and voice prints
  • Full face photographic images and any comparable images
  • Any other unique identifying number, characteristic, or code


If you need to de-identify patient information, refer to policy De-Identification of Protected Health Information (PHI) P.22.
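
The zip code and date exceptions in the list above can be expressed as a small generalization routine. This is an added example, not the procedure in policy P.22; the record field names, the function names, and the population table are assumptions constructed for illustration, and every other identifier in the list still has to be removed separately.

```python
from datetime import date

# Constructed 3-digit zip populations for illustration only; real values must
# come from current publicly available Bureau of Census data.
SAMPLE_ZIP3_POPULATION = {"522": 310_000, "999": 12_000}


def generalize_zip(zip_code, zip3_population):
    """Keep the first three digits only if that area has more than 20,000 people."""
    digits = "".join(ch for ch in zip_code if ch.isdigit())
    if len(digits) < 5:
        raise ValueError("expected a 5-digit or ZIP+4 code")
    zip3 = digits[:3]
    # An area missing from the table is treated as small: fail closed to 000.
    return zip3 if zip3_population.get(zip3, 0) > 20_000 else "000"


def age_on(birth, as_of):
    """Completed years of age on the as_of date."""
    had_birthday = (as_of.month, as_of.day) >= (birth.month, birth.day)
    return as_of.year - birth.year - (0 if had_birthday else 1)


def generalize_age(age):
    """Ages over 89 are aggregated into a single '90 or older' category."""
    return "90 or older" if age > 89 else str(age)


def generalize_record(rec, zip3_population, as_of):
    """Apply the zip and date rules to one record (hypothetical field names)."""
    age = age_on(rec["birth_date"], as_of)
    return {
        "zip3": generalize_zip(rec["zip"], zip3_population),
        "age": generalize_age(age),
        # A birth year is indicative of an age over 89, so it is withheld then.
        "birth_year": None if age > 89 else rec["birth_date"].year,
        # Other dates keep the year only; month and day are dropped.
        "admission_year": rec["admission_date"].year,
    }


if __name__ == "__main__":
    sample = {"zip": "52242-1234", "birth_date": date(1930, 5, 17),
              "admission_date": date(2024, 3, 2)}  # constructed record
    print(generalize_record(sample, SAMPLE_ZIP3_POPULATION, date(2024, 6, 1)))
```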