Which of the following is an example of protected health information?

Protected health information (PHI) is any individually identifiable health information about a person’s health, care, or payment for care that can be linked to them, when held or transmitted by a HIPAA‑covered entity or its business associate. In practice, PHI is created or used in the course of providing healthcare services such as diagnosis, treatment, or billing.

What counts as PHI?

Under HIPAA, PHI must meet both of these conditions:

  • It relates to an individual’s past, present, or future physical or mental health, the provision of healthcare, or payment for healthcare.
  • It is individually identifiable (it either directly identifies the person or there is a reasonable basis to believe it can be used to identify them).

This includes PHI in any form: electronic, paper, or oral.

Common identifiers that make data PHI

Regulators and compliance frameworks describe 18 key identifiers that, when linked with health information, make the data PHI. Examples include:

  • Name
  • Geographic information smaller than a state (e.g., street address, city, ZIP code)
  • All elements of dates directly related to an individual (e.g., birth date, admission date, discharge date)
  • Phone and fax numbers
  • Email address
  • Social Security number
  • Medical record number
  • Health plan beneficiary or insurance number
  • Account numbers (e.g., billing account)
  • Certificate or license numbers (e.g., driver’s license)
  • Vehicle and device identifiers and serial numbers
  • Web URLs and IP addresses when tied to health data
  • Biometric identifiers (fingerprints, voiceprints, retinal scans)
  • Full‑face photographs and comparable images
  • Any other unique identifying number, characteristic, or code

If these identifiers are removed or sufficiently de‑identified using HIPAA standards, the remaining data may no longer qualify as PHI.

Examples of PHI vs non‑PHI

The table below shows realistic examples of what would and would not be PHI in typical multiple‑choice question scenarios:

<table>
  <thead>
    <tr>
      <th>Scenario</th>
      <th>PHI?</th>
      <th>Why</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>A hospital record stating “John Smith, born 4/12/1980, was treated for pneumonia on 9/10/2025.”</td>
      <td>Yes</td>
      <td>Includes a name, date of birth, and treatment information held by a covered entity, so it is individually identifiable health information.</td>
    </tr>
    <tr>
      <td>An insurance bill showing a patient’s name, policy number, and procedure code for a knee surgery.</td>
      <td>Yes</td>
      <td>Links identity (name, policy number) to payment and treatment data, which is PHI.</td>
    </tr>
    <tr>
      <td>Clinic phone message: “Call back Maria at 555‑123‑4567 regarding her lab results.”</td>
      <td>Yes</td>
      <td>Contains a phone number plus an implied connection to health services (lab results), making it PHI.</td>
    </tr>
    <tr>
      <td>A de‑identified dataset: “50‑year‑old male with diabetes; no name, contact info, or specific dates.”</td>
      <td>No (if properly de‑identified)</td>
      <td>Describes a health condition but contains no identifiers that directly or reasonably identify the person under the HIPAA Safe Harbor method.</td>
    </tr>
    <tr>
      <td>Hospital cafeteria sales report showing how many sandwiches were sold each day.</td>
      <td>No</td>
      <td>Contains no health information or patient identifiers.</td>
    </tr>
  </tbody>
</table>

How exam questions usually frame it

In typical quiz or exam formats asking “which of the following is an example of protected health information,” the correct option is usually something like:

  • “A patient’s name and medical record number on a lab report”
  • “A billing statement with a patient’s name and diagnosis code”
  • “An email that includes a patient’s full name and details about their upcoming surgery”

Options that include health details without any way to identify a person, or information with no health context (like purely financial data not tied to care), are usually not PHI under HIPAA.
