Protected Health Information (PHI) is individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits — in any form whatsoever. That breadth is the point: PHI includes the obvious clinical content but also video and audio of a consultation, chat transcripts, appointment metadata, server logs, and IP addresses, all of which can tie health data to a person. The definition lives at 45 CFR §160.103.

What makes information "identifiable" is captured by the eighteen HIPAA identifiers — names, geographic detail, all dates tied to an individual, phone and account numbers, device identifiers, IP addresses, biometric data, full-face photos, and more. Remove those identifiers properly and the data can fall outside PHI through de-identification; leave even one in, and a dataset you assumed was anonymous is still regulated. This is why "we only log technical metadata" is rarely the safe-harbor argument teams hope it is.

For a telemedicine product team, PHI is the unit of risk in every architecture decision. The questions that matter are concrete: where does PHI flow, where does it come to rest, which humans and which vendors touch it, and therefore which vendors need a Business Associate Agreement (BAA). A common and costly pitfall is forgetting the non-obvious carriers — session recordings, analytics events, crash logs, AI transcription, customer-support tooling — each of which can quietly accumulate PHI. Map the PHI inventory explicitly and keep it current, because you cannot protect data whose existence and location you have not tracked.
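As an added example (not part of the original text), the Python below scans constructed telemetry lines for a handful of the safe-harbor identifier classes, treats a bare timestamp as an identifier only when the line also carries a direct identifier, and tallies a first PHI inventory for the log source. The log format, field names and regexes are assumptions; they cover only a subset of the eighteen identifiers and are a starting point for an inventory, not a de-identification tool.

```python
import re

# Constructed sample log lines for illustration; no real users, devices or records.
SAMPLE_LOGS = [
    "2024-03-14T09:12:03Z INFO session_start user=jdoe ip=203.0.113.42 appt=2024-03-14",
    "2024-03-14T09:12:05Z INFO metrics p95_latency_ms=412 region=us-east-1 build=a1b2c3",
    "2024-03-14T09:13:40Z WARN support_ticket phone=555-0142 mrn=MRN-00448213 dob=1951-07-22 zip=02134",
]

# Narrow, assumed patterns for a subset of the eighteen safe-harbor identifier classes.
# Specific tokens come first so that redaction handles them before generic dates.
IDENTIFIER_PATTERNS = {
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "medical_record_number": re.compile(r"\bMRN-\d+\b"),
    "phone": re.compile(r"\b\d{3}-\d{4}\b"),
    "zip_code": re.compile(r"(?<=zip=)\d{5}\b"),
    "username": re.compile(r"(?<=user=)\w+\b"),
    "date": re.compile(r"\d{4}-\d{2}-\d{2}"),
}

# A date is an identifier when tied to an individual; a timestamp on an aggregate
# metrics line is not, so "date" counts only alongside a direct identifier.
DIRECT_IDENTIFIERS = set(IDENTIFIER_PATTERNS) - {"date"}


def classify(line: str) -> set[str]:
    """Return the identifier classes present in one log line."""
    found = {name for name, rx in IDENTIFIER_PATTERNS.items() if rx.search(line)}
    if "date" in found and not (found & DIRECT_IDENTIFIERS):
        found.discard("date")
    return found


def redact(line: str) -> str:
    """Replace each identifier with a class marker, e.g. ip=[ip_address]."""
    if not classify(line):
        return line  # no PHI on this line; keep the timestamp intact
    for name, rx in IDENTIFIER_PATTERNS.items():
        line = rx.sub(f"[{name}]", line)
    return line


def inventory(lines: list[str]) -> dict[str, int]:
    """Count how many lines carry each identifier class: a first PHI map."""
    counts: dict[str, int] = {}
    for line in lines:
        for name in classify(line):
            counts[name] = counts.get(name, 0) + 1
    return counts
```

Running `inventory(SAMPLE_LOGS)` on the constructed lines shows that two of the three "technical" log lines carry identifiers, including an IP address, which is the argument of the second paragraph in code.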