Protected health information (PHI) is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. The core of the HIPAA regulations is to ensure that ownership of any and all medical data is retained solely by the individual. Only an individual has the right to grant access to their medical data. The first three digits of the zip code are usually considered ok for use except in the case of certain zip codes that cover a small population (less than 20,000)”]
Source: https://datica.com/blog/what-is-protected-health-information-phi