How Does HIPAA Define Protected Health Information?

HIPAA defines protected health information as individually identifiable health information that is created or received by a health plan, a health care clearinghouse, or a health care provider that transmits health information in electronic form in connection with covered transactions, and that is transmitted or maintained in any form or medium, excluding certain records such as education records covered by FERPA and employment records held by a covered entity in its role as an employer. Individually identifiable health information includes information that relates to an individual’s past, present, or future physical or mental health condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual, when the information identifies the individual or there is a reasonable basis to believe it can be used to identify the individual.

Protected health information can exist in paper records, electronic systems, images, audio, video, and oral communications. Examples include medical records, diagnoses, treatment plans, test results, appointment information, insurance enrollment and eligibility data, claims and billing records, payment histories, and care coordination communications, when tied to a person and handled by a regulated entity or its business associate. The definition applies to information held by business associates when they create, receive, maintain, or transmit protected health information on behalf of a covered entity.

Identifiers that can render health information individually identifiable include a patient name, address elements, dates linked to an individual, telephone numbers, email addresses, account or member numbers, medical record numbers, device identifiers, full-face photographs, biometric identifiers, and unique codes that permit identification. A record may be protected health information even when it lacks a name if the remaining data elements can identify the individual. Protected health information can also include information about a deceased individual when the information meets the definition and is held by a covered entity or business associate.

Health information that has been de-identified in accordance with HIPAA de-identification standards is not protected health information. Limited data sets used for research, public health, or health care operations remain regulated and require a data use agreement, even though they omit direct identifiers, because the information remains health information that can present re-identification risk. The protected health information definition drives when the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Breach Notification Rule, and HIPAA Minimum Necessary Rule obligations apply to use, disclosure, safeguarding, and incident response activities.
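The two preceding paragraphs describe the test in two halves: a record is protected health information when it carries health information (condition, care, or payment) and when some data element identifies the individual, even if no name is present. The following is an added example, not code from the original article, showing how a data-classification check might apply that test to records before they leave a regulated system. The field names, the free-text patterns, and the sample records are assumptions constructed for the example; the patterns cover only the identifier categories named above, not the full HIPAA de-identification standard, which is why a record with no identifier found is reported as needing review rather than as de-identified.

```python
import re
from typing import Dict, List

# Assumed schema: fields that carry health information in the article's sense
# (a condition, care provided, or payment for care).
HEALTH_FIELDS = {
    "diagnosis", "treatment_plan", "test_result", "appointment",
    "claim_amount", "payment_history",
}

# Assumed schema: fields holding the direct identifiers the article names.
IDENTIFIER_FIELDS = {
    "name", "address", "phone", "email", "member_number", "mrn",
    "device_id", "photo", "biometric",
}

# Constructed, illustrative patterns for identifiers that tend to hide inside
# free-text notes. They are deliberately narrow; a real scanner needs more.
FREE_TEXT_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "phone": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:# ]*\d{6,}\b", re.IGNORECASE),
}


def has_health_information(record: Dict[str, object]) -> bool:
    """True when any populated field describes condition, care, or payment."""
    return any(key in HEALTH_FIELDS and record.get(key) not in (None, "")
               for key in record)


def find_identifiers(record: Dict[str, object]) -> List[str]:
    """Return the sorted identifier categories present in structured fields
    or embedded in string values."""
    found = set()
    for key, value in record.items():
        if key in IDENTIFIER_FIELDS and value not in (None, ""):
            found.add(key)
        if isinstance(value, str):
            for label, pattern in FREE_TEXT_PATTERNS.items():
                if pattern.search(value):
                    found.add(label)
    return sorted(found)


def classify(record: Dict[str, object]) -> str:
    """Apply the two-part test: health information plus an identifying element.
    A record with health information but no identifier detected is not
    declared de-identified, since the patterns here are not the full standard."""
    if not has_health_information(record):
        return "not health information"
    if find_identifiers(record):
        return "PHI"
    return "health information, no direct identifiers found"


# Constructed sample records for demonstration.
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "diagnosis": "type 2 diabetes"},
    # No name, but an MRN in the notes still identifies the individual.
    {"diagnosis": "hypertension", "notes": "Follow up, MRN# 00123456"},
    # Aggregated fields only: health information, identifier check passes,
    # but still requires de-identification review before release.
    {"diagnosis": "hypertension", "age_band": "40-49", "zip3": "021"},
    # Identifiers with no health content are not PHI under the definition.
    {"name": "John", "email": "j@example.com"},
]

if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        print(classify(record), find_identifiers(record))
```

Running the block prints one classification per sample record; the second record is the case the article calls out, where the name is absent but a medical record number in free text still makes the record protected health information.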

About Christine Garcia
Christine Garcia is the staff writer at Calculated HIPAA. Christine has several years' experience writing about healthcare sector issues, with a focus on compliance and cybersecurity, and has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA