Protected Health Information is individually identifiable information, in any form or medium, that relates to an individual’s past, present, or future physical or mental health condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care, and that is created, received, maintained, or transmitted by a HIPAA Covered Entity or Business Associate.
Definition of Protected Health Information
Protected Health Information includes health information that identifies a specific person or that can reasonably be used to identify a person. The identifier can be direct, such as a name, or indirect, such as a combination of demographic and encounter details that allows identification. Protected Health Information includes information in paper records, verbal communications, and electronic systems. Electronic Protected Health Information is Protected Health Information that is created, received, maintained, or transmitted in electronic form and is subject to the administrative, physical, and technical safeguard requirements of the HIPAA Security Rule.
When Information Becomes PHI
Health information becomes Protected Health Information when it is linked to an individual and handled by a HIPAA Covered Entity or Business Associate in a regulated function. Clinical narratives, lab results, imaging reports, appointment records, billing statements, eligibility responses, claims data, care management notes, and patient portal messages are Protected Health Information when they contain identifying elements or can be tied to an individual through associated records. A standalone data element may be non-identifying in isolation, but the same element can become identifying when combined with other information available in the organization’s environment.
Common Data Elements That Make Information Identifiable
Identifiers include personal names, geographic details smaller than a state in many use cases, dates that are linked to an individual, contact information, account and membership numbers, device and online identifiers, biometric identifiers, full-face photographs, and any unique code or characteristic that permits identification. Identification can also occur through uncommon diagnoses, rare procedures, or unique care events when paired with location or timing information. The determination hinges on whether the information identifies the person or provides a reasonable basis to identify the person.
Information That Is Not PHI
Information is not Protected Health Information when it has been de-identified using a method recognized under the HIPAA Privacy Rule, so that identification is not reasonably possible under the applicable standard. A limited data set is not de-identified and remains Protected Health Information even though certain direct identifiers are removed, and its use and disclosure require a data use agreement and compliance controls. Certain records are excluded from the HIPAA Privacy Rule definition of Protected Health Information, including education records covered by the Family Educational Rights and Privacy Act and employment records held by a HIPAA Covered Entity in its role as an employer.
Operational Implications For Covered Entities and Business Associates
Organizations treat Protected Health Information as regulated information across its lifecycle, including creation, access, use, disclosure, storage, transmission, and disposal. The HIPAA Privacy Rule governs permissible uses and disclosures and individual rights, including access, amendment, and accounting of disclosures where applicable. The HIPAA Minimum Necessary Rule applies to uses, disclosures, and requests for Protected Health Information, with defined exceptions such as disclosures for treatment and certain disclosures to the individual. The HIPAA Security Rule applies to electronic Protected Health Information and requires an accurate and thorough risk analysis, risk management measures, workforce access controls, audit controls, integrity protections, and transmission security aligned with the organization’s environment. The HIPAA Breach Notification Rule governs notification duties when there is an impermissible use or disclosure of unsecured Protected Health Information that is not demonstrated, under the required assessment, to pose a low probability of compromise.