protected health information (HIPAA)
regulations define health information as "any information,
or recorded in any form or medium" that
- "[i]s created
or received by a health care provider, health plan, public
health authority, employer, life insurer, school or university,
or health care clearinghouse"; and
to the past, present, or future physical or mental health
or condition of an individual; the provision of health care
to an individual; or the past, present, or future payment
for the provision of health care to an individual."
It is worth emphasizing
that while HIPAA's primary privacy concern is health information
exchanged or stored electronically, the Privacy
Rule also reaches to data "[t]ransmitted or maintained
in any other form or medium." That includes paper records,
fax documents and oral
In contrast, HIPAA's
and Code Set rules only cover electronic information.
For details on what is and is not "electronic" see
the discussion of Security
information (PHI) under HIPAA includes any individually
identifiable health information. Identifiable refers
not only to data that is explicitly linked to a particular
individual (that's identified information). It also
includes health information with data items which reasonably
could be expected to allow individual identification.
information is that from which all potentially identifying
information has been removed. (HIPAA also has a provision
for a limited data set,
from which most but not all potentially identifying information
has been removed.)
Note that the definition
of PHI excludes individually identifiable health information
in education records
covered by the Family Educational Rights and Privacy Act.
It also excludes
held by a covered entity in its role as employer.