protected health information (HIPAA)

HIPAA regulations define health information as "any information, whether oral or recorded in any form or medium" that

  • "[i]s created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse"; and
  • "[r]elates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual."

It is worth emphasizing that while HIPAA's primary privacy concern is health information exchanged or stored electronically, the Privacy Rule also reaches data "[t]ransmitted or maintained in any other form or medium." That includes paper records, fax documents, and oral communications.

In contrast, HIPAA's Security, Identifier, and Transaction and Code Set rules only cover electronic information. For details on what is and is not "electronic" see the discussion of Security Rule applicability.

Protected health information (PHI) under HIPAA includes any individually identifiable health information. "Identifiable" refers not only to data that is explicitly linked to a particular individual (that is "identified" information); it also includes health information containing data items that could reasonably be expected to allow an individual to be identified.

De-identified information is information from which all potentially identifying information has been removed. (HIPAA also has a provision for a limited data set, from which most but not all potentially identifying information has been removed.)

Note that the definition of PHI excludes individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act. It also excludes employment records held by a covered entity in its role as employer.

   © 2002-2006 Contributing authors and University of Miami School of Medicine