DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
This article provides the definitions of key HIPAA terms, including:
1. Health information
2. Individually Identifiable Health Information (IIHI)
3. Health care
4. Healthcare provider
5. Protected Health Information (PHI)
6. Electronic Protected Health Information (ePHI)
Health Information:
Health information is any information, including genetic information, whether oral or recorded in any form or medium, that:
(1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.
Individually Identifiable Health Information (IIHI):
Individually identifiable health information (IIHI) is information that is a subset of health information, including demographic information collected from an individual, and that:
(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual;
and
(i) That identifies the individual; or
(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
Please note that in March of 2024, HHS released guidance on the use of online tracking technologies by covered entities and business associates. The guidance does not change the definition of IIHI, but rather discusses what is considered to be IIHI in the context of online tracking technology use. The knowledge base article that covers the guidance can be found by clicking here.
Healthcare:
Healthcare means care, services, or supplies related to the health of an individual. Health care includes, but is not limited to, the following:
(1) Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and
(2) Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.
Healthcare provider:
Healthcare provider means a provider of services (as defined in section 1861(u) of the Social Security Act, 42 U.S.C. 1395x(u)), a provider of medical or health services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.
Individuals receive healthcare from healthcare providers. Information that is created or received by the provider that relates to past, present, or future health condition or payment for healthcare, is health information. Individually identifiable health information is part of a subset of health information. In turn, protected health information is part of a subset of IIHI.
Protected Health Information:
Protected health information (PHI) is a subset of individually identifiable health information (IIHI) that is:
Transmitted by electronic media;
Maintained in electronic media; or
Transmitted or maintained in any other form or medium.
The HIPAA rules protect 18 specific types of individually identifiable health information that are transmitted by electronic media; maintained in electronic media; or transmitted or maintained in any other form or medium. These 18 types of information that are protected by HIPAA as “protected health information” include:
(A) Names;
(B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
(1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
(2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
(C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
(D) Telephone numbers;
(E) Fax numbers;
(F) Electronic mail addresses;
(G) Social security numbers;
(H) Medical record numbers;
(I) Health plan beneficiary numbers;
(J) Account numbers;
(K) Certificate/license numbers;
(L) Vehicle identifiers and serial numbers, including license plate numbers;
(M) Device identifiers and serial numbers;
(N) Web Universal Resource Locators (URLs);
(O) Internet Protocol (IP) address numbers;
(P) Biometric identifiers, including finger and voice prints;
(Q) Full-face photographic images and any comparable images; and
(R) Any other unique identifying number or characteristic.
Whether a record or documemt contains protected health information (e.g., “Does this list of patient medical record numbers stored on its own, separate spreadsheet, constitute PHI if all it contains is the medical record numbers?” is often not a simple “yes” or “no” inquiry. The inquiry may depend on other facts, context, and whether the information may, alone or in combination with other information, allow for a reasonable basis to conclude the information can be used to identify an individual patient. A qualified healthcare attorny can assist with the inquiry.
Electronic Protected Health Information:
Electronic protected health information (ePHI) is PHI that is transmitted by electronic media; or maintained in electronic media.
What Information is Excluded from the Definition of PHI?
Protected health information excludes individually identifiable health information:
(i) In education records covered by the Family Educational Rights and Privacy Act (FERPA), as amended, 20 U.S.C. 1232g;
(ii) In records described at 20 U.S.C. 1232g(a)(4)(B)(iv);
(iii) In employment records held by a covered entity in its role as employer; and
(iv) Regarding a person who has been deceased for more than 50 years.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article