DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website does not, and is not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
Introduction
This article discusses when an individual's personal health information becomes protected health information under HIPAA.
Who and What Does HIPAA Regulate?
HIPAA regulates covered entities and business associates in their creation, maintenance, receipt, transmission, use, and disclosure of, and access to, protected health information.
What is Individually Identifiable Health Information (IIHI)?
Individually identifiable health information (IIHI) is information that is a subset of health information, including demographic information collected from an individual, and that:
(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual;
and
(i) That identifies the individual; or
(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
To qualify as IIHI, information must be health-related. The information must relate to past, present, or future physical or mental health of a specific person, or relate to the provision of healthcare to a specific person, or to future payment or provision of healthcare to someone.
To meet the definition of IIHI, information must identify someone. Alternatively, there must be a reasonable basis to believe that the information, along with other data, can be used to identify someone. To constitute IIHI, information must also be "created or received by a healthcare provider."
What is Protected Health Information (PHI)?
PHI is a subset of IIHI. That means for information to constitute PHI, the information must be "created or received by a healthcare provider." To qualify as PHI, IIHI must also be:
(i) Transmitted by electronic media;
(ii) Maintained in electronic media; or
(iii) Transmitted or maintained in any other form or medium.
Do Consumers or Prospective Patients Create PHI?
Is a consumer or would-be patient who is looking for a doctor, and who sends health information to that doctor, acting as "a healthcare provider who is creating information" or as "a healthcare provider who is receiving information"? No. The consumer or would-be patient is acting as a consumer or would-be patient - as an individual sending that information TO a healthcare provider, who is simultaneously receiving it.
So, a consumer looking for a provider, or would-be patient looking for a provider, who transmits health information for the first time to a doctor's office, is not sending IIHI, and is therefore not sending PHI. Once a healthcare provider that engages in one or more HIPAA-covered transactions (that is, a covered entity) receives the information, the healthcare provider is at that point obligated to protect the information, in accordance with the HIPAA regulations. Covered entities are obligated by HIPAA to protect the PHI of individuals. An individual is defined by HIPAA as a "person who is the subject of protected health information."