Protected health information is individually identifiable health information that is created, received, maintained, or transmitted by a HIPAA Covered Entity or Business Associate in any form or medium. It relates to an individual’s past, present, or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for health care, and it identifies the individual or can reasonably be used to identify the individual. Specified exclusions apply to certain records and to information that has been de-identified in accordance with HIPAA standards.
Protected health information includes information held by health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions, and it includes the same types of information when handled by a Business Associate performing functions or services for or on behalf of a HIPAA Covered Entity. The form of the information does not change its status as protected health information. Paper records, electronic records, images, audio recordings, and verbal communications can contain protected health information when the content meets the definition.
Identifiability is determined by the presence of direct identifiers or by a reasonable basis to believe the information can be used to identify an individual. Identifiers include names, geographic subdivisions smaller than a state in many contexts, elements of dates tied to an individual such as date of birth, telephone numbers, email addresses, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate or license numbers, device identifiers and serial numbers, biometric identifiers, full-face photographs, and other unique identifying characteristics or codes. Clinical details also qualify when linked to an individual, including diagnoses, laboratory results, imaging reports, medication lists, appointment information, treatment plans, and billing and remittance information.
Certain information is excluded from the definition of protected health information even when it relates to an individual. Education records covered by the Family Educational Rights and Privacy Act and employment records held by a HIPAA Covered Entity in its role as employer are excluded. Information regarding a person who has been deceased for more than 50 years is excluded under the HIPAA Privacy Rule. De-identified information is not protected health information when identifiers have been removed and the de-identification conditions are met under HIPAA standards.
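The two-part test in the paragraphs above (health content plus identifiability, with de-identification lifting a record out of scope) is the kind of rule a data-classification or DLP check implements. The Python below is an added illustration, not part of the original text and not the HIPAA de-identification standard itself: the field names, the regular expressions, and the sample record are constructed for this example, and they cover only some of the identifier categories listed above. It classifies a structured record, scans free-text fields for identifiers that leak into narrative, and shows how stripping the identifiers changes the classification.

```python
import re

# Record fields that, by name, carry one of the identifier categories the
# definition lists (names, dates tied to the individual, contact details,
# record and account numbers). Constructed mapping for this example.
IDENTIFIER_FIELDS = {
    "name": "name",
    "date_of_birth": "date element",
    "phone": "telephone number",
    "email": "email address",
    "ssn": "Social Security number",
    "mrn": "medical record number",
    "account_number": "account number",
}

# Record fields that carry clinical or payment content (constructed set).
HEALTH_FIELDS = {"diagnosis", "lab_results", "medications",
                 "appointment", "billing", "notes"}

# Constructed regexes that catch identifiers written into free text such as
# clinical notes. Illustrative only; production rules need far more coverage.
FREE_TEXT_PATTERNS = {
    "Social Security number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "telephone number": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email address": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "date element": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
    "medical record number": re.compile(r"\bMRN[-: ]?\d{5,}\b", re.IGNORECASE),
}


def find_identifiers(record):
    """Return (field, category) pairs for every identifier found in the record.

    Named identifier fields count once; other string fields are scanned for
    identifiers embedded in free text.
    """
    found = []
    for field, value in record.items():
        if value in (None, ""):
            continue
        if field in IDENTIFIER_FIELDS:
            found.append((field, IDENTIFIER_FIELDS[field]))
            continue
        if isinstance(value, str):
            for category, pattern in FREE_TEXT_PATTERNS.items():
                if pattern.search(value):
                    found.append((field, category))
    return found


def has_health_content(record):
    """True when any clinical or payment field is populated."""
    return any(record.get(f) for f in HEALTH_FIELDS)


def classify(record):
    """Apply the definition: health content that is identifiable is PHI."""
    identifiers = find_identifiers(record)
    health = has_health_content(record)
    if health and identifiers:
        return "PHI"
    if health:
        return "de-identified health information"
    if identifiers:
        return "identifiable, no health content"
    return "neither"


def deidentify(record):
    """Drop named identifier fields and redact free-text identifier matches.

    Returns a new record; the input is not modified.
    """
    cleaned = {}
    for field, value in record.items():
        if field in IDENTIFIER_FIELDS:
            continue
        if isinstance(value, str):
            for category, pattern in FREE_TEXT_PATTERNS.items():
                value = pattern.sub(f"[REDACTED {category}]", value)
        cleaned[field] = value
    return cleaned


# Constructed sample record; every value is fictional.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "date_of_birth": "03/14/1975",
    "mrn": "MRN-00123456",
    "diagnosis": "Type 2 diabetes mellitus",
    "medications": "metformin 500 mg",
    "notes": "Patient called from 555-010-2222; follow-up after labs on 04/02/2024.",
}

if __name__ == "__main__":
    print(classify(SAMPLE_RECORD), find_identifiers(SAMPLE_RECORD))
    cleaned = deidentify(SAMPLE_RECORD)
    print(classify(cleaned), cleaned)
```

The free-text scan is the part worth noting: the notes field carries no identifier by name, yet it contains a telephone number and a date tied to the individual, so the record stays PHI until those are redacted as well as the named fields removed.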
Electronic protected health information is protected health information that is maintained in or transmitted by electronic media, and it is subject to the administrative, physical, and technical safeguard requirements of the HIPAA Security Rule. Protected health information in any form remains subject to the use and disclosure requirements and individual rights provisions of the HIPAA Privacy Rule, including limitations on impermissible uses and disclosures and requirements to provide access to an individual’s records in designated record sets when applicable.
HIPAA Staff Training Relating to Protected Health Information
HIPAA staff training supports protected health information controls by teaching workforce members how to recognize protected health information and apply role-specific handling requirements under the HIPAA Privacy Rule and HIPAA Security Rule during routine clinical, administrative, billing, and technical workflows. Training is required for workforce members who handle protected health information, and it is typically delivered during onboarding and repeated as refresher training on an organizational schedule, with annual refreshers commonly used as an operational standard. Training content is expected to address permissible uses and disclosures, access controls, authentication and device use practices for electronic protected health information, workstation and paper record handling, secure communications, and incident identification and reporting. Training also needs to align with the organization’s policies and procedures, since HIPAA training does not replace internal procedures that vary by function, location, and risk analysis results.