Protected health information is individually identifiable health information that is created or received by a HIPAA covered entity or business associate and relates to a person’s health condition, health care, or payment for health care, and examples include clinical information, billing information, and related identifiers when the information identifies the person or can be used to identify the person.
Clinical records commonly contain protected health information. Diagnoses, problem lists, histories and physicals, allergy lists, medication lists, laboratory results, imaging reports, pathology reports, operative notes, discharge summaries, and care plans are protected health information when they are linked to an identifiable individual. Photographs stored in the medical record can be protected health information when they identify the individual or are associated with the individual’s care.
Administrative and financial records also contain protected health information when they relate to treatment or payment and identify the individual. Appointment schedules, referral records, authorizations, eligibility responses, claims, explanation of benefits materials, remittance advice, account balances, and payment histories are protected health information when tied to an identifiable patient. Communications about care such as voicemail messages, emails, portal messages, and recorded calls can be protected health information when they include identifiable patient information and relate to health care or payment.
Identifiers become protected health information when they are maintained with health, treatment, or payment information in a record set or system used by a covered entity or business associate. Examples include a patient name linked to a diagnosis, a medical record number tied to lab results, a date of birth included on a claim, a patient address associated with a treatment plan, a telephone number stored in a care coordination record, an email address used for patient portal access tied to clinical content, and a photograph associated with a medical record number.
Protected health information can exist in electronic, paper, and oral form. A printed discharge instruction sheet, a faxed referral with identifying information, a spoken discussion of an identifiable patient’s condition, and an electronic spreadsheet used for care management can each be protected health information depending on content and context.
Certain data are outside protected health information. De-identified information is not protected health information. Employment records held by a covered entity in its role as employer are not protected health information. Education records covered by the Family Educational Rights and Privacy Act are not protected health information. Information about a person who has been deceased for more than 50 years is not protected health information under the HIPAA Privacy Rule.