Protected health information under HIPAA is individually identifiable health information that relates to a person’s past, present, or future physical or mental health or condition, the provision of healthcare to the person, or payment for that care, and that is created, received, maintained, or transmitted by a HIPAA Covered Entity or Business Associate in any form or medium.
The definition ties protection to both content and context. Health information becomes protected health information when it identifies the individual or could reasonably be used to identify the individual, and when a regulated entity holds or transmits it as part of regulated activities. The same clinical fact can fall outside protected health information when it is held by a party that is not a covered entity or business associate, or when it is held in a category excluded from the definition.
Individually identifiable health information includes demographic and administrative details linked to care or payment, such as names, addresses, dates associated with care, medical record numbers, insurance identifiers, diagnosis and treatment information, prescription information, test results, imaging, care plans, clinical notes, billing statements, claims data, and communications about an individual’s care. Protected health information includes oral communications, paper records, and electronic data. A spoken conversation at a nursing station can contain protected health information. A printed appointment list can contain protected health information. A screenshot of a patient portal can contain protected health information.
Identifiers make health information individually identifiable. The HIPAA Privacy Rule de-identification safe harbor list is commonly used as an operational reference for identifiers that can link information to an individual, including names, geographic subdivisions smaller than a state in many contexts, elements of dates directly related to an individual, telephone numbers, email addresses, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate or license numbers, vehicle identifiers, device identifiers and serial numbers, URLs, IP addresses, biometric identifiers, full-face photographs, and any other unique identifying number, characteristic, or code. Organizations often treat combinations of data elements as identifying even when a single element might not identify a person by itself, such as a rare diagnosis combined with a small location and a service date.
Protected health information includes more than clinical documentation. Communications such as appointment reminders, referral coordination, billing inquiries, and care management messages can contain protected health information when they identify the patient and relate to care or payment. A message that confirms an appointment for a named patient at a specialist office can become protected health information if it links the person to healthcare services. A payment ledger tied to a patient name and services can become protected health information. Even when a message contains limited detail, the association with care or payment can bring it within the definition.
The HIPAA Privacy Rule also defines what is not protected health information. Education records covered by the Family Educational Rights and Privacy Act are excluded. Employment records held by a covered entity in its role as employer are excluded, even when those records contain health-related information such as medical leave documentation kept in the employment file. Information regarding a person who has been deceased for more than 50 years is excluded. These exclusions affect how regulated organizations classify information that sits in human resources systems, student records systems, and archival records.
De-identified data is not protected health information. The HIPAA Privacy Rule recognizes de-identification when there is no reasonable basis to believe the information can identify the individual. Organizations use either an expert determination method or a safe harbor method that removes the specified identifiers and applies the required conditions. Data that does not meet de-identification standards remains protected health information if a covered entity or business associate holds it. A limited data set is still protected health information because it can include some identifiers such as dates and certain geographic information, and it carries use and disclosure conditions.
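The safe harbor identifier list and the limited data set distinction described above, as an added Python example that is not part of the original text: it strips or generalizes the identifier fields of a constructed record, collapses ages over 89, truncates the ZIP code only where the 3-digit area holds more than 20,000 people, and checks the result for leftover identifier-shaped values. The record values, the reference year and the ZIP-area population are constructed inputs; the field names are assumptions.

```python
import re

# Constructed sample record (fictitious values), as a covered entity might hold it.
RECORD = {
    "name": "Jane Example", "mrn": "MRN-0001234", "ssn": "123-45-6789",
    "email": "jane@example.org", "ip_address": "192.0.2.10",
    "zip": "02115", "state": "MA",
    "birth_date": "1931-07-04", "admit_date": "2024-03-15",
    "diagnosis": "Type 2 diabetes", "lab_result": "HbA1c 7.9%",
}
# Record fields that correspond to direct identifiers on the safe harbor list.
DIRECT_IDENTIFIERS = {"name", "mrn", "ssn", "email", "ip_address"}
DATE_FIELDS = {"birth_date", "admit_date"}
# Identifier-shaped values that can hide inside free-text fields.
IDENTIFIER_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),        # SSN
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),       # email address
    re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),         # full date
    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),   # IPv4 address
]

def limited_data_set(rec):
    """Strip direct identifiers but keep dates and ZIP/state: still PHI."""
    return {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}

def safe_harbor(rec, as_of_year, zip3_population):
    """Safe harbor de-identification of one record.
    as_of_year: year used to compute age (constructed input).
    zip3_population: people sharing the 3-digit ZIP prefix (constructed input)."""
    out = {k: v for k, v in rec.items()
           if k not in DIRECT_IDENTIFIERS and k not in DATE_FIELDS}
    for k in DATE_FIELDS:                       # dates: keep the year only
        out[k.replace("_date", "_year")] = rec[k][:4]
    # Ages over 89 collapse to "90+", and the birth year is dropped with them.
    age = as_of_year - int(rec["birth_date"][:4])
    out["age"] = "90+" if age > 89 else str(age)
    if age > 89:
        del out["birth_year"]
    # ZIP: first 3 digits only, and only if more than 20,000 people share them.
    out["zip"] = rec["zip"][:3] + "00" if zip3_population > 20000 else "000"
    return out

def has_identifiers(rec):
    """True if identifier fields remain or any value looks like an identifier."""
    if rec.keys() & DIRECT_IDENTIFIERS or rec.keys() & DATE_FIELDS:
        return True
    return any(p.search(str(v)) for v in rec.values() for p in IDENTIFIER_PATTERNS)
```

The limited data set still fails the identifier check because its dates survive, which is why the text treats it as protected health information with use and disclosure conditions.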
The definition also depends on who holds the information. A health plan’s eligibility and claims files can contain protected health information. A healthcare provider’s clinical and billing systems can contain protected health information. A vendor that hosts an electronic health record environment, processes claims, provides records fulfillment, or supports IT operations with access to regulated systems can become a business associate that maintains protected health information on behalf of a covered entity.
Classification decisions drive operational controls. When information meets the definition, the HIPAA Privacy Rule limits uses and disclosures, and the HIPAA Security Rule requires safeguards for electronic protected health information. Organizations apply access controls, identity verification, workforce authorization rules, auditing, retention controls, and secure disposal procedures based on whether the data is protected health information and how it flows across systems and third parties.
