What is individually identifiable health information?

Individually identifiable health information is health information, including demographic information, that relates to an individual’s past, present, or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.

The definition covers information created or received by a health care provider, health plan, employer, or health care clearinghouse when the content is tied to health status, care, or payment and the person can be identified directly or indirectly. Identification can occur through a direct identifier such as a name, address, dates linked to an individual, telephone number, email address, Social Security Number, medical record number, health plan beneficiary number, account number, certificate or license number, vehicle identifiers, device identifiers, biometric identifiers, photographs, or other unique codes that permit identification. Identification can also occur when a data element can be combined with other available information to single out a person.

Individually identifiable health information is not limited to clinical records. Scheduling entries, billing and remittance documentation, prior authorization records, eligibility verification files, referral information, and communications about symptoms, diagnoses, medications, test results, or treatment plans can meet the definition when linked to an identifiable person.

Individually identifiable health information is the foundation for protected health information under the HIPAA Privacy Rule, but not every instance of individually identifiable health information is regulated as protected health information. The HIPAA Privacy Rule applies to covered entities and, through business associate agreements and the HIPAA Security Rule, to business associates that create, receive, maintain, or transmit protected health information on behalf of a covered entity. Individually identifiable health information held by an employer in employment records in its role as employer is excluded from protected health information, even when the information is health-related.

Information that has been de-identified under the HIPAA Privacy Rule is not individually identifiable health information for HIPAA compliance purposes because the identifiers have been removed or an expert determination supports that the risk of identification is sufficiently low. Once de-identified, the information is not treated as protected health information under HIPAA and is not subject to HIPAA Privacy Rule use and disclosure restrictions or HIPAA Security Rule safeguards for protected health information.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681