Individually identifiable health information transmitted or maintained in any form that relates to an individual's health condition, healthcare provision, or payment for healthcare.
Protected Health Information (PHI) is the cornerstone concept of HIPAA. PHI is defined as individually identifiable health information that is transmitted by or maintained in electronic media, or any other form or medium. For information to qualify as PHI, it must meet three criteria: it must relate to an individual's past, present, or future physical or mental health condition, the provision of healthcare to the individual, or the payment for such healthcare; it must identify or provide a reasonable basis to identify the individual; and it must be held or transmitted by a covered entity or business associate. PHI exists in all forms including electronic (ePHI), paper records, and oral communications.
HIPAA defines 18 specific identifiers that make health information individually identifiable: names; geographic data smaller than a state; dates (except year) directly related to an individual; phone numbers; fax numbers; email addresses; Social Security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate or license numbers; vehicle identifiers and serial numbers; device identifiers and serial numbers; web URLs; IP addresses; biometric identifiers; full-face photographs and comparable images; and any other unique identifying number, characteristic, or code. When any of these identifiers is combined with health information, the data becomes PHI and is subject to HIPAA protections.
Not all health-related information is PHI. Health information that has been de-identified by removing all 18 identifiers (or through expert determination) is no longer PHI and is not subject to HIPAA. Employment records held by a covered entity in its role as employer are excluded. Education records covered by the Family Educational Rights and Privacy Act (FERPA) are excluded. Health information held by entities that are not covered entities or business associates is not subject to HIPAA (though other privacy laws may apply). Additionally, health information about a person who has been deceased for more than 50 years is no longer considered PHI. Understanding what qualifies as PHI is essential for determining when HIPAA obligations apply.
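The de-identification path described above (removing the 18 identifiers, keeping only the year of a date and only state-level geography) as an added example, not code from this page: a small Python scrubber that drops direct-identifier fields, generalizes dates and location, and redacts identifier patterns that leak through free-text notes. The field names, regexes and sample record are constructed assumptions; a real schema and a real review process will differ.

```python
import re
from datetime import date

# Field names assumed for the sample schema; they map to the 18 Safe Harbor
# identifier categories and are dropped outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "zip", "phone", "fax", "email", "ssn", "mrn",
    "beneficiary_id", "account_no", "license_no", "vin", "device_serial",
    "url", "ip", "biometric", "photo",
}

# Constructed patterns for identifiers that commonly hide in free text.
# A date keeps its year (group 1); everything else is replaced with a marker.
FREE_TEXT_PATTERNS = {
    "ssn":   (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN REMOVED]"),
    "phone": (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE REMOVED]"),
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL REMOVED]"),
    "ip":    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP REMOVED]"),
    "date":  (re.compile(r"\b(\d{4})-\d{2}-\d{2}\b"), r"\1"),
}

def deidentify(record: dict) -> tuple[dict, list[str]]:
    """Return a Safe Harbor-style copy of `record` and a log of what was removed."""
    out, removed = {}, []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            removed.append(key)                  # direct identifier: drop the field
        elif key == "state":
            out[key] = value                     # state-level geography is allowed
        elif isinstance(value, date):
            out[key] = value.year                # dates: keep only the year
            removed.append(f"{key}:month/day")
        elif isinstance(value, str):
            text = value
            for label, (pat, repl) in FREE_TEXT_PATTERNS.items():
                if pat.search(text):
                    removed.append(f"{key}:{label}")
                    text = pat.sub(repl, text)
            out[key] = text
        else:
            out[key] = value
    return out, removed

SAMPLE_RECORD = {  # constructed sample, not real patient data
    "name": "Jane Doe", "mrn": "MRN-0012345", "state": "CA", "zip": "94110",
    "date_of_birth": date(1984, 6, 2), "admission_date": date(2023, 4, 15),
    "diagnosis": "Type 2 diabetes",
    "notes": "Patient (SSN 123-45-6789) reachable at 415-555-0100; follow-up 2023-05-01.",
}
```

Running `deidentify` a second time on its own output should report nothing removed; that idempotence check is a cheap regression test for the scrubber.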