The HIPAA Privacy Rule directly applies to covered entities—i.e., health plans, healthcare clearinghouses, and healthcare providers—and is concerned with the protection of individually identifiable health information.1 This consists of information that (a) identifies the individual (or for which there is a reasonable basis to believe it can be used to identify the individual) and (b) relates to (i) the individual’s past, present or future physical or mental health or condition; (ii) the provision of healthcare to the individual; or (iii) the past, present, or future payment for the provision of healthcare to the individual.2

Such information, in any form or media, held or transmitted by a covered entity or its business associate is known as protected health information (PHI).3 PHI includes many common identifiers (e.g., name, address, birthdate, and Social Security Number) when they can be associated with the individual. Because the Privacy Rule only covers PHI to the extent it is identifiable, the Privacy Rule does not govern health information that has been properly de-identified (as defined in the Rule itself).

Additionally, the Privacy Rule excludes from the definition of PHI health information maintained in employment records in a covered entity’s capacity as an employer and education records subject to the Family Educational Rights and Privacy Act.4


1 45 CFR § 160.103.

2 Id.

3 Id.

4 Id.
