DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website does not, and is not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
Introduction
This article provides the definitions of key HIPAA terms, including:
1. Health information
2. Individually Identifiable Health Information (IIHI)
3. Health care
4. Healthcare provider
Having knowledge of these terms enables one to understand the definitions of protected health information (PHI) and electronic protected health information (ePHI).
What is Health Information?
Health information is any information, including genetic information, whether oral or recorded in any form or medium, that:
(1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.
What is Individually Identifiable Health Information?
Individually identifiable health information (IIHI) is information that is a subset of health information, including demographic information collected from an individual, and that:
(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual;
and
(i) That identifies the individual; or
(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
What is Health Care?
Health care means care, services, or supplies related to the health of an individual. Health care includes, but is not limited to, the following:
(1) Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and
(2) Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.
What is a Healthcare Provider?
"Healthcare provider" means a provider of services, a provider of medical or other health services, and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.
Putting it All Together
Individuals receive health care from healthcare providers. Information that is created or received by the provider and that relates to a past, present, or future health condition or payment for healthcare is health information. Individually identifiable health information is a subset of health information. In turn, protected health information is a subset of individually identifiable health information.
What is Protected Health Information?
HIPAA requires covered entities and business associates to safeguard protected health information (PHI).
Protected health information includes all individually identifiable health information, including demographic data, medical histories, test results, insurance information, and other information used to identify a patient or provide healthcare services or healthcare coverage. ‘Protected’ means the information is protected under HIPAA. For IIHI to qualify as PHI, the IIHI must be:
Transmitted by electronic media;
Maintained in electronic media; or
Transmitted or maintained in any other form or medium.
Whether a record or document contains protected health information (e.g., “Does this list of patient medical record numbers stored on its own, separate spreadsheet, constitute PHI if all it contains is the medical record numbers?”) is often not a simple “yes” or “no” inquiry. The inquiry may depend on other facts, context, and whether the information may, alone or in combination with other information, allow for a reasonable basis to conclude the information can be used to identify an individual patient. A qualified healthcare attorney can assist with the inquiry.
What is Electronic Protected Health Information?
Electronic protected health information (ePHI) is PHI that is transmitted by electronic media or maintained in electronic media.
What Information is Excluded from the Definition of PHI?
Protected health information excludes individually identifiable health information:
(i) In education records covered by the Family Educational Rights and Privacy Act (FERPA), as amended, 20 U.S.C. 1232g;
(ii) In records described at 20 U.S.C. 1232g(a)(4)(B)(iv);
(iii) In employment records held by a covered entity in its role as employer; and
(iv) Regarding a person who has been deceased for more than 50 years.