Missouri State University


The Privacy Rule and Protected Health Information

When health information is individually identifiable and is held by a covered entity, it is likely to be PHI. In contrast, the HHS Protection of Human Subjects Regulations describe "private information" as including information about behavior that occurs in a context in which an individual can reasonably expect that no observation or recording is taking place, and information that has been provided for specific purposes by an individual and that the individual can reasonably expect will not be made public (for example, a medical record). Under the HHS Protection of Human Subjects Regulations, private information must be individually identifiable (i.e., the identity of the subject is or may readily be ascertained by the investigator, or associated with the information) for obtaining the information to constitute research involving human subjects, unless the data are obtained through intervention or interaction with the individual.

Protected health information (PHI) under HIPAA means individually identifiable health information. "Identifiable" covers more than data explicitly linked to a particular individual (that is "identified" information): it also includes health information containing data items that could reasonably be expected to allow the individual to be identified.

De-identified information is information from which all potentially identifying information has been removed. (HIPAA also provides for a limited data set, from which most, but not all, potentially identifying information has been removed.)

Note that the definition of PHI excludes individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act (FERPA). It also excludes employment records held by a covered entity in its role as employer.

Protected Health Information (HIPAA)

HIPAA regulations define health information as "any information, whether oral or recorded in any form or medium" that:

  • "[i]s created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse"; and
  • "[r]elates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual."

It is worth emphasizing that while HIPAA's primary privacy concern is health information transmitted by or maintained in electronic media, the Privacy Rule also reaches data "[t]ransmitted or maintained in any other form or medium" by covered entities. That includes paper records, fax documents, and all oral communications.

In contrast, HIPAA's Security, Identifier, and Transaction and Code Set rules cover only electronic information (see, e.g., the discussion of Security Rule applicability).



Courtesy of the U. of Miami School of Medicine HIPAA Training.
