What Information is Protected by HIPAA?

HIPAA protects "protected health information" (PHI), defined at 45 CFR 160.103 as individually identifiable health information that is created or received by a HIPAA Covered Entity or Business Associate and is maintained or transmitted in any form or medium, including paper records, electronic data, and oral communications, apart from the categories the regulation expressly excludes. The subset that is maintained or transmitted electronically is electronic PHI (ePHI), and it is ePHI that the HIPAA Security Rule's administrative, physical, and technical safeguards apply to.

Protected health information is information that identifies an individual, or for which there is a reasonable basis to believe it can be used to identify an individual, and that relates to the individual's past, present, or future physical or mental health condition, the provision of healthcare to the individual, or payment for that healthcare. Demographic information collected from the individual counts as health information when it sits in that context. Common examples include diagnoses, test results, treatment plans, medication lists, medical images, appointment details tied to a patient's condition or care, clinical notes, insurance information, billing records, claims data, referral information, and care coordination communications, whenever they carry identifiers linked to health or payment.

The identifiers that make health information individually identifiable are the ones enumerated in the HIPAA Safe Harbor de-identification method (45 CFR 164.514(b)(2)): names; geographic subdivisions smaller than a state, including street addresses and ZIP codes (the first three digits of a ZIP code may be kept only where that area contains more than 20,000 people); all elements of dates other than the year that relate directly to an individual, including birth, admission, discharge, and death dates, and any age over 89; telephone and fax numbers; email addresses; Social Security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate and license numbers; vehicle identifiers and license plate numbers; device identifiers and serial numbers; URLs; IP addresses; biometric identifiers such as fingerprints and voiceprints; full-face photographs and comparable images; and any other unique identifying number, characteristic, or code. Because any of these can attach a health or payment context to a person, PHI also turns up in places engineers rarely think of as clinical records: application and access logs, message and call records, patient-portal activity, scheduling systems, audit trails, backups, and analytics events, whenever those records tie an identifier to care, payment, or a health condition. An IP address or device identifier in a web server log becomes PHI the moment the same log line records that the user opened a test result or paid a medical bill.

HIPAA does not treat all health-related information as PHI. The definition at 45 CFR 160.103 excludes education records covered by the Family Educational Rights and Privacy Act, the student treatment records described in FERPA at 20 U.S.C. 1232g(a)(4)(B)(iv), employment records that a Covered Entity holds in its role as an employer, and records of individuals who have been deceased for more than 50 years. Health information that is never created or received by a Covered Entity or Business Associate, such as data a consumer enters into a standalone fitness app, is not PHI under HIPAA either, whatever other privacy laws may apply to it. Information that has been de-identified under 45 CFR 164.514(b) is also not PHI. That can be done in one of two ways: the Safe Harbor method, which removes every identifier in the list above and requires that the entity have no actual knowledge that the remaining data could identify the individual, or the Expert Determination method, in which a qualified expert documents that the risk of re-identification is very small. A Covered Entity may keep a code that lets it re-identify the data, but only if the code is not derived from or related to information about the individual, is not used or disclosed for any other purpose, and the re-identification mechanism itself is not disclosed (45 CFR 164.514(c)).

Daniel Lopez

Daniel Lopez is the HIPAA expert behind HIPAA Coach. Daniel has over 10 years' experience as a HIPAA trainer and has developed deep experience in teaching HIPAA to healthcare professionals. Daniel has contributed to numerous publications, including expert articles on The HIPAA Guide. Daniel is currently a staff writer on HIPAA at the Healthcare IT Journal. Daniel was a subject matter expert for ComplianceJunction's online HIPAA training. Daniel's academic background in Health Information Management is the foundation of his HIPAA expertise. Daniel's primary professional interest is protecting patient privacy, which he believes is the core of the HIPAA regulations and the best route to HIPAA compliance. You can reach Daniel on the contact page of HIPAA Coach and follow him on Twitter at https://twitter.com/DanielLHIPAA