PHI is at the very core of the Health Insurance Portability and Accountability Act (HIPAA). The underlying purpose of HIPAA is to ensure that the personally identifiable information in a patient’s health record is kept private and protected. For health information to be considered PHI that is regulated under HIPAA, it must be:
- Personally identifiable to the patient
- Used or disclosed to or by a covered entity before, during, or after the course of care
The definition of health information is any information—verbal or recorded—in any form or medium that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse that relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.
The definition of personally identifiable health information includes demographic information collected from an individual, and created or received by a health care provider, health plan, employer, or health care clearinghouse; and that identifies the individual or relates to the individual’s past, present, or future physical or mental health or condition.
Protected health information is individually identifiable health information transmitted or maintained in electronic media (also known as ePHI) or in any other form or medium. It excludes individually identifiable health information held in education or employment records. Any information that has been de-identified—stripped of all individually identifiable health information so that it neither identifies nor alludes to an individual’s identity—is no longer considered PHI.