The HIPAA Privacy Rule protects all "individually identifiable health information" held or transmitted by a healthcare provider in any form or media, whether electronic, paper, or oral.² The Privacy Rule calls this information protected health information (PHI).
PHI is information (including demographic data) that relates to:
- An individual's past, present, or future physical or mental health or condition
- The provision of health care to the individual
- The past, present, or future payment for the provision of health care to the individual
All identifiers that can be used to identify an individual are protected. This includes many common identifiers (eg, name, address, birth date, Social Security Number).
2. Office for Civil Rights (OCR). “Summary of the HIPAA Privacy Rule.” HHS.gov, US Department of Health and Human Services, 26 July 2013, www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html. Accessed July 05, 2021.