45 CFR § 164.501: HIPAA Privacy Rule Definitions Explained in Plain English



Kevin Henry

HIPAA

September 19, 2025


Section 164.501 supplies the core definitions that drive how the HIPAA Privacy Rule works in day-to-day practice. This guide translates those terms into plain English so you can recognize Protected Health Information (PHI), understand who may handle it, and apply PHI Disclosure Standards confidently.

As you read, use these definitions to align documentation, data flows, and vendor contracts, and to support Covered Entity Compliance without slowing down patient care.

Protected Health Information Definitions

What HIPAA means by “PHI”

Protected Health Information is individually identifiable health information that a covered entity or its business associate creates, receives, maintains, or transmits in any form (paper, verbal, or electronic). It relates to a person’s past, present, or future health status, the care they receive, or the payment for that care—and either directly identifies the person or could reasonably identify them.

What is not PHI

  • De-identified data that meets HIPAA’s de-identification methodologies.
  • Education records covered by FERPA.
  • Employment records held by a covered entity in its role as employer.

Common identifiers that make health information “individually identifiable”

  • Name
  • Geographic details smaller than a state (for example, street address, city, county, and ZIP code)
  • All elements of dates (except year) related to a person, plus ages over 89 (aggregated as 90+)
  • Telephone and fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record and health plan beneficiary numbers
  • Account and certificate/license numbers
  • Vehicle and device identifiers/serial numbers
  • Web URLs and IP addresses
  • Biometric identifiers (for example, fingerprints, voiceprints)
  • Full-face photographs and comparable images
  • Any other unique identifying number, characteristic, or code

Designated record set (why it matters)

HIPAA uses “designated record set” to define the records you must be ready to provide to individuals on request. It includes, for example, a provider’s medical and billing records and a health plan’s enrollment, claims, and case management records—plus any other records used to make decisions about the individual.

Everyday examples

  • A clinic note, lab order, or radiology image tied to a patient
  • Billing statements, explanations of benefits, and prior authorization files
  • Patient portal messages and call center recordings linked to a patient
  • Device serial numbers or license plates when they can identify a specific patient

Covered Entity Classifications

Covered entities are the organizations primarily accountable for HIPAA Privacy Rule compliance. Accurately identifying them is foundational to Covered Entity Compliance.

Health plans

Insurers, HMOs, Medicare, Medicaid, employer-sponsored group health plans, and similar payers. They hold enrollment, claims, payment, and case management data.

Health care clearinghouses

Intermediaries that translate nonstandard health information into HIPAA-standard formats (and vice versa) for claims and related transactions.

Health care providers (that conduct standard electronic transactions)

Any provider—such as physicians, hospitals, therapists, dentists, pharmacists, labs—who transmits health information electronically in connection with standard transactions (for example, claims, eligibility checks, remittance advice).

Special structures you may encounter

  • Hybrid entities that designate health care components subject to HIPAA while separating non-health operations.
  • Affiliated covered entities and organized health care arrangements that coordinate certain Privacy Rule activities.

Business Associate Roles

A business associate (BA) performs functions or services for a covered entity that involve PHI—think claims processing, cloud hosting, data analytics, e-prescribing gateways, or legal, actuarial, and consulting services.

Typical services that make a vendor a BA

  • IT hosting, EHR and data backup vendors that store or process PHI
  • Billing services, clearinghouses, and collection agencies
  • Quality measurement, population health analytics, and utilization review
  • Third-party administrators and certain pharmacy benefit functions

Core responsibilities

  • Use or disclose PHI only as permitted by the Business Associate Agreement (BAA) and the Privacy Rule.
  • Implement administrative, physical, and technical safeguards; maintain HIPAA policies and training.
  • Report breaches and security incidents; flow down the same duties to subcontractors.
  • Make records available for compliance review and assist covered entities with individual rights requests when required.

Who is not a BA

  • A covered entity’s workforce members (they are internal, not vendors).
  • “Conduits” that merely transmit data without routine access (for example, certain postal or telecom carriers).

Treatment and Payment Clarifications

164.501 defines two cornerstones—treatment and payment—that support care coordination and reimbursement. This is the heart of most Treatment Payment Clarification questions.

Treatment

The provision, coordination, or management of health care and related services among providers or by a provider with a third party. It includes consultations, referrals, and sharing relevant PHI to manage a patient’s care.

Payment

Activities by a health plan or provider to obtain or provide reimbursement, such as eligibility and coverage determinations, claims submission and adjudication, medical necessity review, preauthorization, billing, and collections.

Do you need patient authorization?

Generally, authorization is not required for uses and disclosures of PHI for treatment, payment, or health care operations (often called “TPO”), subject to applicable PHI Disclosure Standards and any stricter state laws.


Health Care Operations Explained

Health care operations are the behind-the-scenes activities that keep an organization effective, safe, and compliant. Think of them as your Health Care Operations Procedures playbook.

Core operations activities

  • Quality assessment and improvement, outcomes evaluation, and patient safety initiatives
  • Case management and care coordination not classified as treatment, and population-based activities
  • Reviewing provider competence, credentialing, and staff training (including clinical education)
  • Accreditation, certification, licensing, auditing, fraud and abuse detection, and compliance
  • Underwriting and premium rating for health plans, and business planning and development
  • Business management and general administrative tasks, such as legal services and customer service

Sharing PHI for operations

Covered entities may share PHI for their own operations and, in limited cases, with another covered entity that has a relationship with the individual when the purpose is a joint activity like quality improvement or compliance.

Key guardrails

  • Apply the Minimum Necessary Rule to operations uses and disclosures.
  • Avoid impermissible marketing or sale of PHI; obtain authorization when required.
  • Use Business Associate Agreements when outside partners help perform operations tasks.

Minimum Necessary Standard

The Minimum Necessary Standard requires you to use, disclose, and request only the PHI reasonably necessary to accomplish a specific purpose. It is central to the Minimum Necessary Rule and to practical privacy-by-design.

What it requires in practice

  • Role-based access so staff see only what their duties require.
  • Standardized request templates that limit routine disclosures.
  • Data minimization in reports and dashboards (for example, masking, partial fields).

Common exceptions

  • Disclosures to or requests by a provider for treatment
  • Disclosures to the individual or made pursuant to a valid authorization
  • Disclosures required by law or to HHS for compliance investigations

Reasonable reliance shortcut

When appropriate, you may reasonably rely on another covered entity, a business associate, or a public official to request only what is minimally necessary for their stated purpose.

De-identified and Limited Data Sets

HIPAA allows broader sharing of data that is stripped of identifiers. Two pathways support analytics, research, and public health while protecting privacy: de-identification and the limited data set, each with distinct De-identification Methodologies.

De-identification (two methodologies)

  • Expert determination: A qualified expert applies generally accepted methods and documents that the risk of re-identification is very small.
  • Safe harbor: Remove these 18 identifiers and keep no actual knowledge that remaining data could identify a person:
    • Names
    • Geographic subdivisions smaller than a state (for example, street address, city, county, ZIP)
    • All elements of dates (except year) related to an individual; ages over 89 aggregated as 90+
    • Telephone and fax numbers
    • Email addresses
    • Social Security numbers
    • Medical record and health plan beneficiary numbers
    • Account numbers
    • Certificate/license numbers
    • Vehicle identifiers and serial numbers, including license plates
    • Device identifiers and serial numbers
    • Web URLs
    • IP addresses
    • Biometric identifiers (for example, fingerprints, voiceprints)
    • Full-face photos and comparable images
    • Any other unique identifying number, characteristic, or code

Limited data set (LDS)

An LDS removes direct identifiers (such as names, street addresses, contact numbers, SSNs, MRNs, full-face photos, URLs, IPs, device/vehicle IDs, and biometrics) but may include dates and broader geography (city, state, ZIP). It can be used and disclosed for research, public health, and health care operations with a Data Use Agreement.

Data Use Agreement essentials

  • Permitted purposes and authorized recipients
  • Safeguards and breach reporting duties
  • No re-identification or contact with individuals
  • Flow-down of restrictions to agents and subcontractors

Re-identification codes

You may assign a code to de-identified data to re-link later, so long as the code is not derived from personal information and the key is kept separately and securely.
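The three transformations described above (Safe Harbor de-identification, the limited data set, and a separately keyed re-identification code) as one added worked example; this is illustrative code written for this guide, not part of the original article or any HIPAA tooling. The record, its field names, and the MRN used as the key-store value are constructed assumptions.

```python
from datetime import date
import secrets

# Constructed sample record (not real patient data); field names are
# this example's own assumptions, not a standard schema.
RECORD = {
    "name": "Jane Doe", "street": "12 Elm St", "city": "Springfield",
    "state": "IL", "zip": "62704", "phone": "555-0100",
    "email": "jane@example.com", "ssn": "000-00-0000", "mrn": "MRN-12345",
    "ip": "203.0.113.7", "dob": date(1930, 4, 2),
    "visit_date": date(2024, 3, 15), "diagnosis": "E11.9", "hba1c": 7.2,
}

# Direct identifiers: removed by both Safe Harbor and a limited data set.
DIRECT_IDENTIFIERS = {"name", "street", "phone", "email", "ssn", "mrn", "ip"}
# Geography below state level: dropped for Safe Harbor, kept in an LDS.
SUB_STATE_GEO = {"city", "zip"}

def age_on(dob, as_of):
    """Whole years between dob and as_of."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))

def safe_harbor(rec, as_of=date(2024, 3, 15)):
    """Safe Harbor: strip direct identifiers and sub-state geography,
    keep only the year of dates, and aggregate ages over 89 as '90+'."""
    out = {}
    for k, v in rec.items():
        if k in DIRECT_IDENTIFIERS or k in SUB_STATE_GEO:
            continue
        if k == "dob":
            age = age_on(v, as_of)
            if age > 89:
                out["age"] = "90+"   # birth year would reveal the age, so drop it
            else:
                out["birth_year"] = v.year
        elif isinstance(v, date):
            out[k] = v.year          # year only
        else:
            out[k] = v
    return out

def limited_data_set(rec):
    """LDS: direct identifiers removed; dates and city/state/ZIP retained."""
    return {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}

def assign_reid_code(rec, key_store):
    """Random code not derived from the record; mapping kept in key_store."""
    code = secrets.token_hex(8)
    key_store[code] = rec["mrn"]
    return code
```

The LDS output still carries dates and city/ZIP, which is why it may only leave the organization under a Data Use Agreement; the key_store must live apart from the released data.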

Key takeaways

  • Use de-identified data when possible to remove Privacy Rule constraints entirely.
  • When detail is needed, an LDS plus a solid Data Use Agreement balances utility with privacy.

FAQs

What information qualifies as Protected Health Information under 45 CFR 164.501?

PHI is individually identifiable health information created, received, maintained, or transmitted by a covered entity or business associate that relates to a person’s health, care, or payment for care. If it can identify the person—directly or reasonably—it is PHI, unless it is de-identified under HIPAA, an education record under FERPA, or an employment record held by an employer.

How is a Covered Entity defined by HIPAA?

Covered entities include health plans, health care clearinghouses, and health care providers who conduct HIPAA-standard electronic transactions (for example, claims or eligibility checks). Correctly recognizing these categories is essential for Covered Entity Compliance.

What responsibilities do Business Associates have under the HIPAA Privacy Rule?

Business associates must use and disclose PHI only as permitted by their Business Associate Agreements, safeguard PHI with appropriate controls, report breaches, ensure subcontractors follow the same rules, and cooperate with compliance reviews. They are directly liable for violations related to their handling of PHI.

What does the Minimum Necessary standard require for PHI disclosures?

It requires limiting uses, disclosures, and requests to the least PHI reasonably needed for the purpose, with role-based access, standardized request scopes, and data minimization. It does not apply to treatment, disclosures to the individual, uses with a valid authorization, disclosures required by law, or disclosures to HHS for compliance review.
