Defining Individually Identifiable Health Information Under HIPAA


Kevin Henry

HIPAA

January 01, 2024


Definition of Individually Identifiable Health Information

Under the HIPAA Privacy Rule, Individually Identifiable Health Information (IIHI) is any health-related information that relates to your past, present, or future health, the provision of health care, or payment for care, and that identifies you or could reasonably be used to identify you. It can exist in electronic, paper, or oral form.

What it covers

  • Past, present, or future physical or mental health or condition.
  • Provision of health care to you.
  • Past, present, or future payment for your health care.

IIHI includes demographic details such as address, dates, and contact points. It may be created or received by a health care provider, health plan, employer, or health care clearinghouse. It becomes Protected Health Information (PHI) when handled by Covered Entities or their Business Associates.

Covered Entities Under HIPAA

Covered Entities are the organizations directly regulated by HIPAA. They include health plans, health care clearinghouses, and health care providers who transmit health information electronically in connection with standardized transactions.

  • Health plans: insurers, HMOs, Medicare, Medicaid, and most employer-sponsored group health plans.
  • Health care providers: clinicians, hospitals, and others who conduct HIPAA-standard electronic transactions.
  • Health care clearinghouses: entities that process nonstandard information into standard formats and vice versa.

Business Associates

Business Associates are vendors or partners that create, receive, maintain, or transmit PHI for a Covered Entity. They are directly accountable under HIPAA and must enter into Business Associate Agreements.

  • Examples: billing services, EHR and practice management vendors, cloud storage providers, claims processors, analytics firms, and telehealth platforms.

Protected Health Information Characteristics

Protected Health Information (PHI) is IIHI created, received, maintained, or transmitted by a Covered Entity or Business Associate. PHI spans electronic PHI (ePHI), paper records, and spoken information.

Key characteristics

  • Governed by the HIPAA Privacy Rule’s permitted uses and disclosures and the “minimum necessary” standard.
  • Individuals have rights to access, obtain copies, request amendments, receive an accounting of disclosures, and request restrictions or confidential communications.
  • Electronic PHI must be safeguarded under the HIPAA Security Rule with administrative, physical, and technical controls.

When IIHI is not PHI

IIHI held outside the HIPAA context—such as by a consumer health app that is not a Business Associate—may still identify you but is not PHI. Other laws may apply, but HIPAA would not.

Exclusions from Protected Health Information

Some information falls outside PHI and therefore outside HIPAA protections. Recognizing these exclusions helps you determine which rules apply.

De-Identification of Health Information

HIPAA provides two De-Identification Standards that render data no longer PHI: Safe Harbor and Expert Determination. Each path aims to minimize re-identification risk while preserving data utility.

Safe Harbor method: remove these identifiers

  • Names.
  • All geographic subdivisions smaller than a state, including street address, city, county, precinct, and ZIP code (except the first three digits may be kept when the combined area has at least 20,000 people; otherwise replace with 000).
  • All elements of dates (except year) directly related to an individual, including birth, admission, discharge, and death dates; ages over 89 must be combined into a single “90 or older” category.
  • Telephone numbers.
  • Fax numbers.
  • Email addresses.
  • Social Security numbers.
  • Medical record numbers.
  • Health plan beneficiary numbers.
  • Account numbers.
  • Certificate/license numbers.
  • Vehicle identifiers and serial numbers, including license plate numbers.
  • Device identifiers and serial numbers.
  • Web URLs.
  • IP addresses.
  • Biometric identifiers (for example, finger and voice prints).
  • Full-face photographs and comparable images.
  • Any other unique identifying number, characteristic, or code (with limited re-identification code exceptions).
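As an added illustration (not code from the article or from Accountable), the following Python sketch applies the Safe Harbor transformations listed above to a constructed patient record: direct identifiers are dropped, ZIP codes are truncated or zeroed using the article's "at least 20,000 people" threshold, dates keep only the year, ages over 89 collapse into "90 or older", and common identifier patterns are scrubbed from free text. The field names, the ZIP-prefix population table and the regular expressions are assumptions.

```python
import re
from datetime import date

# Constructed population figures for 3-digit ZIP prefixes (not census data);
# a real implementation would load current census counts for every prefix.
ZIP3_POPULATION = {"021": 1_200_000, "036": 19_500, "900": 2_000_000}
# Field names treated as direct identifiers and dropped outright (assumed schema).
DIRECT_IDENTIFIERS = {"name", "mrn", "ssn", "phone", "fax", "email", "account_number"}
# Identifiers that tend to hide inside free-text notes (SSN pattern runs first).
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b(?:\d{3}[-.\s]?)?\d{3}[-.\s]\d{4}\b"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[EMAIL]"),
]

def safe_harbor_zip(zip_code: str) -> str:
    # Keep the 3-digit prefix only if its combined area has at least 20,000 people.
    prefix = zip_code[:3]
    return prefix if ZIP3_POPULATION.get(prefix, 0) >= 20_000 else "000"

def safe_harbor_age(age: int) -> str:
    # Ages over 89 collapse into the single "90 or older" category.
    return "90 or older" if age >= 90 else str(age)

def scrub_free_text(text: str) -> str:
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text

def deidentify_record(record: dict) -> dict:
    """Apply the Safe Harbor transformations field by field."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # direct identifier: removed entirely
        if key == "zip":
            out[key] = safe_harbor_zip(value)
        elif key == "age":
            out[key] = safe_harbor_age(value)
        elif isinstance(value, date):
            out[key] = str(value.year)  # every date element except the year goes
        else:  # other strings get free-text scrubbing; other values pass through
            out[key] = scrub_free_text(value) if isinstance(value, str) else value
    return out

SAMPLE_RECORD = {  # constructed sample record; not a real patient
    "name": "Jane Example", "mrn": "MRN-000123", "zip": "02134", "age": 92,
    "birth_date": date(1931, 5, 17), "admission_date": date(2024, 1, 9),
    "diagnosis_code": "E11.9", "note": "Call 555-0100 or jane@example.com.",
}
```

Safe Harbor also requires no actual knowledge that the remaining fields could identify the individual, which no field-level filter can check for you; that judgement and the census-based ZIP table are the parts a practitioner must supply.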

Expert Determination method

A qualified expert applies accepted techniques to determine that the risk of re-identification is very small. The expert documents the methods and results and recommends controls to maintain that low risk over time.

Re-identification codes and Limited Data Set

You may assign a code that allows re-linking de-identified data if the code is not derived from information about the individual and the key is stored separately. A Limited Data Set removes direct identifiers but remains PHI; it can be used for research, public health, or health care operations under a Data Use Agreement.

Examples of Identifiable Health Information

  • An electronic health record note containing your name, medical record number, and diagnosis.
  • A laboratory report with specimen ID, collection timestamp, and the ordering provider tied to your account.
  • A health plan Explanation of Benefits showing member ID, dates of service, and treatment codes.
  • A prescription label listing your name, address, and prescription number.
  • Clinical images that display your full face or distinctive tattoos.
  • Location traces from a wearable linked to your patient portal account along with symptom logs supplied to a provider.
  • Discharge paperwork with admission and discharge dates linked to you and your facility.

Relevance of Individually Identifiable Information to Research

For research, whether data are Individually Identifiable Health Information determines the need for consent and oversight. If PHI is involved, you typically need individual authorization or an Institutional Review Board/Privacy Board waiver.

  • De-identified data are not PHI and may be used without authorization, subject to ethical and contractual commitments.
  • A Limited Data Set may be used for research under a Data Use Agreement that restricts recipients, purposes, and re-disclosure.
  • Preparatory-to-research reviews allow you to examine PHI on-site to design a study without removing PHI from the Covered Entity.
  • Research solely on decedents’ information is permitted with appropriate representations; information about individuals who have been deceased for more than 50 years is not PHI.
  • The minimum necessary standard applies: access only the least amount of PHI needed for your research purpose.

Conclusion

Understanding how HIPAA defines Individually Identifiable Health Information, who qualifies as a Covered Entity or Business Associate, and how De-Identification Standards operate helps you use data responsibly. Apply the Privacy Rule, remove identifiers when feasible, and choose the right pathway—authorization, waiver, Limited Data Set, or de-identified data—to advance research while protecting privacy.

FAQs

What constitutes individually identifiable health information under HIPAA?

It is any health-related information that relates to your health, care, or payment for care and that identifies you or could reasonably identify you. It includes demographic details and can exist in electronic, paper, or oral form.

How does HIPAA define protected health information?

Protected Health Information (PHI) is Individually Identifiable Health Information created, received, maintained, or transmitted by a Covered Entity or its Business Associate in any form or medium. PHI is governed by the HIPAA Privacy Rule and, for electronic PHI, the Security Rule.

What information is excluded from PHI protections?

Exclusions include de-identified data meeting HIPAA standards, education and treatment records covered by the Family Educational Rights and Privacy Act, employment records held by a Covered Entity in its role as employer, information about individuals deceased for more than 50 years, and health information maintained solely by non–Covered Entities or non–Business Associates.

How is health information de-identified under HIPAA?

HIPAA allows two methods: Safe Harbor (remove 18 specified identifiers and have no actual knowledge that remaining data could identify someone) and Expert Determination (a qualified expert documents that the risk of re-identification is very small and specifies safeguards). De-identified data are not PHI.
