HIPAA Definition of Individually Identifiable Health Information (IIHI): What’s Included and What Isn’t
If you handle health data, understanding the HIPAA definition of Individually Identifiable Health Information (IIHI) is foundational. This guide clarifies what qualifies as IIHI, how it becomes Protected Health Information (PHI), what falls outside PHI, how de-identification works, and the practical steps you must take to comply under the Health Information Privacy Rule.
Definition of Individually Identifiable Health Information
Individually Identifiable Health Information (IIHI) is a subset of health information—including demographic details—that relates to an individual’s past, present, or future physical or mental health, the provision of care, or payment for care, and either directly identifies the person or could reasonably be used to identify them. IIHI can exist in any form: electronic, paper, or oral.
Key criteria
- Content: clinical facts, billing data, demographics, and other details linked to health, care, or payment.
- Identifiability: either explicitly names the individual or contains elements reasonably enabling identification.
- Origin: commonly created or received by a health care provider, health plan, employer, school, or clearinghouse.
Practical examples
- A lab result with a patient’s name or medical record number.
- An insurance claim with subscriber ID and dates of service.
- A discharge summary listing diagnosis, birth date, and address.
Scope of Health Information
“Health information” under HIPAA is broad. It covers any information about health status, care delivery, or payment generated or received by organizations such as providers, health plans, employers, public health authorities, schools, or universities. The scope includes EHR data, images, claims, care management notes, call recordings, and even voicemails.
IIHI vs. health information vs. PHI
- Health information: any health-related data, identifiable or not.
- IIHI: the identifiable portion of health information linked to a person.
- PHI: IIHI when it is created, received, maintained, or transmitted by a Covered Entity or its Business Associate.
Protected Health Information Explained
Protected Health Information (PHI) is IIHI maintained or transmitted by a Covered Entity (health plan, most health care providers, or a health care clearinghouse) or by a Business Associate acting for such an entity. PHI includes paper records, spoken information, and electronic PHI (ePHI). Under the Health Information Privacy Rule, PHI may generally be used or disclosed for treatment, payment, and health care operations without authorization, subject to the minimum necessary standard for payment and operations.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Essential implications
- PHI status depends on who holds the information and for what purpose—not just the content.
- Limited Data Sets are still PHI and require a Data Use Agreement, even though certain direct identifiers are removed.
- Consumer-generated health data held by an app that is not a Covered Entity or Business Associate may be IIHI but is not PHI unless handled on behalf of a Covered Entity.
Exclusions from PHI
Some information, even if health-related or identifiable, is excluded from PHI under HIPAA.
- Education records and certain student treatment records protected by the Family Educational Rights and Privacy Act (FERPA).
- Employment records held by a Covered Entity in its role as employer (for example, workplace injury logs or leave requests).
- De-identified information meeting HIPAA’s De-Identification Standards.
- Records of individuals deceased for more than 50 years.
- Health information held solely by entities that are neither Covered Entities nor Business Associates (unless they are acting on behalf of a Covered Entity).
De-Identification of Health Information
HIPAA provides two De-Identification Standards. Once IIHI is properly de-identified, it is no longer PHI and may be used or shared outside HIPAA, provided no re-identification occurs.
1) Safe Harbor method (remove 18 identifiers)
Remove all of the following and have no actual knowledge that the remaining data could identify the person:
- Names
- All geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code; limited three-digit ZIP allowed under specific conditions)
- All elements of dates (except year) related to an individual; ages over 89 aggregated into “90 or older”
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and license plates
- Device identifiers and serial numbers
- Web URLs
- IP address numbers
- Biometric identifiers (for example, finger or voice prints)
- Full-face photographs and comparable images
- Any other unique identifying number, characteristic, or code (except a permitted re-identification code stored separately)
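The Safe Harbor pass described above, as an added worked example (this is not code from the original article or from Accountable): a Python function that drops the direct-identifier fields from a structured record, reduces dates to year only, collapses ages over 89 (including a birth year that would imply such an age) into "90 or older", truncates ZIP codes to three digits and reports 000 for the restricted low-population ZIP3 areas, scans free-text notes for residual identifiers so the "no actual knowledge" condition is not silently violated, and issues a random re-identification code that is stored separately from the released data rather than derived from it. The field names, the sample record, the reference date and the restricted-ZIP set are constructed assumptions for this example; the real restricted set comes from HHS guidance and current census data.

```python
import re
import secrets
from datetime import date

# Direct identifiers Safe Harbor removes outright. Field names are constructed
# for this example; map them onto your own schema.
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_plate", "device_serial", "url", "ip_address",
    "fingerprint_template", "photo",
})
# Date fields are reduced to year only.
DATE_FIELDS = frozenset({"birth_date", "admit_date", "discharge_date", "death_date"})

# Constructed placeholder: in practice load the three-digit ZIP areas with
# 20,000 or fewer residents from HHS guidance / current census data.
RESTRICTED_ZIP3_EXAMPLE = frozenset({"036", "059"})
AS_OF_EXAMPLE = date(2024, 1, 1)  # constructed reference date for age computation

# Identifiers that commonly leak into free text; these patterns catch the
# obvious formats only, so a match means "reject and review", not "clean".
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}


def generalize_zip(zip_code, restricted_zip3):
    """Keep the first three digits, or 000 for restricted low-population areas."""
    zip3 = str(zip_code)[:3]
    return "000" if zip3 in restricted_zip3 else zip3


def generalize_age(age):
    """Ages over 89 collapse into a single category."""
    return "90 or older" if age > 89 else age


def age_on(birth_date, as_of):
    """Completed years between an ISO birth date and the reference date."""
    bd = date.fromisoformat(birth_date)
    return as_of.year - bd.year - ((as_of.month, as_of.day) < (bd.month, bd.day))


def scan_free_text(text):
    """Return the identifier types whose patterns appear in free text."""
    return sorted(name for name, pat in FREE_TEXT_PATTERNS.items() if pat.search(text))


def safe_harbor_deidentify(record, restricted_zip3, as_of, reid_store=None):
    """Return a Safe Harbor de-identified copy of `record`.

    If `reid_store` (a dict kept separately from the released data) is given,
    a random code is issued and mapped to the original MRN there; the code is
    not derived from the record, as the re-identification provision requires.
    """
    out = {}
    age = age_on(record["birth_date"], as_of) if "birth_date" in record else None
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # dropped entirely
        if key == "zip":
            out["zip3"] = generalize_zip(value, restricted_zip3)
        elif key == "age":
            out["age"] = generalize_age(value)
        elif key in DATE_FIELDS:
            # A birth year that implies an age over 89 is itself identifying.
            if key == "birth_date" and age is not None and age > 89:
                out["birth_year"] = "90 or older"
            else:
                out[key.replace("_date", "_year")] = date.fromisoformat(value).year
        elif key == "notes":
            found = scan_free_text(value)
            if found:  # "no actual knowledge" fails if identifiers remain
                raise ValueError(f"residual identifiers in notes: {found}")
            out[key] = value
        else:
            out[key] = value
    if reid_store is not None and "mrn" in record:
        code = secrets.token_hex(8)
        reid_store[code] = record["mrn"]
        out["reid_code"] = code
    return out


# Constructed sample record for demonstration.
SAMPLE_RECORD = {
    "mrn": "MRN-0001234",
    "name": "Jane Example",
    "birth_date": "1931-06-15",
    "admit_date": "2023-11-02",
    "zip": "03601",
    "age": 92,
    "diagnosis_code": "E11.9",
    "notes": "Stable on metformin; follow up in 3 months.",
}

if __name__ == "__main__":
    store = {}
    print(safe_harbor_deidentify(SAMPLE_RECORD, RESTRICTED_ZIP3_EXAMPLE, AS_OF_EXAMPLE, store))
    print("re-identification map (kept separately):", store)
```

The output record keeps only the admission year, a three-digit ZIP (here 000, because the constructed restricted set contains 036), the "90 or older" category in place of both the age and the birth year, the diagnosis code and the notes; the re-identification map never travels with the released data. Structured fields are the easy part: the free-text scan is deliberately conservative and rejects the record rather than attempting to scrub it, because a missed identifier in a note defeats Safe Harbor for the whole record.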
2) Expert Determination method
A qualified expert applies accepted statistical or scientific principles to determine that the risk of re-identification is very small, documents the methods and results, and sets controls to maintain that low risk as data uses evolve.
Limited Data Set (LDS)
An LDS removes specified direct identifiers but may retain elements like dates and general geography (city, state, ZIP). It remains PHI and requires a Data Use Agreement detailing permitted uses, safeguards, and no re-identification.
Compliance Requirements Under HIPAA
If you are a Covered Entity or Business Associate, you must implement administrative, physical, and technical safeguards; honor individual rights; and manage vendors and data flows consistent with the Health Information Privacy Rule and Security Rule.
Core obligations
- Determine your role: Covered Entity, Business Associate, or both; document Business Associate Agreements.
- Apply the minimum necessary standard for payment and operations; allow appropriate access for treatment.
- Publish and follow a Notice of Privacy Practices; support access, amendment, and accounting of disclosures.
- Conduct risk analyses; implement role-based access, encryption, auditing, and incident response for ePHI.
- Train your workforce; maintain policies, sanctions, and records retention.
- Use Data Use Agreements for Limited Data Sets; manage re-identification codes separately and securely.
- Perform breach notification when required; evaluate state laws that may impose stricter protections.
Conclusion
In short, IIHI is identifiable health-related data; it becomes PHI when handled by a Covered Entity or Business Associate. Know what’s excluded, apply HIPAA’s De-Identification Standards when appropriate, and operationalize the Privacy and Security Rules to protect individuals while enabling responsible data use.
FAQs
What constitutes individually identifiable health information under HIPAA?
IIHI is health-related information, including demographics, that relates to a person’s condition, care, or payment and either identifies them or could reasonably be used to identify them, regardless of whether it is electronic, paper, or oral.
How does HIPAA define protected health information?
PHI is IIHI maintained or transmitted by a Covered Entity or its Business Associate. It spans all formats and is governed by the Health Information Privacy Rule, which sets rules for uses, disclosures, and individual rights.
What types of information are excluded from PHI?
Education records protected by the Family Educational Rights and Privacy Act (including certain student treatment records), employment records held by an employer, properly de-identified data, records of individuals deceased for more than 50 years, and health information held solely by entities that are not Covered Entities or Business Associates.
How does de-identification affect HIPAA compliance?
Once data meet HIPAA’s de-identification standard—either via Safe Harbor (removal of 18 identifiers) or Expert Determination—they are no longer PHI under HIPAA. However, you must prevent re-identification and remember that Limited Data Sets remain PHI and require a Data Use Agreement.