HIPAA Definition: What Is Individually Identifiable Health Information (IIHI)?
Overview of Individually Identifiable Health Information
Plain-language definition
Individually Identifiable Health Information (IIHI) is any health-related data that can identify you—or could reasonably be used to identify you—such as your name with a lab result, a claim tied to your address, or imaging linked to your medical record number. When IIHI is created, received, maintained, or transmitted by a HIPAA covered entity or its business associate, it becomes Protected Health Information (PHI) subject to the HIPAA Privacy Rule.
IIHI, PHI, and de-identified data
IIHI is the broader concept; PHI is IIHI held by regulated organizations. De-identified data, by contrast, has been processed under HIPAA's de-identification standard (Safe Harbor or Expert Determination) so that identifiers are removed or the re-identification risk is shown to be very small, and it is no longer PHI. Understanding how IIHI becomes PHI, and how PHI can be de-identified, is foundational to privacy compliance, confidentiality safeguards, and health information portability.
Who handles IIHI
Covered entities include health care providers conducting standard electronic transactions, health plans, and health care clearinghouses. Business associates are vendors or partners that handle PHI on their behalf. These organizations must meet strict requirements before collecting, storing, or sharing IIHI.
Criteria for IIHI under HIPAA
Core elements
- Source and context: The information is created or received by a provider, plan, employer, or clearinghouse, or by a business associate acting for them.
- Subject matter: It relates to your past, present, or future physical or mental health or condition; the provision of health care to you; or payment for that care.
- Identifiability: It either directly identifies you or there is a reasonable basis to believe it can be used to identify you.
Key exclusions (carved out of PHI)
- De-identified information meeting HIPAA's standards.
- Employment records held by a covered entity in its capacity as an employer.
- Education records protected by FERPA and certain other student records.
- Health information about a person who has been deceased for more than 50 years.
Whether a dataset is IIHI often depends on context. A diagnosis code alone may not identify you, but paired with a rare procedure and small geographic area, it can.
Types of Protected Health Information
Common categories of PHI
- Direct identifiers: names, contact details, and unique numbers.
- Demographic and quasi-identifiers: dates, locations, and characteristics that can combine to identify you.
- Clinical content: notes, images, lab results, prescriptions, and diagnostic codes.
- Administrative and financial data: claims, remittances, and account records.
- Biometric, genetic, and device data: fingerprints, sequencing results, device serials, and telemetry.
HIPAA's 18 Safe Harbor identifiers
- Names
- Geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code, and equivalent geocodes); the first three digits of a ZIP code may be kept only when the area sharing that prefix has more than 20,000 people, otherwise it becomes 000
- All elements of dates except the year (birth, admission, discharge, death dates), and any age over 89 or date element that reveals such an age, unless those ages are aggregated into a single 90-or-older category
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plates
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers (e.g., finger and voice prints)
- Full-face photographs and comparable images
- Any other unique identifying number, characteristic, or code
Removing all 18 is necessary but not sufficient: Safe Harbor also requires that the covered entity have no actual knowledge that the remaining information could be used to identify the individual.
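The Safe Harbor transformation above, and the residual risk described earlier (a diagnosis alone is harmless, but paired with a small area or an unusual age it can single someone out), as an added example that is not code from the original page. It applies the date, ZIP and over-89 rules to structured records, drops the direct identifiers, and then checks how many records share each combination of the quasi-identifiers that survive. The field names, the ZIP3 population table and the four patients are constructed for the example; real ZIP3 population figures come from Census data.

```python
"""Safe Harbor de-identification of structured records, then a k-anonymity
check on the quasi-identifiers that Safe Harbor leaves in place.

Added illustration, not code from the original page. The field names, the
ZIP3 population table and the four patients are constructed for the example;
real ZIP3 populations come from Census data.
"""
from collections import Counter
from datetime import date

# Fields Safe Harbor removes outright: names, contact details, unique numbers,
# vehicle/device identifiers, URLs, IP addresses, biometrics and photographs.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "beneficiary_id", "account_no", "license_no", "vehicle_id", "device_id",
    "url", "ip", "biometric", "photo",
}

# Constructed population counts for the ZIP3 areas used below. Safe Harbor keeps
# a three-digit ZIP prefix only when its area holds more than 20,000 people.
ZIP3_POPULATION = {"021": 650_000, "597": 12_000}


def generalize_zip(zip_code, zip3_population):
    """Return the ZIP3 prefix if its area exceeds 20,000 people, else '000'."""
    zip3 = str(zip_code)[:3]
    return zip3 if zip3_population.get(zip3, 0) > 20_000 else "000"


def generalize_birth_date(birth_date, as_of):
    """Keep only the birth year; for anyone over 89 suppress the year as well
    and report a single '90+' bucket, because the year would reveal the age."""
    age = as_of.year - birth_date.year - (
        (as_of.month, as_of.day) < (birth_date.month, birth_date.day)
    )
    return (None, "90+") if age > 89 else (birth_date.year, None)


def safe_harbor(record, as_of, zip3_population=ZIP3_POPULATION):
    """Apply the Safe Harbor rules to one record and return a new dict."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue  # dropped entirely
        if field == "zip":
            out["zip3"] = generalize_zip(value, zip3_population)
        elif field == "birth_date":
            out["birth_year"], out["age_bucket"] = generalize_birth_date(value, as_of)
        elif isinstance(value, date):
            out[field] = value.year  # every date element except the year goes
        else:
            out[field] = value  # sex, diagnosis and other clinical content stay
    return out


def small_equivalence_classes(records, quasi_identifiers, k):
    """Return records whose quasi-identifier combination is shared by fewer
    than k records: the ones a linkage attack can still single out."""
    def key(r):
        return tuple(r.get(q) for q in quasi_identifiers)
    sizes = Counter(key(r) for r in records)
    return [r for r in records if sizes[key(r)] < k]


# Constructed, fictional sample patients.
PATIENTS = [
    {"name": "Alice Example", "mrn": "MRN-1001", "zip": "02134", "sex": "F",
     "birth_date": date(1980, 5, 2), "admit_date": date(2024, 3, 10), "dx": "E11.9"},
    {"name": "Bea Example", "mrn": "MRN-1002", "zip": "02138", "sex": "F",
     "birth_date": date(1980, 11, 20), "admit_date": date(2024, 4, 1), "dx": "E11.9"},
    {"name": "Cara Example", "mrn": "MRN-1003", "zip": "02139", "sex": "F",
     "birth_date": date(1980, 1, 1), "admit_date": date(2024, 2, 14), "dx": "E11.9"},
    {"name": "Dan Example", "mrn": "MRN-1004", "zip": "59701", "sex": "M",
     "birth_date": date(1931, 7, 4), "admit_date": date(2024, 5, 9), "dx": "C25.9"},
]
QUASI_IDENTIFIERS = ("zip3", "birth_year", "age_bucket", "sex", "dx")


def deidentify_and_check(patients=PATIENTS, as_of=date(2024, 6, 1), k=3):
    """De-identify every record, then flag any still in a class smaller than k."""
    deid = [safe_harbor(p, as_of) for p in patients]
    return deid, small_equivalence_classes(deid, QUASI_IDENTIFIERS, k)


if __name__ == "__main__":
    deid, risky = deidentify_and_check()
    for r in deid:
        print(r)
    print("records still unique or near-unique after Safe Harbor:", risky)
```

Running it shows the point of the caveat: the three diabetes patients in the 021 area collapse into one class of size 3, but the fourth record, even with its ZIP reduced to 000 and its birth year suppressed, is the only 90-or-older male with that diagnosis and is flagged. Safe Harbor makes the dataset compliant; whether it is safe to release is a separate judgement that the k-anonymity check informs.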
Importance of IIHI in Privacy Compliance
Correctly classifying IIHI enables you to apply the HIPAA Privacy Rule and Security Rule precisely, meeting minimum necessary standards and preventing over-collection. It also guides when Patient Authorization Requirements apply and when disclosures are permitted for treatment, payment, and health care operations without authorization.
Accurate handling of IIHI builds trust, reduces breach risk, and supports health information portability—your ability to obtain, use, and direct your health records across providers and apps. It also underpins analytics programs by signaling when Data De-identification Standards must be used to remove identifiers or create a limited data set.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Regulatory Requirements for Handling IIHI
HIPAA Privacy Rule
- Use and disclosure: Allowed for treatment, payment, and health care operations (TPO) and for certain public policy purposes; other uses require patient authorization.
- Minimum necessary: Limit uses/disclosures/requests to the least amount needed, except for treatment and certain other scenarios.
- Patient rights: Access, amendment, accounting of disclosures, restrictions, and confidential communications.
- Notices and documentation: Provide a Notice of Privacy Practices and maintain policies, procedures, and workforce training.
Security Rule (ePHI)
- Administrative safeguards: Risk analysis, risk management, sanctions, workforce training, and contingency plans.
- Physical safeguards: Facility access controls, device/media controls, and workstation security.
- Technical safeguards: Access controls, authentication, audit controls, transmission security (e.g., encryption), and integrity protections.
Patient Authorization Requirements
- Authorization is generally required for uses and disclosures beyond TPO, including most marketing, any sale of PHI, and most uses and disclosures of psychotherapy notes.
- Valid authorization must describe the information, purpose, recipient, expiration, and revocation rights.
Breach Notification Rule
- Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption or destruction consistent with HHS guidance; the loss of properly encrypted data whose key was not also exposed is not a reportable breach.
- Any impermissible use or disclosure of unsecured PHI is presumed to be a breach unless a documented risk assessment demonstrates a low probability that the PHI has been compromised.
- Notifications go to affected individuals without unreasonable delay and no later than 60 calendar days after discovery; HHS must also be notified, and for breaches affecting more than 500 residents of a state or jurisdiction, prominent media outlets as well, each on prescribed timelines.
Business associates and contracts
Before sharing IIHI/PHI with vendors, covered entities must execute a Business Associate Agreement that sets permitted uses, safeguards, and breach reporting obligations.
Risk Assessment and Safeguards for IIHI
Risk assessment essentials
- Inventory data: Map where IIHI and ePHI are collected, stored, processed, and transmitted.
- Classify sensitivity: Distinguish direct identifiers, quasi-identifiers, and clinical content.
- Analyze threats: Evaluate likelihood and impact across people, processes, and technology.
- Document findings: Record risks, owners, and remediation plans; review periodically and upon major changes.
Confidentiality safeguards in practice
- Access controls: Role-based access, strong authentication, least privilege, and session timeouts.
- Encryption: Protect ePHI at rest and in transit, and manage keys separately from the data they protect; encryption consistent with HHS guidance renders ePHI "secured," so losing an encrypted device whose key stayed safe does not trigger breach notification.
- Data lifecycle: Retention limits, secure disposal, and data minimization.
- Monitoring: Audit logs, anomaly detection, and data loss prevention for exfiltration risks.
- Vendor oversight: Due diligence, Business Associate Agreements, and continuous monitoring.
- De-identification: Apply Safe Harbor or Expert Determination when sharing for research or operations without PHI.
- Incident response: Prepare, detect, contain, investigate, notify, and learn from events.
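The inventory step above (finding where IIHI actually lives, which in practice includes places it should not, such as application logs) and the monitoring bullet (data loss prevention for exfiltration) both come down to recognizing direct identifiers in unstructured text. The following is an added example, not code from the page or from any vendor it mentions: it scans constructed log lines for Safe Harbor identifier patterns, rejects SSN-shaped numbers the SSA never issues to cut false positives, and distinguishes a bare identifier from an identifier sitting next to health or payment context. The regular expressions, the institutional MRN format and the sample lines are assumptions to be tuned to the formats your own systems emit.

```python
"""Flag direct identifiers in unstructured text so that logs, exports and
outbound messages carrying ePHI can be inventoried or blocked.

Added illustration, not code from the original page. The patterns, the
institutional MRN format and the sample log lines are constructed assumptions.
"""
import re

PATTERNS = {
    "ssn": re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"\b(?:\+1[ -]?)?\(?\d{3}\)?[ -]?\d{3}-\d{4}\b"),
    # Assumed institutional format: the letters MRN, optional separator, 6-8 digits.
    "mrn": re.compile(r"\bMRN[- ]?\d{6,8}\b", re.IGNORECASE),
}

# Words suggesting the line concerns health status, care or payment, i.e. that an
# identifier on it is tied to health information rather than standing alone.
HEALTH_CONTEXT = re.compile(
    r"\b(?:diagnos|dx|lab|result|rx|prescri|admit|discharge|icd|claim|payment|eligib)",
    re.IGNORECASE,
)


def plausible_ssn(area, group, serial):
    """Reject numbers the SSA never issues (area 000, 666 or 900-999; group 00;
    serial 0000) so order numbers shaped like SSNs do not raise alerts."""
    a, g, s = int(area), int(group), int(serial)
    return not (a == 0 or a == 666 or a >= 900 or g == 0 or s == 0)


def find_identifiers(text):
    """Return {kind: [matches]} for every identifier pattern found in text."""
    hits = {}
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            if kind == "ssn" and not plausible_ssn(*match.groups()):
                continue
            hits.setdefault(kind, []).append(match.group(0))
    return hits


def classify_line(line):
    """'phi' when an identifier appears next to health or payment context,
    'identifier' when an identifier appears alone, 'none' otherwise."""
    identifiers = find_identifiers(line)
    if identifiers and HEALTH_CONTEXT.search(line):
        level = "phi"
    elif identifiers:
        level = "identifier"
    else:
        level = "none"
    return {"level": level, "identifiers": identifiers}


# Constructed sample log lines; the people and numbers are fictional.
SAMPLE_LOG = [
    "2024-05-09T14:02:11Z INFO  portal  login ok user=jdoe ip=10.0.4.17",
    "2024-05-09T14:02:48Z DEBUG labs    result ready mrn=MRN-00481923 test=HbA1c value=9.1",
    "2024-05-09T14:03:02Z ERROR billing claim rejected ssn=123-45-6789 reason=eligibility",
    "2024-05-09T14:03:30Z INFO  notify  sent reminder to alice.example@example.com re: Rx refill",
    "2024-05-09T14:04:10Z INFO  orders  order 000-12-3456 shipped",
]


def scan(lines=SAMPLE_LOG):
    """Classify each line; returns [(line, classification)] for review or blocking."""
    return [(line, classify_line(line)) for line in lines]


if __name__ == "__main__":
    for line, result in scan():
        if result["level"] != "none":
            print(result["level"].upper(), result["identifiers"], "<-", line[:60])
```

On the sample, the lab, billing and notification lines are classified as PHI (an MRN beside a lab result, an SSN on a claim, an email address beside a prescription reminder), while the login line and the order number that merely looks like an SSN are not flagged. Note that IP addresses are also a Safe Harbor identifier; they are left out of the patterns here because nearly every log line carries one, so how to treat them is a policy decision for the inventory rather than something a scanner can decide.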
Impact of IIHI on Patient Rights
Your rights under the HIPAA Privacy Rule
- Access and copies: Receive access to PHI generally within 30 days of the request (one 30-day extension is permitted), including electronic copies where the records are maintained electronically.
- Directed sharing and portability: Direct a covered entity to send a copy to a third party, enabling practical health information portability.
- Amendment: Request corrections to inaccurate or incomplete records.
- Restrictions: Ask to limit certain disclosures; providers must honor restrictions to a health plan for services paid out-of-pocket in full.
- Confidential communications: Request alternative contact methods or locations.
- Accounting of disclosures: Obtain a record of certain non-routine disclosures.
- Complaints: File concerns with the provider/plan or with regulators without retaliation.
Conclusion
IIHI is the linchpin of HIPAA compliance. By recognizing when health data is identifiable, applying the HIPAA Privacy Rule and Security Rule, honoring Patient Authorization Requirements, and using strong confidentiality safeguards, organizations protect individuals while enabling responsible data use and portability.
FAQs
What constitutes individually identifiable health information under HIPAA?
IIHI is health-related information that identifies you—or could reasonably be used to identify you—and that relates to your health status, care, or payment for care. Examples include a lab result with your name, a claim tied to your address, or imaging linked to your medical record number. When a covered entity or its business associate holds IIHI, it is PHI and subject to HIPAA protections.
How does HIPAA define protected health information?
Protected Health Information (PHI) is IIHI that is created, received, maintained, or transmitted by a covered entity or business associate in any form or medium. PHI excludes properly de-identified data, certain employment records, and education records under FERPA.
What are the privacy safeguards for IIHI?
Safeguards span administrative, physical, and technical controls: risk analysis and training; facility and device protections; and access controls, authentication, audit logging, and encryption. The HIPAA Privacy Rule adds minimum necessary limits and Patient Authorization Requirements, while the Security Rule focuses on protecting ePHI. De-identification reduces risk when sharing data for research or operations.
What are the consequences of mishandling IIHI?
Consequences can include mandatory notifications under the Breach Notification Rule, corrective action plans, civil monetary penalties, contractual liability, reputational damage, and—in egregious cases—criminal penalties. Robust risk assessments, confidentiality safeguards, and workforce training are essential to reduce exposure.