What Information the HIPAA Privacy Rule Protects: Practical Compliance Checklist


Kevin Henry

HIPAA

March 03, 2025

5 minutes read

Overview of Individually Identifiable Health Information

Under the HIPAA Privacy Rule, protected health information (PHI) is a subset of individually identifiable health information that relates to an individual’s past, present, or future physical or mental health or condition, the provision of care, or payment for care. PHI includes data that identifies a person or could reasonably be used to identify them.

Use this quick test: if the information concerns health, care, or payment and contains identifiers (direct or indirect), you should treat it as PHI. Typical identifiers include names, full addresses, contact details, medical record and account numbers, device and license identifiers, biometric data, images, and any unique characteristic that could single someone out.

If the same data does not relate to health (for example, a name on a retail mailing list), it is not PHI. Context matters—ask whether the information is held or used by a covered entity or its business associate in a health-related context.

Coverage of Electronic, Paper, and Oral Records

The Privacy Rule is media-neutral. PHI receives the same protections whether it lives in an electronic system (ePHI), on paper forms, or is conveyed verbally. Emails, patient portals, EHRs, faxes, printed charts, voicemails, and intake conversations are all covered.

Transmission method does not change your obligations. Whether you store PHI in a cloud platform, send it by secure email, or discuss it over the phone, you must apply reasonable safeguards, access controls, and minimum necessary use principles to meet HIPAA compliance requirements.

Protection of Genetic Information

Genetic information is expressly treated as PHI. Genetic tests, family medical history, and participation in genetic services fall under genetic information protection, and health plans may not use genetic information for underwriting purposes.

Build policies that keep genetic data separate from any non-permitted use. Limit access to workforce members who need it for treatment, payment, or operations, and include genetic elements in your breach risk assessments and training scenarios.

Exclusions for Employment and Education Records

Employment records held by an employer in its role as employer are not PHI, even if they contain health information. For example, FMLA paperwork, workplace injury logs, and pre-employment drug test results maintained in HR files are outside HIPAA, though other laws may apply.

Most student education records are regulated by the Family Educational Rights and Privacy Act, not HIPAA. Health and treatment records maintained by a school or district for students are generally FERPA records; accordingly, HIPAA typically does not apply to those records.


Treatment of De-Identified Information

Data that has been properly de-identified is not PHI and may be used or disclosed without HIPAA restrictions. HIPAA recognizes two de-identification standards: the Expert Determination method (a qualified expert attests that the risk of re-identification is very small) and the Safe Harbor method (specified identifiers are removed and you have no actual knowledge that the remaining information could identify the individual).

When full de-identification is not feasible, consider a limited data set under a data use agreement. Continue to evaluate re-identification risk when combining data sets, sharing for research, or releasing summaries that might indirectly identify individuals.
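As an added illustration that is not part of the original article (and not Accountable's code), the mechanical half of the Safe Harbor method applied to a constructed patient record in Python: direct identifiers are dropped, ZIP codes keep only three digits (000 for low-population prefixes), dates are reduced to the year, and ages over 89 are aggregated into a single 90+ category. The field names, the sample records, and the low-population ZIP prefix set are assumptions for the demo.

```python
import re
from datetime import date

AS_OF = date(2025, 3, 3)  # reference date for age calculation (constructed)
# Constructed stand-in: the real set of 3-digit ZIP prefixes covering 20,000 or
# fewer people must be derived from current census data before use.
LOW_POPULATION_ZIP3 = {"036", "059"}
# Direct identifiers that Safe Harbor requires to be removed outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "account_number", "license_number", "device_id", "ip", "url",
}
# Constructed sample records, not real patient data.
SAMPLE_ELDERLY = {
    "name": "Jane Example", "mrn": "MRN-0001", "email": "jane@example.com",
    "street": "1 Main St", "city": "Anytown", "zip": "03601",
    "birth_date": date(1931, 1, 15), "admission_date": date(2024, 11, 2),
    "diagnosis_code": "E11.9",
}
SAMPLE_ADULT = dict(SAMPLE_ELDERLY, zip="10001-1234", birth_date=date(1980, 5, 20))


def safe_harbor_zip(zip_code):
    """Keep the first three digits; collapse low-population prefixes to 000."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    return "000" if len(prefix) < 3 or prefix in LOW_POPULATION_ZIP3 else prefix


def safe_harbor_age(birth_date, as_of=AS_OF):
    """Ages over 89 are aggregated into the single category '90+'."""
    before_birthday = (as_of.month, as_of.day) < (birth_date.month, birth_date.day)
    age = as_of.year - birth_date.year - before_birthday
    return "90+" if age > 89 else age


def deidentify(record, as_of=AS_OF):
    """Return a copy of record reduced to Safe Harbor form (dates keep only the year)."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                          # direct identifier: drop it entirely
        if key == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif isinstance(value, date):
            out[key + "_year"] = value.year   # birth/admission/discharge dates -> year
        else:
            out[key] = value
    if "birth_date" in record:
        out["age"] = safe_harbor_age(record["birth_date"], as_of)
        if out["age"] == "90+":
            out.pop("birth_date_year", None)  # a birth year would reveal age over 89
    return out
```

Stripping these fields satisfies only the identifier-removal half of Safe Harbor; the no-actual-knowledge condition still has to be assessed by a person, and free-text fields such as clinical notes need separate review.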

Compliance Responsibilities for Covered Entities

Covered entities—health care providers conducting standard transactions, health plans, and health care clearinghouses—must implement administrative, physical, and technical safeguards to protect PHI. Business associates that handle PHI on their behalf must contractually commit to parallel protections.

Practical Steps for Privacy Safeguards

  • Map data flows: inventory where PHI originates, moves, and is stored across electronic, paper, and oral channels.
  • Gate access: enforce role-based access, unique user IDs, and timely termination of accounts and physical keys.
  • Secure endpoints: encrypt laptops and mobile devices, harden servers, and use secure messaging for PHI.
  • Control paper: limit printing, lock shredding consoles, and verify fax numbers before sending.
  • Train your workforce: use scenario-based training on minimum necessary, misdirected emails, verbal disclosures, and genetic data handling.
  • Standardize disclosures: use authorization forms, verify identities, and maintain disclosure logs where required.
  • Test and improve: run periodic audits, close gaps, and update your HIPAA compliance requirements as operations change.

Bottom line: define PHI accurately, respect exclusions, handle genetic information with heightened care, and apply consistent safeguards across every medium. Tight policies, routine training, and disciplined verification form the backbone of effective Privacy Rule compliance.

FAQs

What types of health information does the HIPAA Privacy Rule protect?

The Rule protects PHI—individually identifiable health information related to a person’s health, care, or payment for care that can identify the individual. This includes demographic data and common identifiers like names, contact details, record numbers, images, and any unique characteristic linked to health context.

How does the Privacy Rule address genetic information?

Genetic information is PHI. The Rule provides genetic information protection by prohibiting health plans from using genetic information for underwriting and by requiring covered entities and their business associates to safeguard genetic data like any other PHI.

Are employment records covered under the HIPAA Privacy Rule?

No. Employment records maintained by an employer in its role as employer are not PHI, even if they contain health details. Other laws may govern those records, but HIPAA generally does not.

What is considered de-identified information under HIPAA?

Information is de-identified when either it meets the Safe Harbor standard (specified identifiers are removed and you have no actual knowledge that the remaining data can identify someone) or a qualified expert determines that the re-identification risk is very small. Properly de-identified data is not subject to the Privacy Rule.
