What Is HIPAA Individually Identifiable Health Information (IIHI)? A Simple Definition with Examples


Kevin Henry

HIPAA

March 04, 2024

7 minute read

Definition of Individually Identifiable Health Information

Simple definition

Individually Identifiable Health Information (IIHI) is any health information—including demographic data—that relates to a person’s past, present, or future physical or mental health, the health care they receive, or payment for that care, and either identifies the person or could reasonably be used to identify them. IIHI can exist in any form: electronic, paper, or spoken.

What makes information “individually identifiable”

Information is identifiable when it directly names a person or contains details that, alone or in combination, allow someone to work out who the person is. Under the HIPAA Privacy Rule, identifiability is the threshold question: it decides whether data about care, conditions, or bills is about a specific individual and can therefore become PHI.

Key elements of IIHI

  • Content: clinical facts, insurance details, billing data, or demographics tied to health care.
  • Link to a person: direct identifiers (like name) or indirect traits that reasonably reveal identity.
  • Context: created or received by a health care provider, health plan, employer, or health care clearinghouse. This is part of the definition of IIHI itself, before asking whether HIPAA applies to the organization holding the data.

Common Examples of IIHI

Everyday scenarios

  • An electronic health record note that includes your name, medical record number, and diagnosis.
  • A lab report with a specimen ID, date of birth, and test results.
  • An insurance claim showing your policy number, provider, procedure code, and dates of service.
  • A discharge summary that lists your address, admission and discharge dates, and medications.
  • A pharmacy fill record linking your name and phone number to a prescription.
  • A voicemail from a clinic referencing your upcoming appointment and condition.
  • A care management spreadsheet that combines ZIP code, age, and rare condition—enough to single you out.
  • Data from a device or app when it is collected for, or shared with, a Covered Entity or its Business Associate.

Identifiers that typically make data identifiable

  • Names
  • Geographic details smaller than a state (street address, city, county, precinct, and ZIP code), except that the first three digits of a ZIP code may be kept where the combined area of all ZIP codes sharing those digits has more than 20,000 residents; ZIP3 areas with 20,000 or fewer residents are reported as 000
  • All elements of dates (except year) directly related to a person (birth, admission, discharge, death), and all ages over 89 together with any date elements that would reveal such an age (these may be aggregated into a single 90+ category)
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and license plates
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Biometric identifiers (fingerprints, voiceprints, etc.)
  • Full-face photos and comparable images
  • Any other unique identifying number, characteristic, or code

Relationship Between IIHI and PHI

How IIHI turns into PHI

Protected Health Information (PHI) is IIHI that is created, received, maintained, or transmitted by a Covered Entity (such as a health care provider, health plan, or clearinghouse) or a Business Associate acting on its behalf, in any form or medium. In short: IIHI + Covered Entity/Business Associate context = PHI, subject to specific exclusions.

Where IIHI is not PHI

If the same identifiable health details are held only by a consumer app or wearable company that is not a Covered Entity or Business Associate, HIPAA generally does not apply. The information remains “individually identifiable,” but it is not PHI under the HIPAA Privacy Rule.

Practical takeaway

All PHI is IIHI, but not all IIHI is PHI. Whether HIPAA protections attach depends on who holds the data and in what capacity.


Exclusions from HIPAA Protection

Data categories not protected as PHI

  • De-identified information that meets HIPAA De-Identification standards.
  • Education records covered by FERPA (including most student health records kept by schools).
  • Employment records maintained by a Covered Entity in its role as employer (e.g., leave requests, workplace injury logs).
  • Health information about a person deceased for more than 50 years.
  • Health information held solely by entities that are neither Covered Entities nor Business Associates (many consumer apps, wearables, and websites), unless they act for a Covered Entity.

Why exclusions matter

Exclusions determine whether HIPAA’s Health Information Privacy rules apply. Even when HIPAA does not apply, other federal or state privacy laws or company policies may still govern the data.

Scope of the HIPAA Privacy Rule

Who must comply

  • Covered Entity: health care providers that conduct standard electronic transactions, health plans, and health care clearinghouses.
  • Business Associate: any vendor or partner that creates, receives, maintains, or transmits PHI for a Covered Entity (e.g., cloud services, billing companies, EHR vendors), including their subcontractors.

What the rule protects: key obligations and individual rights

  • Permitted uses and disclosures: treatment, payment, and health care operations; disclosures with valid authorization; and limited public interest exceptions.
  • Minimum necessary: use, disclose, or request only the least PHI needed for the intended purpose. The standard does not apply to disclosures to or requests by a provider for treatment, to disclosures to the individual, or to uses and disclosures made under a valid authorization.
  • Individual rights: access and obtain copies, request amendments, request restrictions and confidential communications, receive a Notice of Privacy Practices, and obtain an accounting of certain disclosures.
  • Reasonable administrative, physical, and technical safeguards for PHI (the separate Security Rule adds detailed safeguards for electronic PHI); Business Associate Agreements; and breach notification duties under the Breach Notification Rule.

De-Identified Health Information Standards

Two approved methods

  • Safe Harbor: remove the 18 listed identifiers of the individual and of the individual's relatives, employers, and household members, and have no actual knowledge that the remaining data could be used, alone or in combination with other information, to identify the person.
  • Expert Determination: a qualified expert applies accepted statistical or scientific methods to conclude that the re-identification risk is very small, and documents the analysis.

A Limited Data Set excludes direct identifiers but may include elements like city, state, ZIP code, dates, and ages. It remains PHI and can be shared only for research, public health, or health care operations under a Data Use Agreement.

Re-identification codes and safeguards

Covered Entities or Business Associates may assign a code or other record identifier that lets them re-identify the data later, provided the code is not derived from or related to information about the individual, cannot otherwise be translated to identify them, is used or disclosed for no other purpose, and the re-identification mechanism itself is not disclosed. In practice, ongoing re-identification risk assessments, suppression of small cells (for example, counts below a threshold in a ZIP3 by age by condition table), and strict access controls on the key table strengthen de-identification.
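As an added example, not code from this page or from Accountable, the following Python applies the Safe Harbor transformations described under "Two approved methods" to one constructed patient record and then attaches a random re-identification code whose key is kept in a separate table, as described in the paragraph above. The field names, the sample record, the free-text patterns, and the short-population ZIP3 set are assumptions made for the example; real ZIP3 decisions must come from current Census data.

```python
"""Safe Harbor de-identification with a separately held re-identification key.

Added example. Field names and sample data are constructed for illustration.
"""
import re
import secrets
from datetime import date

# Fields Safe Harbor removes outright: names, contact details, numbers that
# single out a person, biometrics, images. Constructed schema for this example.
REMOVE_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "beneficiary_id", "account_no", "license_no", "plate",
    "device_serial", "url", "ip", "fingerprint", "photo",
}
# Date fields that must be reduced to the year only.
DATE_FIELDS = {"admit_date", "discharge_date", "death_date"}

# ZIP3 prefixes whose combined area has 20,000 or fewer residents must be
# reported as "000". Constructed stand-in; use current Census figures.
LOW_POPULATION_ZIP3 = {"036", "059", "102", "203", "556", "692", "821",
                       "823", "878", "879", "884", "893"}

# Patterns that commonly leak identifiers into free-text notes.
_SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
_PHONE = re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")
_EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

# Constructed sample record, not a real patient.
SAMPLE_RECORD = {
    "name": "Jane Q. Example", "mrn": "MRN-0042", "ssn": "123-45-6789",
    "dob": "1931-02-14", "street": "1 Elm St", "city": "Walpole",
    "zip": "03608", "phone": "555-010-0199",
    "admit_date": "2024-01-09", "discharge_date": "2024-01-12",
    "diagnosis": "J18.9",
    "note": "Daughter reachable at 555-010-0200 or jane.example@example.org",
}


def generalize_zip(zip_code):
    """Keep the first three digits unless the ZIP3 area is too small."""
    zip3 = str(zip_code).strip()[:3]
    if not zip3.isdigit():
        return None
    return "000" if zip3 in LOW_POPULATION_ZIP3 else zip3


def year_only(value):
    """Reduce an ISO date string to its year; None if it does not parse."""
    try:
        return date.fromisoformat(value).year
    except (TypeError, ValueError):
        return None


def scrub_text(text):
    """Best-effort redaction of SSN, phone and e-mail patterns in notes."""
    for pattern in (_SSN, _PHONE, _EMAIL):
        text = pattern.sub("[REDACTED]", text)
    return text


def deidentify(record, key_table, as_of):
    """Return a Safe Harbor copy of record and register a re-id code.

    key_table maps code -> original MRN and is the separately held key;
    it must never be shipped with the de-identified data. as_of is the
    ISO date used to decide whether the age must be aggregated to 90+.
    """
    out = {}
    for field, value in record.items():
        if field in REMOVE_FIELDS or field == "dob":
            continue  # dob is handled below
        if field in DATE_FIELDS:
            out[field.replace("_date", "_year")] = year_only(value)
        elif field == "zip":
            out["zip3"] = generalize_zip(value)
        elif isinstance(value, str):
            out[field] = scrub_text(value)
        else:
            out[field] = value

    if record.get("dob"):
        dob = date.fromisoformat(record["dob"])
        ref = date.fromisoformat(as_of)
        age = ref.year - dob.year - ((ref.month, ref.day) < (dob.month, dob.day))
        if age >= 90:
            out["age"] = "90+"  # birth year would reveal the age, so drop it
        else:
            out["birth_year"] = dob.year

    # Random code, not derived from any identifier; only the key table links
    # it back to the MRN.
    code = secrets.token_hex(8)
    while code in key_table:
        code = secrets.token_hex(8)
    key_table[code] = record.get("mrn")
    out["reid_code"] = code
    return out


def run_sample():
    """De-identify the constructed record as of 2024-03-04."""
    key_table = {}
    return deidentify(SAMPLE_RECORD, key_table, "2024-03-04"), key_table


if __name__ == "__main__":
    deid, key = run_sample()
    print("de-identified:", deid)
    print("key table (store separately):", key)
```

Safe Harbor still requires that you have no actual knowledge the remaining fields could identify the person, so the regex scrub of notes is a safety net rather than a guarantee; rare diagnoses combined with ZIP3 and birth year are exactly the kind of residual risk the Expert Determination method is meant to measure.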

Conclusion

IIHI captures any health-related data that can identify a person. When IIHI is handled by a Covered Entity or Business Associate, it becomes PHI protected by the HIPAA Privacy Rule, unless an exclusion applies. Proper De-Identification enables data use while safeguarding Health Information Privacy.

FAQs

What qualifies as individually identifiable health information under HIPAA?

IIHI is health information, including demographics, that relates to a person’s health, care, or payment and either directly identifies them or could reasonably be used to identify them, in any form (electronic, paper, or oral).

How does IIHI differ from PHI?

IIHI describes identifiable health data in general. PHI is IIHI specifically held or transmitted by a Covered Entity or its Business Associate, subject to exclusions such as FERPA education records, employment records, de-identified data, and information about individuals deceased for more than 50 years.

When is health information excluded from HIPAA protection?

HIPAA does not protect de-identified data, FERPA-covered education records, employment records kept by a Covered Entity in its employer role, information about individuals who have been deceased for over 50 years, and health data held only by entities that are not Covered Entities or Business Associates.

What are the requirements for de-identifying health information?

You must either remove the 18 specified identifiers and have no actual knowledge of re-identification risk (Safe Harbor) or obtain an expert’s documented determination that the risk of re-identification is very small (Expert Determination). Limited Data Sets are not fully de-identified and require a Data Use Agreement.
