What Records Does HIPAA Protect? A Record‑Type and Source‑System Guide


Kevin Henry

HIPAA

February 02, 2024

8 minutes read

Protected Health Information Types

Protected Health Information (PHI) is individually identifiable health information tied to a person’s past, present, or future physical or mental health, care delivered, or payment for that care. HIPAA protects this data in any form—paper, verbal, or electronic (ePHI)—to uphold Health Information Privacy.

Clinical and Care Delivery Records

  • Encounter notes, problem lists, care plans, orders, referrals, and discharge summaries.
  • Vitals, labs, pathology, radiology reports, diagnostic images, and procedure documentation.
  • Medication histories, immunizations, allergies, and treatment adherence data.
  • Behavioral health, substance use, reproductive health, genomic and genetic testing information.

Administrative, Financial, and Insurance Records

  • Registration demographics, eligibility checks, authorizations, and scheduling details.
  • Claims (e.g., X12 837/835), explanation of benefits, billing statements, and remittance advice.
  • Case management, utilization review, quality metrics tied to individuals.

Patient Communications and Engagement

  • Portal messages, secure chat threads, appointment reminders, and telehealth audio/video.
  • Call recordings, IVR logs, and correspondence that reference identifiable health details.

Device, Sensor, and Derived Data

  • Wearables, home monitors, implantables, and medical device telemetry tied to an individual.
  • Metadata such as audit logs, access events, and system traces when linked to a patient.
  • Analytics extracts, care-gap lists, and risk scores when re-identifiable to a person.

What HIPAA Does Not Cover

  • De-identified data meeting Data De-identification Standards (Safe Harbor or expert determination).
  • Education records under FERPA and employment records held by a covered entity in its role as employer.
  • Aggregated statistics that cannot be tied back to an individual.

HIPAA Identifier Categories

HIPAA Identifiers are the signals that make health information identifiable. Removing or protecting these is central to Health Information Privacy.

The 18 HIPAA Identifiers

  • Names.
  • Geographic subdivisions smaller than a state (street address, city, county, precinct, and ZIP code—see ZIP rule below).
  • All elements of dates (except year) related to an individual (e.g., birth, admission, discharge, death) and ages over 89 unless aggregated as 90+.
  • Telephone numbers.
  • Fax numbers.
  • Email addresses.
  • Social Security numbers.
  • Medical record numbers.
  • Health plan beneficiary numbers.
  • Account numbers.
  • Certificate/license numbers.
  • Vehicle identifiers and serial numbers, including license plates.
  • Device identifiers and serial numbers.
  • Web URLs.
  • IP addresses.
  • Biometric identifiers (fingerprints, voiceprints, retinal/iris scans).
  • Full-face photos and comparable images.
  • Any other unique identifying number, characteristic, or code.

Direct vs. Quasi-Identifiers and ZIP Rule

  • Direct identifiers (e.g., name, SSN) reveal identity on their own; quasi-identifiers (e.g., dates, ZIP) can identify in combination.
  • ZIP codes: under Safe Harbor, truncate a ZIP code to its first three digits, and replace even those three digits with 000 when the geographic unit formed by all ZIP codes sharing that prefix has 20,000 or fewer people.

Record Mediums and Formats

HIPAA is format-agnostic: if information is PHI, it is protected regardless of medium or file type. Effective Healthcare Data Security accounts for every medium where PHI may reside.

Physical and Analog

  • Paper charts, printed results, consent forms, and mailed statements.
  • Film (e.g., legacy radiology), patient wristbands, and physical media (USB, CDs).

Electronic and Digital

  • Structured data (EHR tables, registries) and unstructured data (free text, PDFs, images).
  • Clinical standards: HL7 v2 messages, FHIR JSON/XML, CDA/CCD documents.
  • Imaging: DICOM, JPEG/PNG derivatives; diagnostics: waveform files.
  • Revenue cycle: X12 EDI (837/835/270/271); administration: CSV extracts and spreadsheets.
  • Operational artifacts: backups, snapshots, caches, queues, and log files tied to individuals.

Communications and Media

  • Email, secure messaging, voice recordings/voicemails, SMS (when permitted and secured), and telehealth recordings where applicable.

Source Systems of PHI

Understanding PHI Source Systems helps you inventory where HIPAA-protected records live and how they flow.

Ready to simplify HIPAA compliance?

Join thousands of organizations that trust Accountable to manage their compliance needs.

Clinical Systems

  • Electronic Health Records (EHR/EMR), ePrescribing, Computerized Provider Order Entry.
  • Laboratory (LIS), Radiology (RIS), Picture Archiving and Communication Systems (PACS).
  • Perioperative, oncology, behavioral health, rehabilitation, and care management platforms.

Administrative and Financial

  • Practice management, eligibility/benefit verification, authorizations, and referrals.
  • Claims processing, clearinghouses, payment posting, and denial management.

Pharmacy and Therapeutics

  • Pharmacy information systems, eMAR, medication dispensing cabinets, and PBMs.

Devices and Connected Health

  • Medical devices, implantables, home monitors, wearables, and remote patient monitoring hubs.

Patient-Facing and Communications

  • Patient portals, personal health records, mobile health apps, contact centers, and CRM tools.

Data and Analytics

  • Enterprise data warehouses, data lakes, quality registries, and population health platforms.
  • Testing and training environments seeded with production PHI (should be avoided or masked).

Support and Back-Office

  • IT service desks, ticketing systems, document management, HR systems with employee-patient overlap.

HIPAA Compliance Requirements

Regulatory Compliance Requirements arise primarily from the Privacy Rule, Security Rule, and Breach Notification Rule, with HITECH strengthening enforcement and digital safeguards.

Privacy Rule: Use, Disclosure, and Individual Rights

  • Permitted uses/disclosures for treatment, payment, and healthcare operations (TPO); others require authorization.
  • Minimum Necessary standard for non-TPO uses; role-based access aligned to job duties.
  • Notice of Privacy Practices, right of access, amendment, accounting of disclosures, and restrictions/confidential communications.

Security Rule: ePHI Safeguards

  • Risk analysis and risk management program covering administrative, physical, and technical safeguards.
  • Access controls, authentication, audit logs, integrity controls, and transmission security.
  • Contingency planning: data backup, disaster recovery, and emergency mode operations.

Breach Notification Rule

  • Assess incidents for PHI compromise; document low-probability-of-compromise analyses.
  • Notify affected individuals, HHS, and in some cases the media within required timeframes.

Business Associates and Agreements

  • Execute Business Associate Agreements defining permitted uses, safeguards, and breach duties.
  • Flow down requirements to subcontractors handling PHI.

Data De-identification Standards

  • Safe Harbor: remove the 18 HIPAA Identifiers and ensure no actual knowledge of identifiability.
  • Expert Determination: a qualified expert documents that re-identification risk is very small with appropriate controls.
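As an added illustration, not code from the original article, the following Python sketch applies the Safe Harbor generalizations described in the identifier list and ZIP rule above and in the de-identification standards here: direct identifiers are dropped, dates are reduced to year, ages over 89 are aggregated as 90+, and ZIP codes are cut to a 3-digit prefix that becomes 000 below the 20,000-person threshold. The record field names, the prefix population table, and the sample record are constructed assumptions.

```python
import re
from datetime import date

# Constructed population figures per 3-digit ZIP prefix (assumed, not census data).
# Safe Harbor keeps a prefix only when the area it covers has more than 20,000 people.
ZIP3_POPULATION = {"021": 1_500_000, "036": 12_000, "832": 600_000}

# Direct identifiers removed outright (a subset of the 18; field names are assumed).
DIRECT_IDENTIFIER_FIELDS = {"name", "phone", "email", "ssn", "mrn", "ip_address"}

def generalize_zip(zip_code: str) -> str:
    """Keep the 3-digit prefix only if its area has >20,000 people, else '000'."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20_000 else "000"

def generalize_age(age: int) -> str:
    """Ages over 89 are aggregated into a single '90+' category."""
    return "90+" if age > 89 else str(age)

def safe_harbor(record: dict, as_of: date) -> dict:
    """Return a Safe Harbor de-identified copy of a record (constructed schema)."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                          # drop direct identifiers entirely
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif isinstance(value, date):
            out[key + "_year"] = value.year   # all date elements except year are removed
        else:
            out[key] = value
    bd = record.get("birth_date")
    if isinstance(bd, date):
        age = as_of.year - bd.year - ((as_of.month, as_of.day) < (bd.month, bd.day))
        out["age"] = generalize_age(age)
        if age > 89:
            out.pop("birth_date_year")        # a birth year that reveals age over 89 is itself removed
    return out

SAMPLE = {  # constructed sample record, not real patient data
    "name": "Jane Q. Public", "mrn": "MRN-000123", "phone": "555-0100",
    "zip": "03601", "birth_date": date(1931, 5, 2),
    "admission_date": date(2023, 11, 14), "diagnosis_code": "E11.9",
}
AS_OF = date(2024, 2, 2)

def demo() -> dict:
    return safe_harbor(SAMPLE, AS_OF)
```

Running `demo()` leaves only the diagnosis code, the admission year, a 000 ZIP prefix and the aggregated age; a production pipeline would still need the "no actual knowledge" check that Safe Harbor requires.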

Documentation and Governance

  • Maintain policies, procedures, risk assessments, training, and sanction policies; retain documentation for at least six years.
  • Establish data stewardship, privacy oversight, and continuous compliance monitoring.

Data Privacy and Security Measures

Strong Healthcare Data Security blends governance, technology, and behavior to protect PHI end to end.

Access and Governance

  • Role-based access control, least privilege, and multi-factor authentication for all remote and privileged access.
  • Data classification and asset inventory tied to PHI Source Systems.

Protection of Data at Rest and in Transit

  • Encryption at rest (e.g., FIPS-validated modules) and in transit (TLS 1.2+), with sound key management.
  • Tokenization or pseudonymization for internal analytics; hashing for identifiers where appropriate.

Monitoring and Resilience

  • Centralized logging, audit trail review, SIEM use cases, and alerting on anomalous access.
  • Regular vulnerability management, patching, configuration baselines, and penetration testing.
  • Resilient backups (immutable, offsite), tested restores, and ransomware playbooks.

Application and Endpoint Security

  • Secure SDLC, threat modeling, code review, and API security for FHIR/HL7 integrations.
  • Endpoint protection, mobile device management, screen lock/timeout, and device encryption.

Workforce and Third Parties

  • Onboarding/annual privacy and security training; phishing simulations; clear acceptable-use policies.
  • Vendor due diligence, BAAs, least-privilege access for support, and ongoing assurance reporting.

Handling and Transmission Protocols

Data Lifecycle Practices

  • Collect only what you need; apply the Minimum Necessary standard at capture and disclosure.
  • Label and track PHI; segregate sensitive datasets; avoid using real PHI in testing.
  • Follow retention schedules and defensible deletion; sanitize media before reuse or disposal.

Secure Transmission and Interoperability

  • Use TLS for web portals and APIs; S/MIME or equivalent for email containing PHI.
  • Use SFTP, HTTPS, or AS2 for file transfers; avoid plain FTP/unencrypted channels.
  • Protect HL7 v2 (e.g., over TLS or VPN); secure FHIR with OAuth 2.0/OpenID Connect and scoped access.

Messaging, Telehealth, and Remote Work

  • Prefer secure messaging platforms with access controls, auditing, and retention management.
  • Configure telehealth solutions to store only necessary recordings and encrypt by default.
  • Require VPN for administrative access; enforce MDM policies on mobile devices.

Incident Response and Escalation

  • Detect, contain, and investigate suspected PHI incidents quickly; preserve logs and evidence.
  • Conduct risk-of-compromise assessments and execute breach notifications when required.

Conclusion

HIPAA protects any record that links identifiable details to a person’s health, regardless of format or location. Map your PHI Source Systems, control the HIPAA Identifiers, follow Regulatory Compliance Requirements, and implement rigorous technical and administrative safeguards. Consistent governance across the data lifecycle is the most reliable way to sustain Health Information Privacy.

FAQs

What qualifies as protected health information under HIPAA?

PHI is any individually identifiable health information about a person’s health status, care provided, or payment for care that is created or received by a covered entity or business associate and is maintained or transmitted in any form or medium.

Which records are included in HIPAA protection?

HIPAA covers clinical documentation, diagnostics, images, lab and pharmacy data, billing and claims, communications (email, messages, call recordings), device and sensor outputs, and operational artifacts like backups and logs—so long as they contain or can reveal an individual’s identity and health information.

How does HIPAA define identifiable health information?

Information is identifiable if it includes one or more of the 18 HIPAA Identifiers (such as name, detailed geography, dates, contact numbers, account and medical record numbers, biometric and image data) or any combination of data elements that could reasonably identify the individual.

What systems typically store HIPAA-protected records?

Common systems include EHR/EMR platforms, LIS/RIS/PACS, pharmacy and eMAR tools, practice management and billing, claims and clearinghouses, patient portals and mobile apps, contact center and CRM systems, analytics warehouses and registries, and device ecosystems such as wearables and remote monitoring hubs.
