Who Is Protected by HIPAA? Patients, Health Plan Members, and Their PHI Explained

Kevin Henry

HIPAA

April 01, 2024

7-minute read

Covered Entities Under HIPAA

HIPAA protects individuals when their health information is handled by specific organizations called covered entities. These include health care providers that conduct standard electronic transactions, health plans (such as employer-sponsored group health plans, insurers, and HMOs), and health care clearinghouses. If you are a patient or a health plan member, your information is protected when these entities create, receive, maintain, or transmit it.

Business associates and subcontractors

Vendors that handle PHI for a covered entity—such as billing companies, cloud hosts, e-prescribing networks, or analytics firms—are business associates. They must follow HIPAA through contracts known as Business Associate Agreements. Subcontractors that access PHI are also bound by the same obligations.

Hybrid entities and when HIPAA applies

Organizations performing both covered and non-covered functions (for example, a university with a clinic) may designate themselves as hybrid entities. HIPAA applies to their health care components, not to unrelated business units. The key question is whether a covered entity or its business associate is performing a covered function.

Definition of Protected Health Information

Protected Health Information (PHI) is individually identifiable health information that relates to a person’s past, present, or future physical or mental health or condition, the provision of health care, or payment for care, and that can identify the individual. PHI is protected when held or transmitted by a covered entity or business associate in any form—electronic, paper, or oral.

PHI vs. de-identified information

Information that has been de-identified so that it cannot reasonably identify someone is not PHI. De-identification is done either by removing the specified PHI identifiers (the safe harbor method) or by an expert determination that the risk of re-identification is very small. Limited data sets, which exclude certain direct identifiers, may be used for research and public health purposes under a data use agreement.

Types of PHI Identifiers

PHI identifiers are data elements that can directly or indirectly identify a person. Common PHI identifiers include:

  • Names.
  • Geographic details smaller than a state (street address, city, county, ZIP code) and related geolocation details.
  • All elements of dates (except year) related to an individual, including birth, admission, discharge, and death; ages over 89 are aggregated.
  • Telephone numbers and fax numbers.
  • Email addresses.
  • Social Security numbers.
  • Medical record numbers.
  • Health plan beneficiary numbers (for example, Medicare or plan member IDs).
  • Account numbers.
  • Certificate and license numbers.
  • Vehicle identifiers and license plate numbers.
  • Device identifiers and serial numbers.
  • Web URLs.
  • IP addresses.
  • Biometric identifiers (for example, fingerprints or voiceprints).
  • Full-face photographs and comparable images.
  • Any other unique identifying number, characteristic, or code that could identify the individual.
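As an added illustration (not part of the original article), the following Python snippet applies the safe harbor approach described above to a constructed patient record: fields matching the listed identifier categories are dropped, dates are reduced to their year, ages over 89 are aggregated, and a few identifier patterns are scrubbed from free text. The field names, regular expressions, and sample values are assumptions chosen for illustration.

```python
# Added example: safe-harbor style de-identification over a constructed record.
# Field names, patterns and sample values are illustrative assumptions.
import re
from datetime import date

# Fields that correspond to listed identifiers and are removed outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "zip", "phone", "fax",
    "email", "ssn", "mrn", "plan_member_id", "account_number",
    "license_number", "license_plate", "device_serial", "url", "ip_address",
    "fingerprint_template", "photo",
}
# Date fields: only the year may be kept.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
# Free text can carry identifiers too; these patterns catch a few common shapes.
FREE_TEXT_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),              # SSN-shaped numbers
    re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),     # US phone numbers
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),             # email addresses
    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),         # IPv4 addresses
]

def safe_harbor_deidentify(record: dict) -> dict:
    """Return a copy of `record` with listed identifiers removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                                   # drop the field entirely
        if key in DATE_FIELDS and isinstance(value, date):
            out[key[:-5] + "_year"] = value.year       # keep the year only
        elif key == "age" and isinstance(value, int) and value > 89:
            out[key] = "90+"                           # aggregate ages over 89
        elif isinstance(value, str):
            for pat in FREE_TEXT_PATTERNS:
                value = pat.sub("[REDACTED]", value)   # scrub free-text identifiers
            out[key] = value
        else:
            out[key] = value
    return out

# Constructed sample record with fictional values.
SAMPLE = {
    "name": "Jane Example", "mrn": "MRN-0001", "zip": "00000",
    "birth_date": date(1931, 5, 17), "admission_date": date(2024, 3, 2),
    "age": 92, "state": "WA", "diagnosis_code": "E11.9",
    "note": "Patient called from 555-010-0199; SSN 000-00-0000 on file.",
}

if __name__ == "__main__":
    print(safe_harbor_deidentify(SAMPLE))
```

Pattern-based scrubbing of free text is a best-effort safety net; it does not by itself establish that a data set is de-identified.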

Forms of PHI

Electronic PHI (ePHI)

ePHI includes digital records in EHRs, patient portals, email, text messages, imaging files, and backups. The HIPAA Security Rule requires administrative, physical, and technical safeguards such as access controls, encryption, audit logs, and secure transmission. Mobile devices and remote work arrangements must be covered by the same protections.

Paper and oral PHI

Printed charts, discharge summaries, faxes, and verbal disclosures are also PHI. Policies such as “minimum necessary,” secure disposal, privacy screens, and private consultation spaces help reduce unauthorized access or overhearing.

Individual Rights Under HIPAA

HIPAA grants Individual Rights so you can understand and control how your PHI is used:

  • Right of access: obtain and inspect copies of your PHI, including electronic copies in the format requested if readily producible, within set time frames and at a reasonable, cost-based fee.
  • Right to request amendments: ask for corrections to inaccurate or incomplete PHI; denials require a written reason and allow you to submit a statement of disagreement.
  • Right to an accounting of disclosures: receive a record of certain non-routine disclosures.
  • Right to request restrictions: ask a provider to limit disclosures to a health plan for a specific service when you pay out-of-pocket in full; providers must honor this limited restriction.
  • Right to confidential communications: request alternative contact methods or locations, such as a different mailing address or phone number.
  • Right to receive a Notice of Privacy Practices explaining how your PHI may be used and your options to complain.

Enforcement rests with the HHS Office for Civil Rights (OCR), which investigates complaints, conducts audits, and can require corrective actions and impose civil monetary penalties. You may file a complaint with your provider or plan, and with OCR, without fear of retaliation.

Exclusions from PHI Protection

Some information is outside HIPAA’s PHI scope:

  • Employment records held by a covered entity in its role as employer.
  • Education records protected by FERPA and certain treatment records of students.
  • De-identified data that no longer contains PHI identifiers, and aggregate statistics derived from PHI.
  • Information about an individual deceased for more than 50 years.
  • Consumer-generated health data in apps or devices when the developer is not a covered entity or business associate; such data may instead fall under state Data Privacy Acts or other consumer protection laws.

State Laws Impacting Health Data Privacy

HIPAA sets a federal baseline, but it does not preempt state laws that are more protective of privacy. Many states impose stricter rules for sensitive categories such as mental health records, substance use disorder treatment, HIV status, genetic information, and reproductive health data.

Broad Data Privacy Acts—such as those in California, Virginia, Colorado, Connecticut, and Utah—regulate personal data, including certain health-related data outside HIPAA. Some states also have consumer health data laws that directly cover non-HIPAA health data (for example, Washington’s My Health My Data Act and Nevada’s consumer health data privacy law). Separate state breach-notification statutes can require additional notices beyond HIPAA’s Breach Notification Rule.

For multi-state providers and digital health companies, the practical approach is to meet HIPAA requirements while mapping where state rules are “more stringent,” then applying the strictest standard across affected jurisdictions.

Conclusion

HIPAA protects patients and health plan members by safeguarding Protected Health Information, defining PHI identifiers, and granting robust Individual Rights. Covered Entities and their business associates must secure PHI in every form, while state privacy laws can add stronger protections—especially for sensitive data and non-HIPAA contexts. Understanding where HIPAA applies, what counts as PHI, and how rights work helps you make informed choices about your health data.

FAQs

Who qualifies as a covered entity under HIPAA?

Covered entities include health care providers that conduct standard electronic transactions (like billing), health plans such as insurers, HMOs, and employer-sponsored group health plans, and health care clearinghouses that standardize transaction data. Vendors that handle PHI for these entities are business associates and must comply through Business Associate Agreements.

What information is considered Protected Health Information?

Protected Health Information is individually identifiable health information related to your health status, care, or payment that can identify you and is created or received by a covered entity or its business associate. It includes details such as names, addresses, dates, medical record numbers, and health plan beneficiary numbers, and it exists in electronic, paper, and oral forms.

How does HIPAA protect patient confidentiality?

HIPAA sets rules for when PHI can be used or disclosed, requires the “minimum necessary” standard, and mandates safeguards for electronic PHI. It also requires notices to individuals, grants rights to access and amend PHI, and is enforced by HHS’s Office for Civil Rights, which can require corrective actions and impose penalties for violations.

What rights do individuals have regarding their PHI?

You can access and receive copies of your PHI, request corrections, obtain an accounting of certain disclosures, ask for restrictions (including limiting plan disclosures when you pay in full), request confidential communications, and receive a Notice of Privacy Practices. You may file complaints with your provider or plan and with HHS’s Office for Civil Rights if your rights are not respected.
