What HIPAA Protects: Understanding Protected Health Information

Protected Health Information (PHI) is at the heart of patient privacy, and understanding what HIPAA protects is essential for healthcare organisations and their partners. 

This guide breaks down the types of information covered, how it must be handled, and the safeguards required to keep patient data secure, helping you stay compliant and protect sensitive health information.

Definition of Protected Health Information (PHI)

Protected health information refers to individually identifiable health information that covered entities create, receive, maintain, or transmit. It covers data about your past, present, or future physical or mental health conditions, the healthcare you receive, and payments for those services.

A simple three-part test determines if information qualifies as PHI:

• Does it relate to health, treatment, or payment for health care?
• Can it identify a specific individual?
• Is it held by a covered entity or business associate?

When all three answers are yes, the information is protected under HIPAA.

Examples of PHI include:

• Medical records and diagnoses
• Laboratory and test results
• Prescription drug histories
• Billing records and insurance claims
• Treatment plans and therapy notes
• Verbal conversations containing patient information

Health information becomes non-protected when stripped of all identifying details through proper de-identification methods. Aggregate statistical data without individual identifiers falls outside HIPAA’s scope.

Types of Information HIPAA Protects

Personal Identifiers

HIPAA regulations specify 18 identifiers that transform health data into protected health information:

• Names
• Geographic subdivisions smaller than a state (street addresses, cities, zip codes)
• Dates directly related to an individual (birth date, admission date, discharge date, death date – except year)
• Telephone numbers
• Fax numbers
• Email addresses
• Social Security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate or license numbers
• Vehicle identifiers and license plate numbers
• Device identifiers and serial numbers
• Web URLs
• IP addresses
• Biometric identifiers (fingerprints, voice prints)
• Full-face photographs
• Any other unique identifying number, characteristic, or code

When any of these identifiers appear alongside health information within a covered entity’s records, that data becomes PHI requiring protection.
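As an added illustration of the identifier list above (this is example code written for this guide, not code from the original article or from any regulator), the following Python script strips a constructed patient record of the identifier classes the list names and reduces individual-related dates to their year, then re-checks the result so a reviewer can see whether any identifier slipped through in free-text notes. The field names, the regular expressions and the sample record are assumptions chosen for the example; HIPAA names identifier categories, not database columns.

```python
import re

# Assumed column names for the identifier classes listed on this page.
# These fields are dropped outright from the de-identified copy.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "zip", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_plate", "device_serial", "url", "ip_address", "photo_ref",
}

# Dates tied to the individual keep only the year ("except year" above).
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Identifiers that tend to leak into free-text notes; order matters because a
# URL may itself contain an address or host that a later pattern would catch.
FREE_TEXT_PATTERNS = {
    "URL": re.compile(r"https?://\S+"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]\d{4}\b"),
    "IPV4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}
FULL_DATE = re.compile(r"\b(\d{4})-\d{2}-\d{2}\b")  # ISO dates, year kept


def scrub_text(text):
    """Replace identifier-looking substrings with a category tag and
    generalise full dates to the year only."""
    for tag, pattern in FREE_TEXT_PATTERNS.items():
        text = pattern.sub(f"[{tag} REMOVED]", text)
    return FULL_DATE.sub(r"\1", text)


def deidentify(record):
    """Return a copy of record with direct identifiers dropped, dates reduced
    to years, and string fields scrubbed."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = (
                None if value is None else int(str(value)[:4])
            )
            continue
        out[key] = scrub_text(value) if isinstance(value, str) else value
    return out


def residual_identifiers(record):
    """Pre-release check: list every identifier field still present and every
    text pattern that still matches. An empty list means nothing was found."""
    found = set()
    for key, value in record.items():
        if value is None:
            continue
        if key in DIRECT_IDENTIFIER_FIELDS or key in DATE_FIELDS:
            found.add(key)
        if isinstance(value, str):
            for tag, pattern in FREE_TEXT_PATTERNS.items():
                if pattern.search(value):
                    found.add(tag)
            if FULL_DATE.search(value):
                found.add("DATE")
    return sorted(found)


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "mrn": "MRN-0042",
    "birth_date": "1980-03-14",
    "admission_date": "2024-01-15",
    "death_date": None,
    "zip": "02139",
    "email": "jane.doe@example.org",
    "diagnosis": "Type 2 diabetes mellitus",
    "note": "Pt called from 555-867-5309 on 2024-01-16; SSN 123-45-6789 on file. "
            "Portal https://portal.example.org/u/42",
}

if __name__ == "__main__":
    print("before:", residual_identifiers(SAMPLE_RECORD))
    cleaned = deidentify(SAMPLE_RECORD)
    print("after :", residual_identifiers(cleaned))
    print(cleaned)
```

The structured fields are the easy part; the point of `residual_identifiers` is the free-text note, where phone numbers, SSNs and portal links are routinely typed by staff and survive a column-level export. Run the check on the output, not the input, and treat any non-empty result as a stop condition before data leaves the covered entity.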

Health Information Categories

HIPAA protects several categories of healthcare data:

Clinical Information

• Medical diagnoses and conditions
• Treatment plans and progress notes
• Mental health records and therapy documentation
• Laboratory results and imaging reports
• Surgical records and procedure notes

Prescription and Medication Records

• Current and past medications
• Prescription histories
• Pharmacy dispensing records
• Medication allergies and reactions

Financial and Administrative Data

• Billing services records
• Payment histories
• Insurance claims and coverage details
• Explanation of benefits statements
• Prior authorisation documentation

Communication Records

• Appointment scheduling information
• Patient correspondence
• Referral documentation
• Care coordination notes

Who Must Protect This Information

Covered Entities

The Department of Health and Human Services identifies three categories of covered entities under HIPAA rules:

Healthcare Providers: Any healthcare provider who electronically transmits health information in connection with standard transactions. This includes physicians, hospitals, clinics, dentists, pharmacies, nursing homes, and mental health professionals who bill electronically.

Health Plans: Organisations providing or paying for health insurance coverage fall under HIPAA jurisdiction. This includes:

• Health insurers and health maintenance organisations
• Group health plan administrators
• Employer-sponsored health plans
• Medicare and Medicaid programs
• Medicare supplement insurers
• Prescription drug insurers
• Individual health insurance policy providers

Healthcare Clearinghouses: Health care clearinghouses process nonstandard health information into standard formats. They serve as intermediaries between healthcare providers and health plans.

Business Associates

Third-party vendors handling PHI on behalf of covered entities become business associates with their own HIPAA compliance obligations.

Common business associates include:

• Billing and claims processing companies
• IT support and software vendors
• Cloud storage providers
• Legal and accounting services
• Transcription services
• Shredding and disposal companies
• Consultants with PHI access

Business associate agreements establish contractual obligations for protecting patient data. These contracts specify permitted uses of PHI, required safeguards, breach notification duties, and subcontractor requirements.

How HIPAA Protects Information

Privacy Rule Protections

The HIPAA Privacy Rule governs how covered entities and business associates may use and disclose protected health information.

Permitted Disclosures Without Authorisation

• Treatment, payment, and healthcare operations
• Public health activities and reporting
• Situations involving a serious and imminent threat
• Judicial and administrative proceedings
• Law enforcement officials for specific purposes
• Health oversight activities (e.g., audits, inspections, investigations)

Authorisation Requirements: Most other uses require written patient authorisation. Marketing communications and the sale of PHI need explicit consent.

Minimum Necessary Standard: Organisations must limit PHI access to the minimum amount needed for a specific purpose. Staff members only view information relevant to their job functions.

Patient Privacy Notices: Covered entities must provide clear notices explaining privacy practices, patient rights, and organisational duties.

Individual Rights Protected by HIPAA

HIPAA grants patients specific rights regarding their personal health information:

Right to Access: You may obtain copies of your medical records and other PHI. Covered entities must respond within 30 days and may charge reasonable fees for copies.

Right to Request Corrections: Patients may request amendments to their health records when they believe they contain errors. Organisations must respond to amendment requests within 60 days.

Right to Accounting of Disclosures: You may request a list showing who received your PHI and why, covering disclosures outside treatment, payment, and health care operations.

Right to Request Restrictions: Patients may request that covered entities limit how they use or disclose PHI. Organisations aren’t required to agree, except for disclosures to health plans when you pay out-of-pocket in full.

Right to Confidential Communications: You may request that organisations contact you through specific channels or at alternative addresses to protect your privacy.

Right to File Complaints: Patients may report HIPAA violations to covered entities or directly to the Office for Civil Rights within the Department of Health and Human Services. Retaliation against employees who file complaints violates federal law.

What HIPAA Does NOT Protect

Understanding HIPAA’s limitations clarifies when other protections—or none—may apply.

De-identified Information: Health information stripped of all 18 identifiers through approved methods no longer qualifies as PHI. Researchers and analysts may use de-identified data without HIPAA restrictions.

Employment Records: Medical information in employment files held by covered entities acting as employers falls outside HIPAA’s scope. Separate employment laws may provide some protection.

Education Records: Student health records covered by the Family Educational Rights and Privacy Act (FERPA) receive protection under that statute, not HIPAA.

Non-Covered Entities: Health information held by organisations that aren’t covered entities or business associates is not protected under HIPAA. 

This includes:

• Many wellness apps and wearable devices
• Life insurance companies
• Schools (unless operating as healthcare providers)
• Employers not acting as covered entities

Deceased Individuals: PHI protection continues for 50 years after death. After that period, HIPAA protections no longer apply.

Compliance Requirements for Organisations

Covered entities and business associates must implement programs addressing multiple HIPAA requirements.

Risk Assessment: Conduct documented risk analysis to identify vulnerabilities. Update assessments when technology, operations, or threats change. Implement appropriate data security measures based on findings.

Policies and Procedures: Develop written documentation covering:

• PHI handling and storage
• Access management
• Breach response
• Complaint procedures
• Sanction policies

Workforce Training: Train all employees on HIPAA regulations relevant to their roles. Document training completion and provide refresher education periodically.

Incident Response: Establish procedures for detecting, investigating, and reporting breaches. The Breach Notification Rule requires notifying affected individuals, the Department of Health and Human Services, and sometimes media outlets.

Documentation and Audits: Maintain records of compliance activities for six years. Implement audit trails tracking who accessed patient data and when.
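The Minimum Necessary Standard and the audit-trail requirement above are usually enforced at the same point: the code path that hands PHI to a user. The following Python gateway is an added example written for this guide (not code from the original article or from any HIPAA guidance); it releases only the fields an assumed role-to-field policy permits, records every access with who, when, which record and which fields, and answers the "who accessed this record" question an auditor or an accounting-of-disclosures request would raise. The policy table, the field names and the sample record are assumptions for illustration.

```python
from datetime import datetime, timezone


# Assumed, illustrative policy: which fields each job function needs.
# HIPAA requires the limitation; the specific mapping is an organisational choice.
ROLE_PERMITTED_FIELDS = {
    "clinician": frozenset({"mrn", "name", "diagnosis", "medications",
                            "allergies", "lab_results"}),
    "billing":   frozenset({"mrn", "name", "insurance_id", "billing_codes",
                            "payment_history"}),
    "scheduler": frozenset({"mrn", "name", "phone", "next_appointment"}),
}


class MinimumNecessaryGateway:
    """Single choke point for reading patient records. Every call is logged,
    whether or not anything was released."""

    def __init__(self, policy):
        self.policy = policy
        self.audit_log = []  # in production this would be append-only storage

    def access(self, user, role, purpose, record, requested_fields=None):
        """Return (granted, denied): the permitted subset of the requested
        fields, and the sorted names of fields that were refused."""
        permitted = self.policy.get(role, frozenset())
        requested = (set(requested_fields) if requested_fields is not None
                     else set(record))
        granted = {k: record[k] for k in record
                   if k in permitted and k in requested}
        denied = sorted(requested - permitted)
        self.audit_log.append({
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "role": role,
            "purpose": purpose,
            "mrn": record.get("mrn"),
            "fields_released": sorted(granted),
            "fields_denied": denied,
        })
        return granted, denied

    def disclosures_for(self, mrn):
        """Audit-trail query: every access entry for one record, in order."""
        return [e for e in self.audit_log if e["mrn"] == mrn]


# Constructed sample record; not real patient data.
SAMPLE_PATIENT = {
    "mrn": "MRN-0042",
    "name": "Jane Doe",
    "phone": "555-867-5309",
    "diagnosis": "Type 2 diabetes mellitus",
    "medications": ["metformin"],
    "allergies": ["penicillin"],
    "lab_results": {"HbA1c": 7.1},
    "insurance_id": "PLAN-7781",
    "billing_codes": ["E11.9"],
    "payment_history": ["2024-01-20 paid"],
    "next_appointment": "2024-03-01",
}

if __name__ == "__main__":
    gw = MinimumNecessaryGateway(ROLE_PERMITTED_FIELDS)
    view, refused = gw.access("dr_lee", "clinician", "treatment", SAMPLE_PATIENT)
    print("clinician sees:", sorted(view), "refused:", refused)
    view, refused = gw.access("b_chan", "billing", "payment", SAMPLE_PATIENT)
    print("billing sees:", sorted(view), "refused:", refused)
    for entry in gw.disclosures_for("MRN-0042"):
        print(entry["timestamp"], entry["user"], entry["fields_released"])
```

Two design points matter for an audit. First, denied requests are logged as well as granted ones, since a pattern of refused field requests is itself a signal worth reviewing. Second, the log records field names, never field values, so the audit trail does not become a second copy of the PHI it is meant to protect.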

Conclusion

Protected Health Information (PHI) is central to patient privacy, and HIPAA sets clear rules to guarantee its security. By understanding what qualifies as PHI, patients’ rights, and the responsibilities of covered entities and business associates, healthcare organisations can implement effective safeguards and compliance programs.

Proper risk assessments, workforce training, policies, and documentation not only protect sensitive health information but also help organisations stay audit-ready and reduce the risk of breaches and penalties.

Frequently Asked Questions

Does HIPAA protect all health information?

No. HIPAA only applies to protected health information held by covered entities and business associates. Your fitness tracker data, personal health record application entries, and information shared with non-covered entities may have no federal protection. State laws sometimes fill these gaps.

How long does HIPAA protect health information?

HIPAA protects your PHI for your lifetime and 50 years after death. Organisations must maintain privacy and security practices throughout this period. After 50 years, the information may be disclosed without HIPAA restrictions.

Can family members access protected health information?

Family involvement depends on circumstances. Healthcare providers may share relevant information with family members involved in your care unless you object. Personal representatives (those with legal authority, such as a healthcare power of attorney) generally have the same rights as patients. Parents typically have access to their minor children’s records, with some exceptions for sensitive health information.

Note: This content was written with AI assistance.