HIPAA Protected Health Information Definition

Guidelines governing the sharing or disclosure of HIPAA Patient Health Information


HIPAA is very comprehensive in laying down guidelines governing the sharing or disclosure of Patient Health Information and has five separate titles dedicated to such stipulations. HIPAA Title II is called Administrative Simplification, or AS. To ensure that the privacy of health information is upheld in the prevailing healthcare system, HIPAA emphasizes the AS stipulations, which in turn influence the DHHS to endorse national standards for electronic healthcare transactions.

AS is concerned with setting up national standards for electronic healthcare transactions and benchmarks such as identifiers for healthcare providers, health insurance plans and employers. The provisions laid down by the AS address the crucial issue of maintaining the security and privacy of a patient's health data. The most significant nationally recognized AS rules from HHS (Department of Health & Human Services) for this purpose are set out in [45 CFR §160, §162 and §164]. These rules are:

  • The Unique Identifiers Rule (National Provider Identifier)
  • The Enforcement Rule
  • The Privacy Rule
  • The Security Rule
  • The Transactions and Code Sets Rule

Exceptions Regarding HIPAA Protected Health Information

There are some exceptions to the general understanding of PHI:

1) When the covered entity is the employer, personal information about employees that is maintained as part of the employment records is outside the realm of PHI.
2) Information about an individual recorded as part of educational pursuits, including professional training, is not PHI.
3) The Family Educational Rights and Privacy Act (20 USC) defines many specific clauses under which certain pieces of information can be accessed or shared without the liability to inform the individual concerned.


What is Protected Health Information (PHI)? Understanding De-identifiable Information

The Privacy Rule categorizes some significant exceptions to PHI in the form of De-identified Health Information. Information falling under this category can be disclosed without the fear of facing any penalties for HIPAA non-compliance. De-identifiable Information is regarded as insufficient to compromise the privacy of an individual. Intentional de-identification of information is also possible when a qualified statistician conducts the formal process of de-identifying information by removing specific pieces of critical data called Identifiers. The following are some of the common identifiers that can be removed to render Protected Health Information de-identifiable:


  • Geographic classifications that are smaller than a state (like district information)
  • Date-based bits of data
  • Fingerprints/voiceprints
  • Email IDs
  • IP details
  • SSN
  • Health plan beneficiary number(s)
  • PAN - Personal account numbers
  • URLs
  • Facsimile details
  • License plate numbers