b.) Individually Identifiable Health Information
The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. “Individually identifiable health information” is information that identifies or reasonably lead to identification of an individual and relates to the individual’s: 1) past, present or future physical or mental health condition; 2) health care provisions; or 3) past, present, or future payment for health care provisions. Common identifiers include name, address, birth date, or Social Security Number.7 Individually identifiable health information subject to the Privacy Rule is “protected health information” (PHI). PHI does not include: 8 1) a covered entity’s employment records; 2) education records; or 3) certain other records subject to the Family Educational Rights and Privacy Act.9
.png)