What Information Is Protected by HIPAA Law?

HIPAA protects what’s formally called “protected health information,” or PHI. This is any individually identifiable health information held or transmitted by a healthcare provider, health plan, or health care clearinghouse, whether it’s stored electronically, written on paper, or spoken aloud. For data to qualify as PHI, it has to meet two conditions: it must relate to your health, your healthcare, or payment for your healthcare, and it must be linkable to you as an individual.

What Counts as Protected Health Information

PHI covers a broader range of data than most people realize. It’s not limited to your medical chart or test results. Under the HIPAA Privacy Rule, information qualifies as PHI if it relates to any of these three categories:

  • Your health or condition: past, present, or future physical or mental health, including diagnoses, symptoms, treatment plans, and mental health records.
  • Healthcare you’ve received: records of doctor visits, surgeries, prescriptions, therapy sessions, or any other care.
  • Payment for healthcare: billing records, insurance claims, payment history, and health plan beneficiary details.

The critical second piece is identifiability. A database showing that 10,000 anonymous patients have high blood pressure isn’t PHI. But the moment that data can be linked to a specific person, through a name, date of birth, address, or any other identifier, it becomes protected.

Genetic information is also explicitly included. A 2009 rule modification clarified that genetic data is health information under HIPAA, and health plans are prohibited from using it for underwriting purposes like setting premiums or determining eligibility.

The 18 Identifiers That Make Data PHI

HIPAA defines 18 specific data points that can link health information to an individual. If any of these are attached to health data, the combined record is PHI. These identifiers apply not just to the patient but also to their relatives, employers, and household members:

  • Names
  • Geographic data smaller than a state: street address, city, county, ZIP code (the first three digits of a ZIP code may be kept only if that three-digit zone has more than 20,000 people)
  • Dates related to the individual: birth date, admission date, discharge date, death date, and all ages over 89 (which must be grouped into a single “90 or older” category)
  • Phone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate or license numbers
  • Vehicle identifiers: including license plate numbers
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Biometric identifiers: fingerprints, voiceprints
  • Full-face photographs or comparable images
  • Any other unique identifying number, characteristic, or code

That last catch-all category is intentionally broad. It means even a unique patient code assigned by a clinic counts as an identifier if it could be traced back to you.

Who Has to Follow HIPAA

HIPAA doesn’t apply to every organization that touches health data. It applies to three types of “covered entities”: healthcare providers (doctors, dentists, psychologists, clinics, pharmacies, nursing homes), health plans (insurance companies, HMOs, employer health plans, Medicare, Medicaid, veterans’ health programs), and healthcare clearinghouses (organizations that process health data between providers and insurers). Healthcare providers are only covered if they transmit information electronically for standard transactions like billing or insurance claims.

Beyond these, HIPAA also governs “business associates,” which are companies that handle PHI on behalf of a covered entity. Think of a cloud storage company hosting a hospital’s records, an IT firm managing a clinic’s network, or a billing service processing insurance claims. These business associates must sign written agreements committing to HIPAA’s protections and are directly liable for violations.

What HIPAA Does Not Cover

This is where many people get surprised. HIPAA has significant gaps. Your fitness tracker data, the health information you enter into a wellness app, and the data your smartwatch collects about your heart rate are typically not protected by HIPAA. These consumer products are usually made by companies that aren’t healthcare providers, health plans, or business associates, so HIPAA simply doesn’t apply to them. Instead, those companies fall under the Federal Trade Commission’s authority, including the FTC’s Health Breach Notification Rule, which requires them to notify you if your health data is compromised.

Employment records are another common blind spot. If your employer keeps health-related records (like a note from your doctor excusing an absence), those aren’t protected by HIPAA even though they contain health information. Similarly, health records maintained by schools are generally governed by a separate law called FERPA, not HIPAA.

Health information you voluntarily share on social media, with life insurance companies, or with employers through workplace wellness programs that aren’t part of a group health plan also falls outside HIPAA’s reach.

How Data Loses Its Protected Status

Health information stops being PHI once it’s been “de-identified,” meaning stripped of anything that could link it to a specific person. HIPAA allows two methods for doing this.

The Safe Harbor method requires removing all 18 identifiers listed above and confirming that the remaining data can’t be used, alone or combined with other available information, to identify anyone. The Expert Determination method allows a qualified statistician to analyze the data and certify that the risk of re-identification is “very small.” They must document their methods and conclusions. De-identified data can be freely used for research, analytics, and public health reporting without HIPAA restrictions.

Penalties for Violations

HIPAA violations carry civil penalties on a four-tier scale, with amounts updated annually for inflation. As of August 2024, the tiers work like this:

  • Tier 1, lack of knowledge: the organization didn’t know and couldn’t have reasonably known about the violation. Fines range from $141 to $71,162 per violation.
  • Tier 2, reasonable cause: the violation wasn’t due to willful neglect. Fines range from $1,424 to $71,162.
  • Tier 3, willful neglect, corrected promptly: the organization knew about the problem and fixed it within 30 days. Fines range from $14,232 to $71,162.
  • Tier 4, willful neglect, not corrected: fines start at $71,162 and can reach $2,134,831 per violation, with a calendar-year cap at that same amount.

Criminal violations, which involve knowingly obtaining or disclosing PHI, can result in prison time in addition to fines. The severity depends on whether the violation was committed under false pretenses or for personal gain.

Your Rights Under the Privacy Rule

HIPAA doesn’t just restrict who can see your data. It also gives you specific rights over it. You can request a copy of your medical records from any covered entity, and they’re required to provide it (usually within 30 days). You can ask for corrections if something is wrong. You can request an accounting of who your information has been disclosed to. And you can ask a provider or insurer to limit how your data is shared, though they aren’t always required to agree.

Covered entities must also give you a Notice of Privacy Practices explaining how they use and share your PHI. If you believe your rights have been violated, you can file a complaint with the U.S. Department of Health and Human Services’ Office for Civil Rights, which investigates HIPAA complaints and enforces the rules.