Individually identifiable health information:
- Except as provided in paragraph (2) of this definition, that is:
- Transmitted by electronic media;
- Maintained in any medium described in the definition of electronic media at § 162.103 of this subchapter; or
- Transmitted or maintained in any other form or medium.
- Transmitted by electronic media;
- Protected health information excludes individually identifiable health information in:
- Education records covered by the Family Educational Right and Privacy Act, as amended, 20 U.S.C. 1232g; and
- Records described at 20 U.S.C. 1232g(a)(4)(B)(iv).
- Education records covered by the Family Educational Right and Privacy Act, as amended, 20 U.S.C. 1232g; and
PHI includes references to not only the patient, but also their relatives, employers, or household members.
The items that constitute PHI:
- Name
- Address
- Phone Numbers
- Fax Number
- Dates (birth, death, admission, discharge, etc.)
- Social Security Number
- E-mail Address
- Medical Record Numbers
- Health Plan Beneficiary Numbers
- Account Numbers
- Certificate or License Numbers
- Vehicle Identifiers and Serial Numbers, including license plate numbers
- Device Identifiers and Serial Numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) Address Numbers
- Biometric Identifiers, including finger and voice prints
- Full Face Photographic Images and any comparable images
- Any other unique identifying number, characteristic, or code
- Patient's Medical History
Exclusion for Employment Records
The final Rule clarifies that employment records maintained by a covered entity in its capacity as an employer are
excluded
from the definition of protected health information. The modifications do not change the fact that individually identifiable health information created, received, or maintained by a covered entity in its health care capacity is protected health information.