The HIPAA Privacy Rule protects all "individually identifiable health information" held or transmitted by a healthcare provider in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information" (PHI).
PHI is information (including demographic data) that relates to:
- An individual's past, present or future physical or mental health or condition
- The provision of health care to the individual
- The past, present, or future payment for the provision of health care to the individual
All identifiers that can be used to identify an individual are protected. This includes many common identifiers (eg, name, address, birth date, Social Security Number).