is any individually identifiable health information, including genetic information and demographic information, collected from an individual, whether oral or recorded in any form or medium that is created or received by a covered entity.
PHI encompasses information that identifies an individual or might reasonably be used to identify an individual and relates to:
- The individual’s past, present or future physical or mental health or condition of an individual; OR
- The provision of health care to the individual; OR
- The past, present or future payment of health care to an individual
Information is deemed to identify an individual if it includes either the patient’s name or any other information that taken together or used with other information could enable someone to determine an individual’s identity. (For example: date of birth, medical records number, health plan beneficiary numbers, address, zip code, phone number, email address, fax number, IP address, license numbers, full face photographic images or Social Security Number.
PHI excludes individually identifiable health information in education records covered by the Family Educational Right and Privacy Act (FERPA) (records described in 20 USC 1232g(a)(4)(B)(iv)) and employment records held by a covered entity in its role as employer. PHI also excludes information related to individuals who have been deceased for more than 50 years. (see also definitions of “health information” and “individually identifiable health information”)