The HIPAA Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information” (PHI).  

The Privacy Rule defines “Individually identifiable health information” as information, including demographic data, that relates to: 

• the individual’s past, present or future physical or mental health or condition
• the provision of health care to the individual
• the past, present, or future payment for the provision of healthcare to the individual
• that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number)