HIPAA: Scope and Definitions

Scope and Definitions [45 CFR 160.103]

Rule: HIPAA applies to covered entities and their business associates when handling protected health information (PHI).

Covered Entities

Entity Type	Examples
Healthcare providers	Hospitals, doctors, clinics, pharmacies, dentists
Health plans	Health insurers, HMOs, Medicare, Medicaid
Healthcare clearinghouses	Billing services, repricing companies

Business Associates

Organizations that perform services for covered entities involving access to PHI:

• Cloud service providers storing PHI
• Medical billing companies
• EHR vendors
• IT consultants with PHI access
• Attorneys, accountants with PHI access

Protected Health Information (PHI)

PHI is individually identifiable health information that:

1. Is created or received by a covered entity
2. Relates to physical/mental health, healthcare provision, or payment
3. Identifies or could identify the individual

The 18 HIPAA Identifiers

If ANY of these are present with health data, it’s PHI:

#	Identifier
1	Names
2	Geographic data (smaller than state)
3	Dates (except year) related to individual
4	Phone numbers
5	Fax numbers
6	Email addresses
7	Social Security numbers
8	Medical record numbers
9	Health plan beneficiary numbers
10	Account numbers
11	Certificate/license numbers
12	Vehicle identifiers
13	Device identifiers and serial numbers
14	Web URLs
15	IP addresses
16	Biometric identifiers
17	Full-face photos
18	Any other unique identifying number

De-identification

PHI becomes non-PHI when de-identified using either:

1. Expert Determination (§164.514(b)(1)) — Statistical expert certifies re-identification risk is very small
2. Safe Harbor (§164.514(b)(2)) — All 18 identifiers removed, no actual knowledge re-identification possible

What’s NOT Covered

Data Type	HIPAA Status
Employment records	Not PHI (even health data)
Student health records	FERPA applies, not HIPAA
Consumer health apps (non-CE)	Not HIPAA (FTC Act applies)
Research data (de-identified)	Not PHI

Citation

45 CFR 160.103 — Definitions