Was your question relating to health insurance?
Maybe the reason is that many on this forum are P&C people. HIPAA and PHI were always from the beginning about private health information. That didn't stop everyone from deeming everything under the sun as PHI. For a while I was seeing encrypted docs of renewing auto and HO policies.
Protected Health Information Includes
Protected health information includes all individually identifiable health information, including demographic data, medical histories, test results, insurance information, and other information used to identify a patient or provide healthcare services or healthcare coverage. 'Protected' means the information is protected under the HIPAA Privacy Rule.
"The HIPAA Privacy Rule
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections."
https://www.hhs.gov/hipaa/for-professio ... index.html
Protected health information is defined in the Code of Federal Regulations and applies to health records, but not education records which are covered by other federal regulations, and neither records held by a HIPAA-covered entity related to its role as an employer. In the case of an employee-patient, protected health information does not include information held on the employee by a covered entity in its role as an employer, only in its role as a healthcare provider.
PHI does not include individually identifiable health information of persons who have been deceased for more than 50 years.
What is Individually Identifiable Health Information?
When individually identifiable information is used by a HIPAA covered entity or business associate in relation to healthcare services or payment it is classed as protected health information.
There are 18 identifiers that can be used to identify, contact, or locate a person. If health information is used with any of these identifiers it is considered identifiable. If PHI has all of these identifiers removed, it is no longer considered to be protected health information. (see de-identification of protected health information)
Names (Full or last name and initial)
All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the U.S. Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
Dates (other than year) directly related to an individual
Social Security numbers
Medical record numbers
Health insurance beneficiary numbers
Vehicle identifiers (including serial numbers and license plate numbers)
Device identifiers and serial numbers
Web Uniform Resource Locators (URLs)
Internet Protocol (IP) address numbers
Biometric identifiers, including finger, retinal and voice prints
Full face photographic images and any comparable images
Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
PHI Health Apps
There is some confusion around PHI and health apps, as they often collect information that is classed as PHI when it is recorded or used by a healthcare provider. Health apps record information such as heart rate data, and the data include personal identifiers. However, the data collected by these apps and trackers are not always covered by HIPAA Rules. App developers can be business associates, but for the most part they are not.
If a HIPAA covered entity develops a health app for use by patients or plan members and it collects, uses, stores, or transmits protected health information, the information must be protected in line with HIPAA Rules.
If a physician recommends a PHI health app be used by a patient, such as for tracking BMI or heart rate data, the information is not subject to HIPAA Rules as the app was not created for the physician.
A third-party health app developer would be classed as a business associate, and required to comply with HIPAA, if the app has been created for a HIPAA-covered entity and it collects, uses, stores, or transmits identifiable health information or if the developer is contracted with a HIPAA-covered entity to provide health monitoring services via the app.
PHI health app guidance was issued by OCR in 2016 and can be viewed on this link (PDF).
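The identifier list above describes the Safe Harbor route to de-identification: strip the listed identifiers, reduce dates to the year, and collapse ZIP codes to three digits (or to 000 for low-population prefixes). The following Python is an added example of how that looks as code; it is not from the forum post, HHS, or any published de-identification tool. The field names, the regular expressions, the sample record and the LOW_POPULATION_ZIP3 set are all assumptions constructed for the example; the real set of low-population ZIP prefixes has to be derived from current Census data. It also covers two details the list above does not spell out but which are in the same regulation (45 CFR 164.514(b)(2)): ages over 89 collapse to a single "90+" category, and a birth year that would reveal such an age is dropped too.

```python
"""Field-level Safe Harbor de-identification (added example, not from the page)."""
from __future__ import annotations

import re

# CONSTRUCTED placeholder: 3-digit ZIP prefixes whose combined population is
# 20,000 or fewer must collapse to "000". The authoritative set must be derived
# from current U.S. Census data; these three values are illustrative only.
LOW_POPULATION_ZIP3 = {"036", "059", "102"}

# Assumed record layout for this example. Phone, fax, e-mail, account numbers
# and certificate/licence numbers are also among the 18 identifiers in
# 45 CFR 164.514(b)(2) even though the list above does not show them.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "ssn", "mrn", "insurance_id", "phone", "fax", "email",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip", "biometric", "photo",
    "street", "city", "county",   # geographic units smaller than a state
}
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}

# Residual-identifier patterns for free-text fields (assumed, not exhaustive).
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits unless that prefix is low-population."""
    digits = re.sub(r"\D", "", zip_code)
    zip3 = digits[:3]
    if len(zip3) < 3 or zip3 in LOW_POPULATION_ZIP3:
        return "000"
    return zip3


def generalize_date(iso_date: str) -> str:
    """Drop every element of an ISO YYYY-MM-DD date except the year."""
    return iso_date[:4]


def generalize_age(age: int) -> str:
    """Ages over 89 collapse to a single '90+' category."""
    return "90+" if age > 89 else str(age)


def scan_free_text(text: str) -> list[tuple[str, str]]:
    """Return (kind, match) pairs for identifier-shaped strings in free text."""
    hits: list[tuple[str, str]] = []
    for kind, pattern in FREE_TEXT_PATTERNS.items():
        hits.extend((kind, m.group(0)) for m in pattern.finditer(text))
    return hits


def deidentify(record: dict) -> tuple[dict, list[str], list[tuple[str, str, str]]]:
    """Return (de-identified record, removed field names, free-text flags)."""
    out: dict = {}
    removed: list[str] = []
    flagged: list[tuple[str, str, str]] = []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            removed.append(key)
        elif key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key in DATE_FIELDS:
            out[f"{key}_year"] = generalize_date(value)
        elif key == "age":
            out["age"] = generalize_age(value)
        else:
            out[key] = value
            if isinstance(value, str):
                flagged.extend((key, kind, m) for kind, m in scan_free_text(value))
    # A birth year combined with an age over 89 is itself indicative of that
    # age, so it is dropped along with the exact age.
    if isinstance(record.get("age"), int) and record["age"] > 89:
        out.pop("dob_year", None)
    return out, removed, flagged


# CONSTRUCTED sample record; every value is fictional.
SAMPLE_RECORD = {
    "name": "Jane Q. Public",
    "mrn": "MRN-0001234",
    "ssn": "123-45-6789",
    "dob": "1931-04-12",
    "age": 93,
    "street": "1 Example Street",
    "city": "Anytown",
    "state": "NH",
    "zip": "03601",
    "admission_date": "2024-02-29",
    "diagnosis": "Type 2 diabetes mellitus",
    "notes": "Patient reachable at 603-555-0100 or jane@example.org",
}

if __name__ == "__main__":
    cleaned, dropped, flags = deidentify(SAMPLE_RECORD)
    print(cleaned)
    print("removed:", dropped)
    print("free-text flags:", flags)
```

The free-text scan is the part to notice: field stripping handles the structured identifiers, but "any other unique identifying number, characteristic, or code" can hide in a notes field, so the function returns flags for a reviewer rather than silently declaring the record de-identified.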