What Health Information Is Protected
by the Privacy Rule?
Key Points:
- With certain exceptions, the Privacy Rule protects a subset of individually identifiable health information, known as protected health information or PHI, that is held or maintained by covered entities or their business associates acting for the covered entity.
- The Privacy Rule does not protect individually identifiable health information that is held or maintained by entities other than covered entities or business associates that create, use, or receive such information on behalf of the covered entity.
To understand the possible impact of the Privacy Rule on their work, researchers will need to understand what individually identifiable health information is and is not protected under the Rule. With certain exceptions, the Privacy Rule protects a certain type of individually identifiable health information, created or maintained by covered entities and their business associates acting for the covered entity. This information is known as “protected health information” or PHI.
The Privacy Rule defines PHI as individually identifiable health information, held or maintained by a covered entity or its business associates acting for the covered entity, that is transmitted or maintained in any form or medium (including the individually identifiable health information of non-U.S. citizens). This includes identifiable demographic and other information relating to the past, present, or future physical or mental health or condition of an individual, or the provision or payment of health care to an individual that is created or received by a health care provider, health plan, employer, or health care clearinghouse. For purposes of the Privacy Rule, genetic information is considered to be health information.
There are, however, instances when individually identifiable health information held by a covered entity is not protected by the Privacy Rule. The Rule excludes from the definition of PHI individually identifiable health information that is maintained in education records covered by the Family Educational Right and Privacy Act (as amended, 20 U.S.C. 1232g) and records described at 20 U.S.C. 1232g(a)(4)(B)(iv), and employment records containing individually identifiable health information that are held by a covered entity in its role as an employer.
A critical point of the Privacy Rule is that it applies only to individually identifiable health information held or maintained by a covered entity or its business associate acting for the covered entity. Individually identifiable health information that is held by anyone other than a covered entity, including an independent researcher who is not a covered entity, is not protected by the Privacy Rule and may be used or disclosed without regard to the Privacy Rule. There may, however, be other Federal and State protections covering the information held by these entities that limit its use or disclosure.
When health information is individually identifiable and is held by a covered entity, it is likely to be PHI. In contrast, the HHS Protection of Human Subjects Regulations describe “private information” as including information about behavior that occurs in a context in which an individual can reasonably expect that no observation or recording is taking place, and information which has been provided for specific purposes by an individual and which the individual can reasonably expect will not be made public (for example, a medical record). Under the HHS Protection of Human Subjects Regulations, private information must be individually identifiable (i.e., the identity of the subject is or may readily be ascertained by the investigator or associated with the information) in order for obtaining the information to constitute research involving human subjects unless data are obtained through intervention or interaction with the individual.
Area of Distinction |
HIPAA Privacy Rule |
HHS Protection of Human Subjects Regulations Title 45 CFR Part 46 |
FDA Protection of Human Subjects Regulations Title 21 CFR Parts 50 and 56 |
Identifiable Information |
Defines PHI as individually identifiable health information that is transmitted or maintained in any form or medium (electronic, oral, or paper) by a covered entity or its business associates, excluding certain educational and employment records. |
Private information must be individually identifiable in order for obtaining the information to constitute research involving human subjects. Individually identifiable means the identity of the subject is or may readily be ascertained by the investigator or associated with the information. |
Title 21 CFR Parts 50 and 56 do not define individually identifiable health information. |