What is Individually Identifiable Health Information?
Individually identifiable health information is information relating to an individual’s past, present, or future health condition, treatment for the condition, and payment for the treatment that identifies the individual or that could be used to identify the individual. It is important to be aware that information that could be used to identify an individual is not always Protected Health Information (PHI).
HIPAA and Individually Identifiable Health Information
Under HIPAA §160.103, individually identifiable health information is defined as a subset of health information – including demographic information collected from an individual – created or received by a healthcare provider, health plan, employer, or health care clearinghouse that relates to the past, present, or future health condition, treatment for the condition, or payment for the treatment.
To qualify as individually identifiable health information under HIPAA, the information also has to identify the individual who is the subject of the health information, or could be used with other information maintained in the same designated record set to identify the individual. This can include names or other identifying information of friends, family members, and employers.
Covered Entities and Designated Record Sets
There are two reasons why “information that could be used to identify an individual is not always PHI”. The first is that the regulations for the “Privacy of Individually Identifiable Health Information” (the HIPAA Privacy Rule) only apply to organizations that qualify as covered entities. Not all healthcare providers qualify as covered entities (e.g., therapists that bill patients directly do not qualify as covered entities), and employers do not qualify as covered entities in their role as an employer.
The second reason is that medical and billing records are maintained in “designated record sets”. An individual can have multiple designated record sets maintained by the same organization either because they have received treatment from multiple departments or to manage access to PHI more easily. A single piece of health information can be PHI. So, for example, a signed HIPAA authorization form maintained in a document archive with no other medical information is a
Non-Health Identifying Information and PHI
When non-health identifying information – for example, an individual’s address – is maintained in a designated record set with individually identifiable health information – for example, a test result – the individual’s address assumes the same HIPAA Privacy Rule protections as the test result. However, when the address is maintained in a separate database with non-health information – for example, in a transportation database with fewer access privileges – it is not protected by the HIPAA Privacy Rule.
In this example, the address is PHI when it is in the same designated record set as individually identifiable health information, but not PHI when it is maintained in a separate record set with other information that does not relate to an individual’s past, present, or future health condition, treatment for the condition, or payment for the treatment. It is important for healthcare providers to be aware of this distinction – and to train workforce members on the distinction – to prevent bottlenecks in the flow of operational information.
The Misunderstanding about the 18 HIPAA Identifiers
In §164.514 of the HIPAA Privacy Rule, there is a list of 18 HIPAA identifiers that have to be removed from a designated record set before the designated record set can be considered de-identified under the safe harbor method. This list is sometimes misinterpreted as a list of PHI identifiers that must be protected in every instance. This is not the case and – as explained above – the identifiers are only PHI when they are maintained alongside individually identifiable health information. When maintained by themselves, they are not protected by the HIPAA Privacy Rule.
It is also important to be aware that the list of 18 HIPAA identifiers was compiled at the end of the last century and is out of date. Since the list was originally compiled, identifiers that have become more likely to identify an individual include social media aliases, Medicare Beneficiary Identifiers, and details about emotional support animals, while codes such as IP addresses should no longer necessarily be considered HIPAA identifiers due to the increased use of VPNs, WLANs, and proxy Internet addresses.
Some State Laws Can Overlay HIPAA’s Definition
Several states have enacted medical record privacy laws that overlay HIPAA inasmuch as HIPAA provides a “federal floor” of privacy protections which states can overlay if they feel it is necessary to do so. In such cases, if a provision of state law offers more privacy protections or more patients’ rights than the equivalent provision of HIPAA, the state law applies for that provision. In all other cases, HIPAA still applies.
An example of a state law that frequently overlays HIPAA is California’s Confidentiality of Medical Information Act (CMIA). This is relevant to a discussion about what is individually identifiable health information because, in September 2025, the Californian Senate enacted an amendment to the Act which requires a patient’s place of birth and immigration status to be classified as individually identifiable health information.
Conclusion – The Importance of Understanding IIHI
The importance of understanding individually identifiable health information (IIHI) is that not all IIHI is protected (if the owner of the information is not a covered entity or business associate) and that non-health information can be protected or not protected depending on how it is maintained. Covered entities and business associates concerned that they do not fully understand IIHI should seek professional compliance advice.