Individually identifiable health information is considered PHI protected under HIPAA when ALL of the following apply:
- Obtained from a covered entity (healthcare provider, plan, or clearinghouse)
- Containing any direct or indirect identifiers from a defined “HIPAA identifiers” list
- About health, healthcare, and/or payment for healthcare
See Research A-Z webpages HIPAA and Protected Health Information (PHI).