HIPAA Privacy Rule Information & Resources


Protected health information (PHI) is health information that:

  1. is transmitted or maintained in any form (electronic, oral, paper) by a covered entity; and
  2. identifies the individual or could reasonably be used to identify the individual; and
  3. relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of healthcare to an individual.

What kinds of information could identify or reasonably identify the individual? 

Any of the following information for the individual, relative, employer, or household member of the individual are examples if the 18 HIPAA identifiers:

  • Name, street address, city, county, precinct, zip code, geocodes smaller than state
  • Date of birth, ages > 89 years of age, or other dates such as diagnosis dates, procedure dates, admission or discharge dates
  • Telephone numbers, Fax numbers, E-mail addresses, Social Security number, Medical record number
  • Health plan beneficiary numbers, Account numbers, Certificate/license numbers
  • Any other combination of an unique identifying number, characteristic, or code (i.e. identifiable information from the EPIC media tab, free text fields in the EMR, etc.)
  • Vehicle identifiers and serial numbers or license numbers, Device identifiers and serial numbers
  • Web URLs, Internet Protocol (IP) address numbers, Biometric identifiers including finger/voice prints
  • Full face photographic images and any comparable images

Covered entity is a:

  1. health plan;
  2. health care clearinghouse (billing service); or
  3. health care provider that transmits health information electronically.

Key points:

  • The Privacy rule applies only to individually identifiable health information that is maintained by a covered entity.
  • If the health information is individually identifiable and if it is held by a covered entity, it is likely to be "protected health information."
  • The University of Iowa is considered a "hybrid entity" because it is a single legal component with both covered (e.g., UI Health Care, student health, College of Dentistry) and non-covered functions.


University of Iowa: