law is any information about health status, provision of health care, or payment for health care that is created or collected by a "Covered Entity" (or a Business Associate of a Covered Entity), and can be linked to a specific individual.
protects a subset of individually identifiable health information, known as protected health information or PHI, that is held or maintained by covered entities or their business associates acting for the covered entity. - The Privacy Rule does not protect individually identifiable health information that is held or maintained by entities other than covered entities or business associates that create, use, or receive such information on behalf of the covered entity.
(other than year) directly related to an individual
• Biometric identifiers, including finger, retinal and voice prints
• Full face photographic images and any comparable images
Security numbers
• Medical record numbers
• Health insurance beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial numbers
except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
unique identifying number, characteristic, or code, except the unique code assigned by the investigator to code the data. Just kidding. This statement leaves no vagueness about what counts as PHI: a unique identifying number can be used to trace someone, so it is PHI, and so on.
prints • URLs • IMEI • license numbers • any comparable images -- are all PHI
• Year in a date • the initial three digits of a zip code, if the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; where such a geographic unit contains 20,000 or fewer people, the initial three digits are changed to 000 -- aren't PHI, at least not yet
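As an added example (not part of the original text), here is the zip-code and date rule above applied as a small de-identification pass in Python: dates are reduced to the year, a zip code is reduced to its three-digit prefix unless the combined area for that prefix has 20,000 or fewer people, in which case it becomes 000, and fields holding the direct identifiers named in the list (SSN, medical record number, device serial, IMEI, URL, and so on) are dropped outright. The population figures, field names and sample record are constructed for the example; real population figures must come from current Census Bureau data.

```python
import re
from datetime import date, datetime

# Threshold from the rule: a three-digit prefix may be kept only if the
# combined area it denotes contains more than 20,000 people.
POPULATION_THRESHOLD = 20_000

# Constructed sample population figures per three-digit zip prefix. The real
# figures must be taken from current, publicly available Census Bureau data.
SAMPLE_POPULATION_BY_ZIP3 = {
    "021": 650_000,    # well above the threshold: prefix may be kept
    "036": 15_000,     # 20,000 or fewer: must be changed to 000
    "900": 1_200_000,
}

# Record fields assumed (for this example) to hold direct identifiers from
# the list above. These are removed rather than generalised.
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "ssn", "medical_record_number", "health_plan_beneficiary_number",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "imei", "url", "biometric", "full_face_photo",
})

def generalize_zip(zip_code, population_by_zip3, threshold=POPULATION_THRESHOLD):
    """Return the three-digit prefix, or '000' when the prefix's combined
    area has threshold or fewer people (or no known population figure)."""
    digits = re.sub(r"\D", "", str(zip_code))   # tolerate ZIP+4 and spacing
    if len(digits) not in (5, 9):
        raise ValueError(f"not a US zip code: {zip_code!r}")
    zip3 = digits[:3]
    # Fail closed: a prefix with no population figure cannot be shown to
    # exceed the threshold, so it is suppressed as well.
    if population_by_zip3.get(zip3, 0) > threshold:
        return zip3
    return "000"

def generalize_date(value):
    """Keep only the year; any finer date directly related to an individual
    is an identifier under the rule. Accepts date objects or ISO strings."""
    if isinstance(value, (date, datetime)):
        return str(value.year)
    return str(datetime.strptime(str(value), "%Y-%m-%d").year)

def deidentify_record(record, population_by_zip3,
                      date_fields=("date_of_birth", "admission_date"),
                      zip_field="zip"):
    """Apply the three treatments to one flat record and return a new dict."""
    out = {}
    for key, val in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                        # drop direct identifiers
        if key in date_fields:
            out[key] = generalize_date(val)
        elif key == zip_field:
            out[key] = generalize_zip(val, population_by_zip3)
        else:
            out[key] = val                  # non-identifying field, keep
    return out

if __name__ == "__main__":
    # Constructed sample record for demonstration only.
    sample = {
        "ssn": "000-00-0000",
        "medical_record_number": "MRN-EXAMPLE",
        "zip": "03601-1234",
        "date_of_birth": "1984-03-15",
        "diagnosis": "amputation",
    }
    print(deidentify_record(sample, SAMPLE_POPULATION_BY_ZIP3))
```

The fail-closed choice in generalize_zip matters in practice: a prefix missing from the population table is treated as small-population and suppressed, so a stale or incomplete lookup table degrades toward more suppression, not toward leaking a prefix that should have been 000.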
data collected in the course of providing and paying for health care. It is important to understand that the source of the data is as relevant as the data itself when determining if something is PHI under US law. For example, you may observe someone on the street with an obvious medical condition such as an amputation. US law does NOT restrict you from using or sharing that information. However, if you had obtained information about the amputation exclusively from a protected source, such as from an electronic medical record, the data would be protected.
need to check with your organization's information security team and make sure you understand the full extent of HIPAA and the PHI that falls under it. For more see: https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/