What does HIPAA Protect?

healthcare cybersecurity

Common HIPAA MythsWe may know what HIPAA stands for and what the Act generally does, but what does HIPAA Protect? What kinds of information are information are covered by the Act? 

When the Health Insurance Portability and Accountability Act was first introduced in 1996, one of its main goals was to ensure that patient privacy was upheld. To achieve this goal, several subsequent “Rules” were added to the Act. One, the HIPAA Privacy Rule, stipulated how and when patient information could be used and disclosed; another, the HIPAA Security Rule, laid out what safeguards are required to keep electronic versions of these records safe. But what information is protected? 

HIPAA protects individually-identifiable health Information that is created, maintained, or transmitted by a HIPAA Covered Entity (CE) or their Business Associate (BA). The data must be used in a HIPAA-covered transaction, such as for treatment, healthcare operations, or payment for healthcare. 

The types of data that are protected may include diagnoses, test results, prescriptions, etc. These must “individually-identifiable”; that is, they must be able to be traced back to an individual person.

Identifiers are essentially any demographic data that can be used to trace the identity of an individual. 

The 18 “HIPAA Identifiers” are as follows: 


Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

  • Names 
  • Geographical identifiers smaller than ZIP codes
  • Dates (other than year) directly related to an individual
  • Phone Numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health insurance beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers
  • Device identifiers and serial numbers;
  • Website URLs
  • IP address numbers
  • Biometric identifiers
  • Full-face photographic images and any comparable images
  • Any other unique identifying number, characteristic, or code

Any information held by a CE or BA, irrespective of its format, that contains these

data must be protected under HIPAA. If this information is accessed by unauthorized individuals, it leaves patients vulnerable to identity theft or fraud. Being the victim of such crimes can damage a patient’s credit score or cause their insurance premiums to increase. This makes PHI very valuable on the black market. 

Importantly, it does not matter how generic the identifier is – Jane Smith from New York City is equally as protected as Jane Smith from Geneva, New York. It would be impracticable for HIPAA to differentiate between these two types of information, but also it would not take that much more effort to identify one of these patients over the other, even if they live in a bigger city. 

PHI must not be disclosed unless the disclosure is in alignment with the HIPAA Privacy Rule. To ensure the proper disclosure of PHI, all employees should be trained in HIPAA compliance. 

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/