What is covered under HIPAA?

Many patients will be aware of HIPAA, and know that it guarantees some protections for their privacy, but what is covered under HIPAA? What kinds of information are safeguarded by the Act? 

Despite its strong association with patient privacy, only one section (Title II, "Administrative Simplification") of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is concerned with healthcare data. The remainder of the Act covers tax provisions, access to health coverage for people with pre-existing conditions, and the portability of health plans between jobs.

When Title II was first enacted, its aim was to prevent healthcare fraud and streamline healthcare administration. Since 1996, however, the Department of Health and Human Services (HHS) has used the authority it grants to issue a series of "Rules" covering different topics. The Privacy Rule, published in 2000 and amended in 2002, defines Protected Health Information (PHI) as individually identifiable health information that relates to an individual's past, present, or future physical or mental health, to the provision of healthcare to that individual, or to payment for that healthcare. To be PHI, the information must also be created, received, transmitted, or maintained by a HIPAA-covered entity or its business associate. The format (verbal, written, or electronic) does not matter; all PHI is covered by HIPAA.

The Privacy Rule's "Safe Harbor" de-identification method lists 18 pieces of information ("identifiers") that, if present in health data, make it individually identifiable and therefore PHI. Each could reasonably be used to work out the identity of the individual. If all 18 are removed, and the covered entity has no actual knowledge that the remaining data could identify the individual, the data is considered "de-identified" and is no longer PHI. (The other route to de-identification, a documented expert determination that the re-identification risk is very small, is not discussed here.) The identifiers are as follows:

  1. Names (full name, or last name and initial)
  2. All geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code), with one exception for ZIP codes: the initial three digits may be kept if, according to current publicly available U.S. Census Bureau data, the area formed by all ZIP codes sharing those three digits contains more than 20,000 people; where that area contains 20,000 or fewer people, the three digits must be changed to 000
  3. All elements of dates (except year) directly related to an individual, such as birth, admission, discharge, and death dates; additionally, all ages over 89 and any date element (including year) that would reveal such an age, although these may be aggregated into a single category of "age 90 or older"
  4. Phone Numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health insurance beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers (including serial numbers and license plate numbers)
  13. Device identifiers and serial numbers
  14. Web Uniform Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger, retinal and voice prints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code, except for a re-identification code that the covered entity assigns to the data, provided the code is not derived from information about the individual and the means of re-identification are not disclosed
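The list above is a checklist, and the two rules practitioners most often get wrong are the ZIP-code truncation (item 2) and the treatment of dates and ages over 89 (item 3). The following added example (not code from the original article or its author) applies the Safe Harbor rules to a flat patient record. It uses an allow-list rather than a deny-list, because item 18 is open-ended: any field not explicitly known to be safe is dropped. The set of restricted three-digit ZIP prefixes is included for illustration and is assumed; a real implementation must refresh it from current Census Bureau data. The field names and sample record are constructed for this example.

```python
"""Safe Harbor de-identification of a flat patient record (added example).

Rules applied, following the 18-identifier list:
  - every field not on the allow-list is dropped (covers items 1, 4-18)
  - ZIP codes are cut to three digits, or "000" for restricted areas (item 2)
  - dates are reduced to the year; ages over 89 become "90+" and the
    birth year is dropped because it would reveal the age (item 3)
"""
import re
from datetime import date

# Fields that carry no identifier and may be kept unchanged (constructed
# allow-list for this example; extend it only after review).
ALLOWED_AS_IS = {"sex", "state", "diagnosis_code", "procedure_code"}

# Three-digit ZIP prefixes whose combined population is 20,000 or fewer.
# ASSUMED for illustration; refresh from current Census Bureau data.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

ZIP_RE = re.compile(r"^\d{5}(?:-\d{4})?$")


def generalize_zip(zip_code: str) -> str:
    """Return the first three digits of a ZIP code, or "000" if that
    three-digit area is on the restricted (small-population) list."""
    zip_code = zip_code.strip()
    if not ZIP_RE.match(zip_code):
        raise ValueError(f"not a ZIP code: {zip_code!r}")
    prefix = zip_code[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def age_on(birth: date, as_of: date) -> int:
    """Whole years between birth and as_of."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def deidentify(record: dict, as_of: date) -> dict:
    """Apply the Safe Harbor rules to one record and return the result."""
    out = {}
    for field, value in record.items():
        if field in ALLOWED_AS_IS:
            out[field] = value
        elif field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field == "dob":
            age = age_on(value, as_of)
            if age > 89:
                # Year of birth would reveal the age, so only the
                # aggregated category survives.
                out["age"] = "90+"
            else:
                out["age"] = age
                out["birth_year"] = value.year
        elif isinstance(value, date):
            # Admission, discharge, death dates: keep the year only.
            out[field + "_year"] = value.year
        # Anything else (name, SSN, MRN, email, IP address, device serial,
        # free-text notes, ...) is dropped by omission.
    return out


# Constructed sample records; the values are fictitious.
SAMPLE_YOUNG = {
    "name": "Jane Q. Example", "ssn": "000-00-0000", "mrn": "MRN-1234",
    "email": "jane@example.invalid", "ip_address": "192.0.2.10",
    "zip": "02138", "dob": date(1980, 3, 15),
    "admission": date(2024, 1, 9), "sex": "F", "state": "MA",
    "diagnosis_code": "E11.9",
}
SAMPLE_OLD = dict(SAMPLE_YOUNG, zip="03601", dob=date(1930, 6, 1))

if __name__ == "__main__":
    print(deidentify(SAMPLE_YOUNG, date(2024, 6, 1)))
    print(deidentify(SAMPLE_OLD, date(2024, 6, 1)))
```

Note that the allow-list is the important design choice: a deny-list of the 17 named identifiers cannot satisfy item 18, and a field such as a free-text note can carry any of the identifiers inside it, so it must not be passed through unreviewed.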

HIPAA applies to healthcare providers, healthcare clearinghouses, and health plans (collectively "covered entities") and to their business associates, who have been directly liable for compliance since the 2013 Omnibus Rule. If any of these entities fails to protect PHI, it is in violation of HIPAA and may face penalties from the Department of Health and Human Services' Office for Civil Rights.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/