HIPAA is concerned with protected health information (PHI). Think of PHI as identifiable data, or personally identifiable information (PII), that is associated with health data. PII + health data = PHI. Health data can be health status (condition, medication, etc.), payment for health services, and delivery of care.
To determine if data is PHI, one additional filter needs to be applied. According to Health and Human Services (HHS), PHI is personal health information held by covered entities. Identifiable health data held by an Internet site or mobile app that is not owned or being used by a covered entity is not PHI. Many direct-to-consumer health companies, such as personal health record storage companies, are not covered entities, so the identifiable health data they collect, store, and process is not PHI.
HIPAA is focused on traditional care delivery organizations and has not been updated to reflect new approaches to care, especially direct-to-consumer health offerings. As such, not all identifiable health data is PHI.
While HIPAA remains behind the times when it comes to care delivery models, the definition of PII has evolved over the last several years with expanded digital footprints and new technologies. In addition to traditional items like names, Social Security numbers, and medical record numbers, things like social media account names, IP addresses, cookies, and even web browser profiles can identify individuals or be used to trace the identity of individuals.
The US Government defines PII as “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.”
PII does not have a strict list of items. It needs to be determined on a case-by-case basis, considering the different ways data can be combined.
The rule of thumb you should follow is to use your best judgment in assessing whether data is considered PII and, if it is combined with health data, whether it is PHI.