1. Identifies an individual: This means the information can be used to identify a specific person. Examples include:
* Direct identifiers: Name, address (including street address, city, county, precinct, zip code, and geographic coordinates), all elements of dates (except year) related to an individual, telephone numbers, fax numbers, email addresses, social security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers and serial numbers, including license plate numbers, device identifiers and serial numbers, web universal resource locators (URLs), internet protocol (IP) address numbers, biometric identifiers, including finger and voice prints, full-face photographic images and any comparable images, and any other unique identifying number, characteristic, or code.
* Indirect identifiers: Information that, while not directly identifying, could reasonably be used to identify an individual in conjunction with other readily available information. Examples might include age (if combined with other identifying information), employment information, or even a description like "the only female patient with a specific rare condition treated at this hospital." The context is key here; information that's not identifying in isolation could become PHI when combined with other data.
2. Relates to the individual's past, present, or future physical or mental health or condition: This includes diagnoses, symptoms, test results, treatment plans, and other health-related information. It also includes information about the individual's provision of healthcare.
3. Relates to the provision of healthcare to the individual; or the past, present, or future payment for the provision of healthcare to the individual: This encompasses billing information, insurance details, and other payment-related data.
Therefore, a piece of information would be considered PHI only if it satisfies *all three* of these conditions. For example, a name alone is not PHI, nor is a diagnosis without an individual identifier. However, a patient's name combined with their diagnosis and treatment details *is* PHI.