Information that is subject to HIPAA
Health information is "individually identifiable health information" for HIPAA purposes if it:
- Is created or received by a health plan, health provider, health care clearinghouse, employer, or certain other entities; and
- Relates to an individual's past, present, or future physical or mental health condition, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to the individual.
When individually identifiable health information is created or received by a HIPAA covered entity (or a business associate acting on a covered entity's behalf), it becomes protected health information (PHI) that is subject to HIPAA's privacy requirements. In addition, PHI in electronic form is subject to HIPAA's security requirements. For example, enrollment information that is received by a health plan (a HIPAA covered entity) is PHI as to the plan and is therefore subject to HIPAA's privacy requirements.
Unless PHI is used or disclosed for specified purposes (for example, treatment or payment), a covered entity must obtain an authorization from the individual who is the subject of the information in order to use or disclose it. In addition, a covered entity can use or disclose PHI without obtaining an individual's authorization if the use or disclosure is required by law or relates to judicial or administrative proceedings (for example, in response to a court order).
Understanding the basics of HIPAA ensures your law firm complies with regulations affecting medical data privacy.
legal.thomsonreuters.com