NRPM: Standards for Privacy of Individually Identifiable Health Information. 2. Covered information.


We propose to apply the standards in this proposed regulation to individually identifiable health information that is or has been electronically transmitted or maintained by a covered entity, including such information when it is in non-electronic form (e.g., printed on paper) or discussed orally. In this proposed regulation, such information is referred to as “protected health information.” See discussion of the definition in section II.B. Under HIPAA, our authority to promulgate privacy standards extends to all individually identifiable health information, in any form, maintained or transmitted by a covered entity. For reasons discussed below, we are proposing to limit the application of the proposed standards to protected health information. Below we invite comment on whether we should apply the standards to a broader set of individually identifiable health information in the future.

Under the proposal, the standards apply to information, not to specific records. Thus, once protected health information is transmitted or maintained electronically, the protections afforded by this regulation would apply to the information in any form and continue to apply as the information is printed, discussed orally or otherwise changed in form. It would also apply to the original paper version of information that is at some point transmitted electronically. The authority for, and implications of, this scope are discussed in detail in this section, below.

This proposed regulation would not apply to information that has never been electronically maintained or transmitted by a covered entity.