Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble. Protected health information.

12/28/2000

We proposed to define "protected health information" to mean individually identifiable health information that is or has been electronically maintained or electronically transmitted by a covered entity, as well as such information when it takes any other form. For purposes of this definition, we proposed to define "electronically transmitted" as including information exchanged with a computer using electronic media, such as the movement of information from one location to another by magnetic or optical media, transmissions over the Internet, Extranet, leased lines, dial-up lines, private networks, telephone voice response, and "faxback" systems. We proposed that this definition not include "paper-to-paper" faxes, or person-to-person telephone calls, video teleconferencing, or messages left on voice-mail.

Further, "electronically maintained" was proposed to mean information stored by a computer or on any electronic medium from which the information may be retrieved by a computer, such as electronic memory chips, magnetic tape, magnetic disk, or compact disc optical media.

The proposal's definition explicitly excluded:

(1) individually identifiable health information that is part of an "education record" governed by the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. 1232g.

(2) individually identifiable health information of inmates of correctional facilities and detainees in detention facilities.

In this final rule we expand the definition of protected health information to encompass all individually identifiable health information transmitted or maintained by a covered entity, regardless of form. Specifically, we delete the conditions for individually identifiable health information to be "electronically maintained" or "electronically transmitted" and the corresponding definitions of those terms. Instead, the final rule defines protected health information to be individually identifiable health information that is:

(1) transmitted by electronic media;

(2) maintained in any medium described in the definition of electronic media at § 162.103 of this subchapter; or

(3) transmitted or maintained in any other form or medium.

We refer to electronic media, as defined in § 162.103, which means the mode of electronic transmission. It includes the Internet (wide-open), Extranet (using Internet technology to link a business with information only accessible to collaborating parties), leased lines, dial-up lines, private networks, and those transmissions that are physically moved from one location to another using magnetic tape, disk, or compact disk media.

The definition of protected health information is set out in this form to emphasize the severability of this provision. As discussed below, we believe we have ample legal authority to cover all individually identifiable health information transmitted or maintained by covered entities. We have structured the definition this way so that, if a court were to disagree with our view of our authority in this area, the rule would still be operational, albeit with respect to a more limited universe of information.

Other provisions of the rules below may also be severable, depending on their scope and operation. For example, if the rule itself provides a fallback, as it does with respect to the various discretionary uses and disclosures permitted under § 164.512, the provisions would be severable under case law.

The definition in the final rule retains the exception relating to individually identifiable health information in "education records" governed by FERPA. We also exclude the records described in 20 U.S.C. 1232g(a)(4)(B)(iv). These are records of students held by post-secondary educational institutions or of students 18 years of age or older, used exclusively for health care treatment and which have not been disclosed to anyone other than a health care provider at the student's request. (See discussion of FERPA above.)

We have removed the exception for individually identifiable health information of inmates of correctional facilities and detainees in detention facilities. Individually identifiable health information about inmates is protected health information under the final rule, and special rules for use and disclosure of the protected health information about inmates and their ability to exercise the rights granted in this rule are described below.