When does HIPAA apply to biomedical material?

HIPAA applies to biomedical material when it includes personal identifiers that can link it to an individual.

Defining protected health information

The HIPAA Privacy Rule protects protected health information (PHI) by limiting who can access and disclose your PHI without your consent. The HHS defines it as, “...information, including demographic data, that relates to:

• the individual's past, present or future physical or mental health or condition,
• the provision of health care to the individual, or
• the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.”

PHI refers to any information in a medical record that can identify an individual and that was created, used, or disclosed in the course of providing a health care service, such as a diagnosis or treatment. It can include medical records, billing records, and any other data that a healthcare provider has used to make decisions about your health. PHI is not just about your medical condition. 

When is biomedical material considered PHI

Biomedical material is considered PHI when it contains identifiers that can link it to an individual. This includes material like blood samples, biopsies, and genetic data. If these contain personal details such as names, dates, or medical records numbers, they fall under PHI. This classification triggers HIPAA protections. 

When is biomedical information, not PHI? 

HIPAA does not apply to biomedical information under the following circumstances:

• The information has been completely de-identified, removing all personal identifiers according to HIPAA standards and ready to be used in research.
• It is contained in the records of a person who has been deceased for more than 50 years.
• It is part of a data set used for education or training, where all identifiers have been securely removed.
• It is used for employment records, even if the records include health-related information, as long as the employer is not a healthcare provider engaging in standard HIPAA transactions.
• It is part of a research study where the Privacy Board has approved a waiver of HIPAA requirements.
• It involves records that are not transmitted or maintained in electronic form nor transactions that HIPAA typically covers.

See also: HIPAA Compliant Email: The Definitive Guide

FAQs

What is HIPAA? 

HIPAA is a U.S. law that protects the privacy of individuals' medical records and other personal health information.

What is ePHI? 

Electronic Protected Health Information is any health information that is held or transferred in electronic form and is protected under HIPAA.

What is the minimum necessary standard?

The minimum necessary standard is a HIPAA requirement that mandates healthcare providers and organizations to access, use, or disclose only the least amount of personal health information needed to perform a task.