Individually identifiable health information (IIHI) is any health-related data that can be tied back to a specific person. Under HIPAA, it covers information about someone’s past, present, or future physical or mental health, any health care they received, or any payment for that care, as long as it includes details that identify the person or could reasonably be used to identify them. This definition is the foundation of nearly every privacy protection in U.S. health care.
What Counts as IIHI
For information to qualify as IIHI, it must meet two conditions at the same time. First, it has to relate to a person’s health, their health care, or how that care was paid for. Second, it has to either directly identify the person (like including their name) or contain enough detail that someone could reasonably figure out who they are.
That second condition is broader than most people expect. A medical record with a patient’s name attached is an obvious example. But a billing statement that includes a date of service, a ZIP code, and a diagnosis could also qualify if those details, taken together, could point back to a specific individual. Demographic data like age, gender, and address count too, as long as they’re paired with health information. The standard isn’t whether someone *has* identified the person, but whether they reasonably *could*.
IIHI vs. Protected Health Information
These two terms are closely related but not identical. Protected health information (PHI) is a subset of IIHI. The difference comes down to who holds the data. IIHI becomes PHI when it is created, received, maintained, or transmitted by a covered entity or its business associate. In practical terms, the same medical record sitting in a hospital’s system is PHI, but the same information written in a personal journal at home is not, because it was never handled by an organization that HIPAA regulates.
Covered entities fall into three categories: health care providers (doctors, clinics, pharmacies, nursing homes, dentists, psychologists) who transmit information electronically, health plans (insurance companies, HMOs, employer health plans, Medicare, Medicaid), and health care clearinghouses that process claims data. Any outside company these entities hire to handle health data, like a billing service or cloud storage provider, becomes a business associate and takes on its own HIPAA obligations through a written contract.
The 18 Identifiers That Make Data Identifiable
HIPAA spells out 18 specific data points that can make health information identifiable. These identifiers apply not just to the patient but also to their relatives, employers, and household members. The full list:
- Names
- Geographic data smaller than a state (street address, city, county, ZIP code), though the first three digits of a ZIP code can sometimes be kept if the area sharing those three digits has more than 20,000 people
- Dates directly related to an individual (birth date, admission date, discharge date, death date), except that the year alone is permitted; all ages over 89 must be grouped into a single “90 or older” category
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate or license numbers
- Vehicle identifiers and serial numbers, including license plates
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers (fingerprints, voiceprints)
- Full-face photographs or comparable images
- Any other unique identifying number, characteristic, or code
These 18 identifiers matter most when organizations want to strip data of its identifying features, a process called de-identification. If you remove all 18 and have no reason to believe the remaining data could still identify someone, the information is no longer considered IIHI under the Safe Harbor method. An alternative path, called Expert Determination, uses a qualified statistician to certify that the risk of identifying any individual from the remaining data is very small.
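As an added example that is not part of the original article, the following Python applies the Safe Harbor rules described above to a constructed patient record: direct identifiers are dropped, dates are reduced to the year, ZIP codes keep their first three digits only when the (hypothetical) population table says that area exceeds 20,000 people, and ages over 89 collapse into “90 or older”. The field names and population figures are assumptions made for the example.

```python
from datetime import date

# Field names standing in for the direct identifiers on the 18-identifier list
# (assumed names for this example). These are removed outright.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "plan_id", "account_no",
    "license_no", "vehicle_id", "device_id", "url", "ip", "biometric", "photo",
}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Constructed population figures per three-digit ZIP prefix (not real data).
ZIP3_POPULATION = {"021": 650_000, "036": 12_000}


def generalize_zip(zip_code, populations=ZIP3_POPULATION):
    """Keep the first three digits only if that area has more than 20,000 people."""
    prefix = zip_code[:3]
    return prefix if populations.get(prefix, 0) > 20_000 else None


def generalize_age(age):
    """Ages over 89 are grouped into a single '90 or older' bucket."""
    return "90 or older" if age > 89 else age


def safe_harbor_deidentify(record, populations=ZIP3_POPULATION):
    """Return a copy of `record` with the Safe Harbor identifier rules applied.

    The catch-all 'any other unique identifying code' rule and the 'no actual
    knowledge of re-identifiability' condition need human review; this code
    only handles the mechanical rules.
    """
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field in DATE_FIELDS:
            # Accept either a date object or an ISO-formatted string.
            year = value.year if isinstance(value, date) else int(str(value)[:4])
            out[field[:-5] + "_year"] = year  # e.g. admission_date -> admission_year
        elif field == "zip":
            zip3 = generalize_zip(value, populations)
            if zip3 is not None:
                out["zip3"] = zip3
        elif field == "age":
            out["age"] = generalize_age(value)
        else:
            out[field] = value  # health fields (diagnosis, payer, ...) stay
    return out


# Constructed sample record used to exercise the rules.
SAMPLE_RECORD = {
    "name": "Jane Example", "ssn": "000-00-0000", "email": "jane@example.com",
    "ip": "203.0.113.7", "zip": "02115", "age": 93,
    "admission_date": date(2023, 5, 14), "discharge_date": "2023-05-20",
    "diagnosis": "J18.9 pneumonia", "payer": "commercial",
}
```

Running `safe_harbor_deidentify(SAMPLE_RECORD)` leaves only the diagnosis, payer, admission and discharge years, the three-digit ZIP prefix, and the “90 or older” age bucket.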
How IIHI Applies to Websites and Digital Tracking
The rise of tracking technologies on health care websites has pushed the definition of IIHI into new territory. Cookies, tracking pixels, session replay scripts, and fingerprinting tools all collect user data, and when a hospital or health plan’s website uses them, the information captured can qualify as IIHI.
HHS has stated that IIHI collected on a covered entity’s website or app is generally PHI, even if the visitor has no existing relationship with that organization and even if the data doesn’t include specific treatment or billing details. An IP address or geographic location collected from someone browsing a hospital’s oncology page to explore treatment options for their own cancer, for example, could be considered PHI because the browsing activity is connected to that person’s health.
There is a limit, though. Simply visiting a webpage that lists health conditions or health care providers doesn’t automatically create IIHI. If a user’s visit isn’t related to their own past, present, or future health care, connecting their IP address to that page visit alone isn’t enough. The information has to be both identifiable and related to the individual’s health or health care. A 2024 federal court ruling in Texas further narrowed HHS’s guidance on this point, vacating the portion that said HIPAA obligations are triggered whenever an IP address is connected to a visit to a public webpage about specific health conditions. HHS is still evaluating next steps.
What HIPAA Does Not Cover
Not all health-related information about you falls under HIPAA. The law only applies to covered entities and their business associates. Your employer’s personnel files, even if they contain health details from a fitness-for-duty exam, are not PHI unless they were received from a covered entity acting in its health care capacity. Student health records held by a school are typically governed by FERPA, not HIPAA. Health data you share with a fitness app or a consumer DNA testing company generally falls outside HIPAA’s reach too, because those companies are not covered entities.
This gap catches many people off guard. The same diagnosis on paper could be HIPAA-protected in one setting and completely unprotected in another, depending entirely on who holds the data and how they received it.
Penalties for Mishandling IIHI
When IIHI becomes PHI in the hands of a covered entity, mishandling it carries real financial consequences. HIPAA’s civil penalty structure has four tiers based on the level of fault:
- Tier 1, lack of knowledge: $141 to $71,162 per violation
- Tier 2, reasonable cause without willful neglect: $1,424 to $71,162 per violation
- Tier 3, willful neglect corrected within 30 days: $14,232 to $71,162 per violation
- Tier 4, willful neglect not corrected within 30 days: $71,162 to $2,134,831 per violation
Each tier carries an annual cap of roughly $2.13 million for repeated violations of the same provision. These penalty amounts were updated in August 2024. Criminal penalties, handled by the Department of Justice, can go further for cases involving intentional misuse of health information.
Why the Definition Matters in Practice
Understanding what qualifies as IIHI shapes how your data gets handled at every touchpoint in the health care system. It determines whether a researcher can use your medical records without asking permission (they can, if the data has been properly de-identified). It governs whether a hospital can share your information with a third-party analytics vendor (only with a business associate agreement in place). And it increasingly affects what happens when you visit a health care website, since the data collected by tracking tools may carry the same legal protections as the chart in your doctor’s office.