Many organizations don’t understand that not all health information is PHI and apply HIPAA more broadly than is required. This has implications for which organizations are considered Business Associates (because an organization must handle PHI to be considered a Business Associate) and how HIPAA is applied within Covered Entities and Business Associates. This post takes a deep dive into the definition of PHI to help organizations determine if and how HIPAA applies to them.
