not constitute ( 1) an education record protected under the Family Educational
Rights and Privacy Act of 1974 (FERPA); 40 ( 2) a student treatment record
excepted from protection under FERPA; 41 ( 3) an employment record held by
a covered entity in its role as an employer; 42 or ( 4) individually identifiable
health information regarding a person who has been deceased for more than
50 years. 43 The name given by the Privacy Rule to the subset of IIHI
described in the previous sentence is protected health information (PHI). 44
Before using or disclosing PHI, the Privacy Rule requires covered entities
and BAs to adhere to one of three different rules depending on the purpose
of the information use or disclosure. 45 These rules reflect HHS’s desire to
appropriately balance the interest of individuals in maintaining the
confidentiality of their PHI with a wide range of societal interests in
obtaining, using, or disclosing PHI, some of which may have greater societal
importance and value than others. 46
The first rule allows covered entities and BAs to use and disclose PHI with
no prior permission from the individual who is the subject of the PHI—but
only in certain situations. That is, covered entities may freely use and disclose
PHI without any form of prior permission in order to carry out their own
received by a health care provider, health plan, employer, or health care clearinghouse; and
( 2) Relates to the past, present, or future physical or mental health or condition of an
individual; the provision of health care to an individual; or the past, present, or future payment
for the provision of health care to an individual; and ( i) That identifies the individual; or ( ii)
With respect to which there is a reasonable basis to believe the information can be used to
identify the individual.” See 45 C.F.R. § 160.103 (2016).
40. Id. § 160.103 (defining protected health information).
44. Id. (using the phrase protected health information).
45. Id. §§ 164.502–164.514 (setting forth the use and disclosure requirements applicable
to covered entities and business associates).
46. See text accompanying supra note 39.