Which statement best describes protected health information (PHI) under HIPAA?

• A. Identifiable health information created or held by covered entities and their business associates.
• B. De-identified health information.
• C. Personal data not related to health care.
• D. Health information stored in non-healthcare contexts.

Answer: (A)

Protected health information (PHI) refers to health information that is identifiable and is created or received by covered entities (like doctors, hospitals) and their business associates, in any form, and relates to the individual’s past, present, or future health, the care provided, or the payment for that care. That matches the statement because it emphasizes identifiable health information and ties it to entities covered by HIPAA. De-identified data isn’t PHI because the identifiers are removed. Personal data not related to health care isn’t PHI, and health information isn’t limited to being stored in healthcare settings—the key factors are identifiability, health relevance, and the involvement of a covered entity or business associate.