...
“Protected Health Information (PHI)” means individually identifiable health information that relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual or the past, present or future payment for the provision of health care to an individual and identifies or could reasonably be used to identify the individual. If a patient has been deceased for more than fifty (50) years, the PHI is no longer considered protected. This does is not a record retention requirement and covered entities may destroy medical records according to the State or other applicable laws. When individually identifiable health information is created, received, maintained or transmitted by a Business Associate and tied to a covered entity is considered PHI.
Except as provided in paragraph (b) of this definition that is:
transmitted by electronic media
maintained in electronic media
transmitted or maintained in any other form or medium
Protected health information excludes individually identifiable health information in:
Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g
Records described at 20 U.S.C. 1232g(a)(4)(B)(iv)
Employment records held by a covered entity in its role as employer
...