Protected health information and covered entities

HIPAA covers information related to transactions for which the United States Department of Health and Human Services (HHS) has adopted a standard. This means that the information covered may, and likely will, evolve over time as more standards are agreed.

Protected health information relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual (§2791(b)(2) of the Public Health Service Act 1944, Title 42 United States Code). Protected health information by definition must, therefore, be identifiable as relating to an individual.

There are 18 features that can be used to identify, contact, or locate an individual. When any one (or more) of these is combined with health information, that information becomes identifiable and is therefore protected:

  • Names (full or last name and initial)
  • All geographical identifiers smaller than a state, except for the initial three digits of a zip code if this defines an area containing at least 20,000 people
  • Dates (other than year) directly related to an individual
  • Phone numbers
  • Fax numbers
  • Email addresses
  • Social security numbers
  • Medical record numbers
  • Health insurance beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers (including serial numbers and license plate numbers)
  • Device identifiers and serial numbers
  • Web Uniform Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • Biometric identifiers, including finger, retinal, and voice prints
  • Full face photographic images and any comparable images
  • Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
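
The list above is the Safe Harbor de-identification rule: strip the 18 identifiers and what remains is no longer PHI. The following Python is an added example, not from the original text, showing how a record-level de-identification step and a matching check could be written; the field names, the sample record, and the `POPULOUS_ZIP3` set of three-digit ZIP prefixes assumed to cover at least 20,000 people are all constructed assumptions (a real deployment would derive the prefix set from census data).

```python
from datetime import date

# Constructed assumption: three-digit ZIP prefixes whose area holds at least
# 20,000 people, so the prefix may be kept under the Safe Harbor rule.
POPULOUS_ZIP3 = {"100", "606", "945"}

# Record fields (hypothetical names) holding identifiers removed outright.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "photo",
}
# Dates directly related to the individual: only the year may survive.
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date"}
# Geographic units smaller than a state: dropped except the ZIP prefix.
GEO_FIELDS = {"street", "city", "county"}


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits only if that area has >= 20,000 people."""
    prefix = zip_code[:3]
    return prefix if prefix in POPULOUS_ZIP3 else "000"


def deidentify(record: dict) -> dict:
    """Return a copy of record with the 18 Safe Harbor identifiers removed."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field in GEO_FIELDS:
            continue                          # drop the identifier entirely
        if field in DATE_FIELDS:
            out[field] = value.year           # "dates other than year"
        elif field == "zip":
            out[field] = generalize_zip(value)
        else:
            out[field] = value                # state, clinical data, study code
    return out


def is_deidentified(record: dict) -> bool:
    """Check that nothing from the identifier list remains in a record."""
    if record.keys() & (DIRECT_IDENTIFIERS | GEO_FIELDS):
        return False
    if any(isinstance(record.get(f), date) for f in DATE_FIELDS):
        return False
    return "zip" not in record or len(record["zip"]) == 3


SAMPLE = {  # constructed sample record, not real patient data
    "name": "Jane Doe", "ssn": "123-45-6789", "email": "jane@example.com",
    "street": "1 Main St", "city": "Springfield", "state": "IL", "zip": "62704",
    "date_of_birth": date(1980, 5, 17), "admission_date": date(2023, 2, 3),
    "diagnosis": "Type 2 diabetes", "study_code": "S-0042",
}
```

The investigator-assigned `study_code` is kept deliberately, matching the exception in the last list item, while the ZIP prefix "627" is replaced by "000" because it is not in the constructed populous set.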

An organization must comply with HIPAA if it is a covered entity. Covered entities are defined as being either a healthcare provider, a health plan, or a healthcare clearinghouse (an intermediary company working between healthcare providers and insurance companies), as shown in the following table:

Covered entities as defined for HIPAA

Organizations that are not covered entities may still need HIPAA-compliant systems if the PHI is sourced from a covered entity. It makes sense that this covers medical research in which the PHI is sourced from a hospital or physicians are involved with a clinical trial; however, this includes looser interactions such as HR departments' storage of occupational health emails, managers' storage of sick notes, or lawyers' storage of files after litigation.
