The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the Congress of the United States of America. HIPAA includes a Privacy Rule regulating the use and disclosure of protected health information (PHI), a Security Rule defining security safeguards required for electronic protected health information (ePHI), and an Enforcement Rule that defines procedures for violation investigations and penalties for confirmed violations.

PHI is defined as individually identifiable health information that is transmitted or maintained in any form or medium (electronic, oral, or paper) by a covered entity or its business associates, excluding certain educational and employment records. Individually identifiable means the identity of the subject is or may readily be ascertained by the investigator or associated with the information.

This policy is designed to detect electronic PHI, which contains a personal health number in addition to health-related terminology. Some false negatives may occur since combinations of personally identifiable information, such as name and address, would not be considered as ePHI with this policy. Internal research indicates that the majority of health communication will contain a personal health number in addition to health-related terminology.