Centers for Medicare & Medicaid Services

CMS PHI Posting Policy

Due to the requirements of the DHHS Privacy Rule, CMS will redact (remove) all protected health information (PHI) from electronically submitted comments before posting them to this website.

The Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) establishes a set of national standards for the protection of certain health information. The U.S. Department of Health and Human Services (HHS) issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Privacy Rule standards address the use and disclosure of individuals' health information, called PHI.
The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.
PHI includes data that relates to:
  • the individual's past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual, and
  • information that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
Examples of PHI include diagnoses (for yourself, family members or friends), medications, Medicare or SSN numbers, names of doctors, dates of treatment, etc.