HIPAA does not limit the types of data that providers may seek or obtain about individual patients for treatment purposes. Treatment includes “the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.” 45 CFR 164.501. Other standards, such as professional ethics rules or state law, may address the scope of health care providers’ independent investigations and data collection pertaining to patients. Once a HIPAA covered provider obtains criminal justice data about an individual for treatment purposes, or otherwise combines the data with its PHI, the data held by the HIPAA covered entity is considered protected health information (PHI) and the HIPAA Rules would apply to protect the data.