Division of Research

Protected Health Information

Glossary

 

Under the Health Insurance Portability and Accountability Act (HIPAA), protected health information (PHI) is considered to be individually identifiable information relating to the past, present or future health status of an individual that is created, collected or transmitted, or maintained by a HIPAA-covered entity in relation to the provision of healthcare, payment for health care services, or use in health care operations (PHI health care business uses).

Information is only considered PHI when an individual could be identified from the information.

PHI includes one or more of the following 18 identifiers (If these identifiers are removed the information is considered de-identified protected health information, which is not subject to the restrictions of the HIPAA Privacy Rule.):

  • Names
  • All geographic subdivisions smaller than a state, including street address, city or county, precinct, ZIP code and their equivalent geocodes, except for the initial three digits of the ZIP code if, according to the current publicly available data from the Bureau of the Census:
    • the geographic unit formed by combining all ZIP codes with the same three initial digits,
    • the area contains more than 20,000 people, and
      the initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000
  • All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web universal resource locators (URLs)
  • Internet Protocol (IP) addresses
  • Biometric identifiers, including finger and voice prints
  • Full-face photographs and any comparable images
  • Any other unique identifying number, characteristic or code, including any code that includes or is derived from any of the identifiers on this list