PROTECTED HEALTH INFORMATION (PHI)

Definition

Protected Health Information (PHI) is any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment.

HIPAA regulations allow researchers to access and use PHI when necessary to conduct research. However, HIPAA only affects research that uses, creates, or discloses PHI that will be entered into the medical record or will be used for healthcare services, such as treatment, payment, or operations.

For example, PHI is used in research studies when researchers access existing medical records for research information. Also, studies that create new medical information because a health care service is being performed as part of research, such as diagnosing a health condition or using a new drug or device for treating a health condition, create PHI that will be entered into the medical record.

Individually Identifiable Health Information

Individually identifiable health information is information (including demographic information) that is related to:

At least one of the following three:

  • The past, present, or future physical or mental health or condition of the individual.
  • The health care provided to the individual.
  • The past, present, or future payment for health care provided to the individual,

AND

  • Either identifies the individual or there is a reasonable basis to believe that the information could be used to identify the individual.

Identifiers

Individually identifiable health information includes the following identifiers:

  • Name
  • Geographic subdivisions smaller than a state. 
  • Dates directly related to the individual except year
  • All ages over 89 and/or dates indicating an age over 89
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social security numbers
  • Medical record numbers
  • Health plan numbers
  • Account numbers
  • Certificate or license numbers
  • Vehicle identification/serial numbers, including license plate numbers
  • Device identification/serial numbers
  • Universal Resource Locators (URLs)
  • Internet protocol (IP) addresses
  • Biometric identifiers, including finger and voice prints
  • Full face photographs and comparable images
  • Any unique identifying number, code, or other similar information.

Note: Zip codes or equivalents must be removed; the first 3 digits of the geographic area to which the zip code applies may be retained if the zip code area contains more than 20,000 people.

Note: PHI does not cover employment records that a covered entity maintains in its capacity as an employer.  PHI may also not include education and certain other records subject to the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.

Re-Identification

Additional standards exist to protect an individual's privacy from re-identification.  Any code used to replace the identifiers in datasets cannot be derived from information related to the individual.  For example, a subject's initials cannot be used to code their data because the initials are derived from their name.  Also, the method used to derive the codes may not be disclosed.

Additionally, the researcher must not have actual knowledge that the research subject could be re-identified from the remaining identifiers. In other words, the information would still be considered identifiable if there was a way to identify the individual even though all of the 19 identifiers were removed.
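The following sketch shows the coding rule described above applied to a small dataset: identifiers are dropped, dates are reduced to the year, the zip code is truncated under the 20,000-person rule, and each subject receives a random code that is not derived from any of their information. It is an added example, not part of the original page or any IRBMED tooling; the field names, sample records and population figures are constructed, and the "000" and "90+" substitutions follow the HIPAA Safe Harbor wording rather than this page.

```python
import secrets

# Constructed population figures per 3-digit zip prefix (not real census data).
ZIP3_POPULATION = {"481": 350_000, "036": 12_000}

# Direct identifiers dropped outright (hypothetical field names, subset of the list).
DROP_FIELDS = {"name", "phone", "email", "ssn", "mrn"}

# Constructed sample records.
SAMPLE = [
    {"name": "Jane Doe", "mrn": "MRN-0001", "phone": "555-0100", "zip": "48109",
     "visit_date": "2011-10-14", "age": 47, "diagnosis": "asthma"},
    {"name": "John Roe", "mrn": "MRN-0002", "phone": "555-0101", "zip": "03601",
     "visit_date": "2011-03-02", "age": 93, "diagnosis": "hypertension"},
]


def deidentify(records):
    """Return (coded_records, linkage_key). The linkage key maps each random
    study code back to the MRN and must be stored apart from the coded data."""
    coded, linkage = [], {}
    for rec in records:
        # Random code: not derived from initials, MRN, or any other subject
        # data, so knowing the method reveals nothing about the subject.
        code = secrets.token_hex(8)
        while code in linkage:  # regenerate on the (unlikely) collision
            code = secrets.token_hex(8)
        linkage[code] = rec["mrn"]

        out = {k: v for k, v in rec.items() if k not in DROP_FIELDS}
        out["study_code"] = code

        # Dates directly related to the individual: keep the year only.
        out["visit_year"] = out.pop("visit_date")[:4]

        # Zip code: keep the first 3 digits only if that area has more than
        # 20,000 people; otherwise use "000" (Safe Harbor convention).
        zip3 = out.pop("zip")[:3]
        out["zip3"] = zip3 if ZIP3_POPULATION.get(zip3, 0) > 20_000 else "000"

        # Ages over 89 are identifiers: collapse into one "90+" category.
        if out["age"] > 89:
            out["age"] = "90+"
        coded.append(out)
    return coded, linkage
```

Removing the listed fields does not by itself satisfy the re-identification standard: free-text fields and rare combinations of the remaining values still need review before release.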

Update Approved by IRBMED Chairs and Director: October 14, 2011
Website Updated: October 17, 2011