Guidance

Protected Health Information (PHI)

IRBMED
Aug 10, 2020 2:45 pm

Protected Health Information (PHI) is individually identifiable health information held or maintained by covered entities, or by business associates acting for the covered entity. PHI is subject to HIPAA Privacy Rule protections. The HIPAA Privacy Rule permits researchers to access and use PHI when necessary to conduct research, with certain restrictions.

  • INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION

    Individually identifiable health information is information (including demographic information) that

    1. is related to

    • past, present, or future physical or mental health or condition of the individual, and/or
    • health care provided to the individual, and/or
    • past, present, or future payment for health care provided to the individual;

    and

    2. identifies an individual directly or indirectly, or there is a reasonable basis to believe that the information could be used to identify the individual.

    ref.  OCR guidance De-Identification Methods, 1.1

  • HIPAA IDENTIFIERS

    Health information is considered to be individually identifiable health information if any of the following identifiers are included:

    1. Name
    2. Geographic subdivisions smaller than a state
    3. All elements of dates (except year) for dates that are directly related to an individual, and all ages over 89 and all elements of dates (including year) indicative of such age
    4. Telephone numbers
    5. Fax numbers
    6. Email addresses
    7. Social security numbers
    8. Medical record numbers
    9. Health plan numbers
    10. Account numbers
    11. Certificate or license numbers
    12. Vehicle identification/serial numbers, including license plate numbers
    13. Device identification/serial numbers
    14. Universal Resource Locators (URLs)
    15. Internet protocol (IP) addresses
    16. Biometric identifiers, including finger and voice prints
    17. Full face photographs and comparable images
    18. Any unique identifying number, characteristic, or code

    Note on #2: A dataset held by a covered entity is considered to include Protected Health Information (PHI) if it includes ZIP codes, counties, census tracts, and other equivalents.

    Note on #3: A dataset held by a covered entity is considered to include PHI if it includes the day, month, or any other information that is more specific than the year of an event.  For instance, "January 1, 2009" and "January 2009" are both considered to contain PHI. Not only birth or death dates, but also dates of service (appointment, biopsy, surgery, etc.) are considered dates “directly related to the individual.”

    Note on #18: According to OCR Guidance on Satisfying the Safe Harbor Method, examples include

    • identifying number - study-specific subject identification numbers
    • identifying code - barcodes designed to be unique for each patient for tracking purposes
    • identifying characteristic - anything that distinguishes an individual and allows for identification; this may also be called an “indirect identifier”

    Conversely, health information is considered to be HIPAA de-identified if both

    • All 18 identifiers listed above are removed
    • The covered entity or its workforce, e.g., the principal investigator, has no actual knowledge that the remaining information could be used alone or in combination with other information to identify the individual who is the subject of the information

    PHI does not cover employment records that a covered entity maintains in its capacity as an employer. PHI also may not include education and certain other records subject to the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g. For more information about University responsibilities under FERPA, see the University Registrar FERPA website.

     

  • REFERENCES

    OCR guidance De-Identification Methods

    Michigan Medicine Policies (requires level-2 login)


Edited By: larkspur@umich.edu
Last Updated: May 22, 2023 1:45 PM