Protected Health Information
When Does Health Information Become “Protected Health Information?”
Determining whether your research involves protected health information is the next step in identifying whether HIPAA applies to your research. The following definitions clarify the difference between health information in general and protected health information:
Health information is any information, including genetic, whether oral or recorded in any form or medium, that 1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and 2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
Protected health information (PHI) is a subset of health information that originates from a HIPAA covered entity. PHI includes personal health information—including demographic information collected from an individual—that identifies the individual or could reasonably be believed to be usable to identify the individual.
UTC is not a HIPAA covered entity, so health information collected directly by UTC faculty, staff, and student researchers without the involvement of a HIPAA covered entity is not considered PHI, and the Privacy Rule and Security Rule do not apply. Informed consent and appropriate safeguards to protect the confidentiality of health information may still be required, but not the stricter protections that are associated with PHI.
Under HIPAA, 18 types of information qualify as PHI:
- Names (Full or last name and initial)
- Geographical identifiers smaller than a state*
- Dates (other than year) directly related to an individual—includes birthdates, admission/treatment dates, discharge dates, date of death
- Phone Numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers (including serial numbers and license plate numbers)
- Device identifiers and serial numbers
- Web Uniform Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger, retinal and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code, except a code the covered entity assigns so that it (but not the researcher) can re-identify individuals
*In limited cases, the first three digits of a patient’s ZIP code may not qualify as PHI—see the regulatory guidance for details
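As an added example (not part of the UTC guidance above), the following Python script shows how the identifier list can be turned into a de-identification check for a research record before it leaves a covered entity. The record field names, the sample record, and the set of three-digit ZIP prefixes that may be retained are constructed assumptions; which prefixes actually qualify is decided by the regulatory guidance the footnote points to, so the script takes that set as a parameter rather than hard-coding a rule. Dates are reduced to the year, which the list permits, direct identifier fields are dropped, the covered entity's own re-identification code is kept, and free-text notes are scanned for identifiers (phone numbers, email addresses, SSNs, IP addresses, URLs) that commonly leak into narrative fields.

```python
"""Safe Harbor-style de-identification check for a research record.

Added illustration, not code from the UTC guidance page. Field names, the
sample record and ALLOWED_ZIP_PREFIXES are constructed assumptions.
"""
from __future__ import annotations

import re
from datetime import date
from typing import Any

# Record fields that map to the direct identifier categories in the list
# (names, contact details, record/account/license/vehicle/device numbers,
# URLs, IP addresses, biometrics, photos, geography below state level).
# The field names are assumptions about the record layout.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "insurance_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "photo", "street_address", "city",
}

# Identifiers that tend to leak into free-text notes. Order matters a little:
# SSNs are checked before phone numbers so a 3-2-4 digit group is not
# partially consumed by the phone pattern.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "phone": re.compile(
        r"(?<!\d)(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ip_address": re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
}

# Constructed placeholder: three-digit ZIP prefixes the policy allows to be
# retained. Populate this from the regulatory guidance, not from this file.
ALLOWED_ZIP_PREFIXES = {"374"}


def generalize_date(value: str) -> str:
    """Keep only the year of an ISO date; the list permits year alone."""
    return str(date.fromisoformat(value).year)


def generalize_zip(zip_code: str, allowed: set[str] = ALLOWED_ZIP_PREFIXES) -> str | None:
    """Return the three-digit prefix if policy allows it, else suppress (None)."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    return prefix if len(prefix) == 3 and prefix in allowed else None


def find_free_text_identifiers(text: str) -> dict[str, list[str]]:
    """Report which identifier patterns occur in a free-text field."""
    return {label: pat.findall(text)
            for label, pat in FREE_TEXT_PATTERNS.items() if pat.search(text)}


def redact_free_text(text: str) -> str:
    """Replace each matched identifier with a labelled placeholder."""
    for label, pat in FREE_TEXT_PATTERNS.items():
        text = pat.sub(f"[{label.upper()} REDACTED]", text)
    return text


def deidentify(record: dict[str, Any],
               allowed_zip_prefixes: set[str] = ALLOWED_ZIP_PREFIXES) -> dict[str, Any]:
    """Return a copy of the record with the listed identifier categories removed.

    A field list can never be exhaustive ("any other unique identifying
    number, characteristic, or code"), which is why free text is scanned
    too and why a human review step still belongs in the workflow.
    """
    out: dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                                  # drop entirely
        if key.endswith("_date"):
            out[key] = generalize_date(value)         # keep year only
        elif key == "zip":
            out[key] = generalize_zip(value, allowed_zip_prefixes)
        elif key == "notes":
            out[key] = redact_free_text(value)        # scrub narrative text
        else:
            # Clinical values and the covered entity's own re-identification
            # code (study_code here, an assumed name) are retained.
            out[key] = value
    return out


# Constructed sample record used for the demonstration below.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-000123",
    "email": "jane.sample@example.org",
    "zip": "37403",
    "admission_date": "2023-05-14",
    "discharge_date": "2023-05-19",
    "diagnosis_code": "E11.9",
    "study_code": "S-0042",
    "notes": ("Pt called from 423-555-0100; follow-up via "
              "jane.sample@example.org. Portal https://portal.example.org/visit/9"),
}

if __name__ == "__main__":
    for k, v in deidentify(SAMPLE_RECORD).items():
        print(f"{k}: {v}")
```

Run the script directly to see the scrubbed record; `find_free_text_identifiers` is the audit-only counterpart of `redact_free_text`, useful for flagging records that still need manual review rather than silently rewriting them.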
HIPAA covered entities may not release, transfer, provide access to, or divulge PHI in any manner without following the Privacy Rule and Security Rule.