skip to main content columnskip to left navigation

HIPAA Compliance Office

The Office of University Counsel

PHI and HIPAA Identifiers

When developing research protocols, the Investigator must take into consideration allowable use and disclosure of protected health information (PHI) under HIPAA.

PHI: individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. Individually identifiable health information is a subset of health information, including demographic information collected from an individual, and: (1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

If the health information you access, collect or create includes the below identifiers in relation to a participant or the participant’s relatives, employers, or household members, it may be considered identifiable and subject to HIPAA:

  1. Names
  2. All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of the ZIP code if, according to the current publicly available data from the Bureau of the Census:
    1. The geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and
    2. The initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000
  3. All elements of dates (except year) for dates that are directly related to a patient, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
  4. Telephone numbers
  5. Fax numbers
  6. Email addresses
  7. Social security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web Universal Resource Locators (URLs)
  15. Internet Protocol (IP) addresses
  16. Biometric identifiers, including finger and voice prints
  17. Full-face photographs and any comparable images
  18. Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of 45 CFR 164.514 - Other requirements relating to uses and disclosures of protected health information.

When all 18 identifiers are removed and you have no actual knowledge the information could be used to identify the participant that is the subject of the information, the remaining information/data may be considered de-identified.

icon for left menu icon for right menu