Health information is considered to be individually identifiable health information if any of the following identifiers are included:
- Geographic subdivisions smaller than a state
- All elements of dates (except year) for dates that are directly related to an individual, all ages over 89, and all elements of dates (including year) indicative of such age
- Telephone numbers
- Fax numbers
- Email addresses
- Social security numbers
- Medical record numbers
- Health plan numbers
- Account numbers
- Certificate or license numbers
- Vehicle identification/serial numbers, including license plate numbers
- Device identification/serial numbers
- Universal Resource Locators (URLs)
- Internet protocol (IP) addresses
- Biometric identifiers, including finger and voice prints
- Full face photographs and comparable images
- Any unique identifying number, code, or other similar information
Note on #2 (geographic subdivisions): A dataset held by a covered entity is considered to include Protected Health Information (PHI) if it includes ZIP codes, counties, census tracts, and other equivalents.
Note on #3 (dates): A dataset held by a covered entity is considered to include PHI if it includes the day, month, or any other information that is more specific than the year of an event. For instance, "January 1, 2009" and "January 2009" are both considered to contain PHI.
Note: PHI does not cover employment records that a covered entity maintains in its capacity as an employer. PHI also may not include education and certain other records subject to the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g. For more information about University responsibilities under FERPA, see the University Registrar FERPA website.