Guidance

Protected Health Information (PHI)

IRBMED
Apr 17, 2019 10:00 am

Protected Health Information (PHI) is individually identifiable health information held or maintained by covered entities, or by business associates acting for the covered entity. PHI is subject to HIPAA Privacy Rule protections. The HIPAA Privacy Rule permits researchers to access and use PHI when necessary to conduct research, with certain restrictions.

  • Individually Identifiable Health Information

    Individually identifiable health information is information (including demographic information) that

    1. is related to

    • past, present, or future physical or mental health or condition of the individual, and/or
    • health care provided to the individual, and/or
    • past, present, or future payment for health care provided to the individual;

    and

    2. identifies an individual directly or indirectly, or there is a reasonable basis to believe that the information could be used to identify the individual.

    Ref.: OCR guidance, De-Identification Methods, 1.1

  • HIPAA identifiers

    Health information is considered to be individually identifiable health information if any of the following identifiers are included:

    1. Name
    2. Geographic subdivisions smaller than a state. 
    3. All elements of dates (except year) for dates that are directly related to an individual, and all ages over 89 and all elements of dates (including year) indicative of such age
    4. Telephone numbers
    5. Fax numbers
    6. Email addresses
    7. Social security numbers
    8. Medical record numbers
    9. Health plan numbers
    10. Account numbers
    11. Certificate or license numbers
    12. Vehicle identification/serial numbers, including license plate numbers
    13. Device identification/serial numbers
    14. Universal Resource Locators (URLs)
    15. Internet protocol (IP) addresses
    16. Biometric identifiers, including finger and voice prints
    17. Full face photographs and comparable images
    18. Any unique identifying number, code, or other similar information.

    Note on #2: A dataset held by a covered entity is considered to include Protected Health Information (PHI) if it includes ZIP codes, counties, census tracts, and other equivalents.

    Note on #3: A dataset held by a covered entity is considered to include PHI if it includes the day, month, or any other information that is more specific than the year of an event.  For instance, "January 1, 2009" and "January 2009" are both considered to contain PHI.

    Note: PHI does not cover employment records that a covered entity maintains in its capacity as an employer. PHI may also not include education and certain other records subject to the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g. For more information about University responsibilities under FERPA, see the University Registrar FERPA website.

  • References

    UMHS Policies

    • 01-04-300 Introduction to Privacy and Security Concepts and Definitions
    • 01-04-360 Use of Protected Health Information (PHI) in Research

Questions?

Contact us at irbmed@umich.edu or 734-763-4768 (Fax: 734-763-1234)

2800 Plymouth Road, Building 520, Room 3214, Ann Arbor, MI 48109-2800

A list of IRBMED staff is available in the Personnel Directory, or view the list of Regulatory Teams.

Edited By: larkspur@umich.edu
Last Updated: April 17, 2019 10:00 AM