Health information is considered to be individually identifiable health information if any of the following identifiers are included:
1. Name
2. Geographic subdivisions smaller than a state
3. All elements of dates (except year) for dates that are directly related to an individual, and all ages over 89 and all elements of dates (including year) indicative of such age
4. Telephone numbers
5. Fax numbers
6. Email addresses
7. Social security numbers
8. Medical record numbers
9. Health plan numbers
10. Account numbers
11. Certificate or license numbers
12. Vehicle identification/serial numbers, including license plate numbers
13. Device identification/serial numbers
14. Universal Resource Locators (URLs)
15. Internet protocol (IP) addresses
16. Biometric identifiers, including finger and voice prints
17. Full face photographs and comparable images
18. Any unique identifying number, characteristic, or code
Note on #2: A dataset held by a covered entity is considered to include Protected Health Information (PHI) if it includes ZIP codes, counties, census tracts, and other equivalents.
Note on #3: A dataset held by a covered entity is considered to include PHI if it includes the day, month, or any other information that is more specific than the year of an event. For instance, "January 1, 2009" and "January 2009" are both considered to contain PHI. Not only birth or death dates, but also dates of service (appointment, biopsy, surgery, etc.) are considered dates “directly related to the individual.”
Note on #18: According to OCR Guidance on Satisfying the Safe Harbor Method, examples include:
- Identifying number: study-specific subject identification numbers
- Identifying code: barcodes designed to be unique for each patient for tracking purposes
- Identifying characteristic: anything that distinguishes an individual and allows for identification; this may also be called an “indirect identifier”
Conversely, health information is considered to be HIPAA de-identified if both of the following are true:
- All 18 identifiers listed above are removed.
- The covered entity or its workforce, e.g., the principal investigator, has no actual knowledge that the remaining information could be used alone or in combination with other information to identify the individual who is the subject of the information.
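
A pre-release scan for the first condition, as an added example that is not part of the original page: it flags the identifiers that can be recognised by format, plus the cases in the notes on #2 and #3 (sub-state geography, dates more specific than a year, ages over 89). The column names, patterns and sample rows are assumptions; names, the item 18 identifiers and the "actual knowledge" condition are outside what pattern matching can see, so an empty result only means these patterns matched nothing.

```python
import re

# Identifier kinds from the list above that can be recognised by format alone.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}(?!\d)"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.I),
    # Note on #3: anything more specific than a bare year counts.
    "date": re.compile(
        r"\b(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*\.?\s+(?:\d{1,2},?\s+)?\d{4}\b"
        r"|\b\d{4}-\d{2}(?:-\d{2})?\b"
        r"|\b\d{1,2}/\d{1,2}/\d{2,4}\b", re.I),
}
# Note on #2: column names (assumed) that imply a unit smaller than a state.
GEO_FIELD_HINTS = ("zip", "postal", "county", "census", "street")

def scan_record(record):
    """Return sorted (field, identifier_kind) findings for one row."""
    findings = set()
    for field, value in record.items():
        text = "" if value is None else str(value).strip()
        if not text:
            continue
        name = field.lower()
        if any(hint in name for hint in GEO_FIELD_HINTS):
            findings.add((field, "geographic_subdivision"))
        if name == "age" and text.isdigit() and int(text) > 89:
            findings.add((field, "age_over_89"))
        for kind, pattern in PATTERNS.items():
            if pattern.search(text):
                findings.add((field, kind))
    return sorted(findings)

def scan_dataset(rows):
    """Map row index -> findings, listing only rows that still carry identifiers."""
    return {i: f for i, row in enumerate(rows) if (f := scan_record(row))}

# Constructed sample rows, not real patient data.
SAMPLE_ROWS = [
    {"state": "MN", "visit_year": "2009", "age": 47, "diagnosis_code": "E11.9"},
    {"state": "MN", "zip": "55455", "visit_date": "January 2009", "age": 91,
     "note": "call 612-555-0100 or jdoe@example.org"},
]

if __name__ == "__main__":
    for index, found in scan_dataset(SAMPLE_ROWS).items():
        print(index, found)
```
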
PHI does not cover employment records that a covered entity maintains in its capacity as an employer. PHI may also not include education and certain other records subject to the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g. For more information about University responsibilities under FERPA, see the University Registrar FERPA website.