Protected Health Information (PHI)

Individually identifiable health information is information (including demographic information) that

1. is related to

• past, present, or future physical or mental health or condition of the individual, and/or
• health care provided to the individual, and/or
• past, present, or future payment for health care provided to the individual;

and

2. identifies an individual directly or indirectly, or there is a reasonable basis to believe that the information could be used to identify the individual.

ref.  OCR guidance De-Identification Methods, 1.1

Health information is considered to be individually identifiable health information if any of the following identifiers are included:

1. Name
2. Geographic subdivisions smaller than a state. 
3. All elements of dates (except year) for dates that are directly related to an individual, and all ages over 89 and all elements of dates (including year) indicative of such age
4. Telephone numbers
5. Fax numbers
6. Email addresses
7. Social security numbers
8. Medical record numbers
9. Health plan numbers
10. Account numbers
11. Certificate or license numbers
12. Vehicle identification/serial numbers, including license plate numbers
13. Device identification/serial numbers
14. Universal Resource Locators (URLs)
15. Internet protocol (IP) addresses
16. Biometric identifiers, including finger and voice prints
17. Full face photographs and comparable images
18. Any unique identifying number, characteristic, or code

Note on #2: A dataset held by a covered entity is considered to include Protected Health Information (PHI) if it includes ZIP codes, counties, census tracts, and other equivalents.

Note on #3: A dataset held by a covered entity is considered to include PHI if it includes the day, month, or any other information that is more specific than the year of an event.  For instance, "January 1, 2009" and "January 2009" are both considered to contain PHI. Not only birth or death dates, but also dates of service (appointment, biopsy, surgery, etc.) are considered dates “directly related to the individual.”

Note on #18 – According to OCR Guidance on Satisfying the Safe Harbor Method, examples include

• identifying number - study-specific subject identification numbers,
• identifying code - barcodes designed to be unique for each patient for tracking purposes
• identifying characteristic - anything that distinguishes an individual and allows for identification; this may also be called an “indirect identifier.”

Conversely, health information is considered to be HIPAA de-identified if both

• All 18 identifiers listed above are removed
• The covered entity or its workforce, e.g., the principal investigator, has no actual knowledge that the remaining information could be used alone or in combination with other information to identify the individual who is the subject of the information

PHI does not cover employment records that a covered entity maintains in its capacity as an employer.  PHI may also not include education and certain other records subject to the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g. For more information about University responsibilities under FERPA, see University Registrar FERPA website.

OCR guidance De-Identification Methods

Michigan Medicine Policies (requires level-2 login)

• 01-04-300 Privacy and Security Concepts and Definitions
• 01-04-360 Use of Protected Health Information (PHI) in Research