HIPAA – What Health Information is Considered Protected?
The U.S. Department of Health and Human Services (HHS) provides several web-based tools to help providers understand and navigate HIPAA and its requirements. Below are summary excerpts from HHS that explain what information is considered protected under HIPAA:
Protected Health Information:
The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate (see Learn More below), in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).” 45 C.F.R. § 160.103.
“Individually identifiable health information” is information, including demographic data, that relates to:
- The individual’s past, present or future physical or mental health or condition;
- The provision of health care to the individual; or,
- The past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. 45 C.F.R. § 160.103.
Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
What are the 18 identifiers?
Once information has been de-identified, HIPAA no longer applies to it. One of the methods HHS recognizes for de-identification is to remove the 18 identifiers listed below from the data. There are subtleties and important caveats (for example, determining which three-digit ZIP code areas contain 20,000 or fewer people), but the general overview provided by HHS is as follows:
- Names
- All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of the ZIP code if, according to the current publicly available data from the Bureau of the Census:
  - The geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and
  - The initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000
- All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
- Telephone numbers
- Fax numbers
- Email addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) addresses
- Biometric identifiers, including finger and voice prints
- Full-face photographs and any comparable images
- Any other unique identifying number, characteristic, or code
There are exceptions under which the use of certain identifiers may still be permitted, and caution should be exercised at all times; see the HHS links under ‘Learn More’ below for details.
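The ZIP, date and age rules above are the parts of the list that are easy to get wrong in practice, so here is an added example (not HHS text or code) that applies them to a flat patient record. It assumes a simple dictionary layout with field names of its own choosing, drops the direct identifiers outright, truncates ZIP codes to three digits (or to 000 for a restricted area), reduces dates to the year, and collapses any age over 89 into a single "90+" bucket while also removing the birth year that would reveal such an age. The set of restricted three-digit ZIP areas and the sample records are constructed for the demo; the real set must be derived from current Census Bureau population data.

```python
"""Safe Harbor-style de-identification of a flat patient record.

Added example, not HHS or regulatory text. RESTRICTED_ZIP3 is a
CONSTRUCTED placeholder; the real set must come from current Census
Bureau population counts for three-digit ZIP code areas.
"""
from __future__ import annotations

import datetime as dt
import re

# CONSTRUCTED placeholder, not a current Census-derived list.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203"}

# Direct identifiers removed outright (names, phone/fax, email, SSN, MRN,
# beneficiary/account/license numbers, vehicle/device IDs, URLs, IPs,
# biometrics, full-face photos). Field names are assumptions for this demo.
DROP_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_number", "license_number", "vehicle_id", "device_id",
    "url", "ip_address", "biometric", "photo",
}

# Geographic subdivisions smaller than a state, other than the ZIP3 prefix.
GEO_FIELDS = {"street", "city", "county", "precinct"}

ZIP_RE = re.compile(r"^\d{5}(?:-\d{4})?$")


def truncate_zip(zip_code: str, restricted: set[str] = RESTRICTED_ZIP3) -> str:
    """Keep the first three digits, or '000' for a restricted ZIP3 area."""
    zip_code = zip_code.strip()
    if not ZIP_RE.match(zip_code):
        raise ValueError(f"not a ZIP code: {zip_code!r}")
    prefix = zip_code[:3]
    return "000" if prefix in restricted else prefix


def age_on(birth: dt.date, as_of: dt.date) -> int:
    """Whole years between birth and as_of."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def bucket_age(age: int) -> int | str:
    """Ages over 89 collapse into the single category '90+'."""
    return "90+" if age > 89 else age


def deidentify(record: dict, as_of: dt.date) -> dict:
    """Return a de-identified copy of record (Safe Harbor identifier rules)."""
    out: dict = {}
    birth = record.get("birth_date")
    age = age_on(birth, as_of) if isinstance(birth, dt.date) else None
    over_89 = age is not None and age > 89

    for key, value in record.items():
        if key in DROP_FIELDS or key in GEO_FIELDS:
            continue
        if key == "zip":
            out["zip3"] = truncate_zip(value)
        elif key == "birth_date":
            # Even the year alone is indicative of age for anyone over 89.
            if not over_89:
                out[key] = str(value.year)
        elif isinstance(value, dt.date):
            # Other dates tied to the individual keep only the year.
            out[key] = str(value.year)
        elif key == "age":
            out[key] = bucket_age(value)
        else:
            out[key] = value

    if age is not None and "age" not in out:
        out["age"] = bucket_age(age)
    return out


# Constructed sample input (fictional, not real patient data).
AS_OF = dt.date(2024, 1, 1)
SAMPLE_YOUNG = {
    "name": "Jane Example", "ssn": "123-45-6789", "email": "jane@example.com",
    "street": "1 Main St", "city": "Cambridge", "state": "MA", "zip": "02139",
    "birth_date": dt.date(1985, 7, 15), "admission_date": dt.date(2023, 11, 3),
    "diagnosis_code": "E11.9",
}
SAMPLE_OLD = {
    "name": "John Example", "mrn": "MRN-0001", "ip_address": "10.0.0.7",
    "state": "NH", "zip": "03601", "birth_date": dt.date(1930, 5, 1),
    "discharge_date": dt.date(2023, 12, 20), "diagnosis_code": "I10",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_YOUNG, AS_OF))
    print(deidentify(SAMPLE_OLD, AS_OF))
```

Running it shows the second record losing its birth year entirely and reporting age "90+", while the first keeps "1985" and an integer age; both keep the state and only the three-digit ZIP prefix. Removing these fields does not by itself make a data set safe against re-identification, which is why HHS also requires that the covered entity have no actual knowledge that the remaining information could identify the individual.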
Learn More – Primary Sources:
HHS: Summary of the HIPAA Privacy Rule
HHS: Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule