General FAQs

Protected Health Information (PHI) is any information that is:

  • Created or received by a health care provider, health plan, or health care clearing house, AND
  • Related to the past, present, or future physical or mental health or condition of an individual, including the provision of health care to an individual or the payment for the provision of health care to an individual, AND
  • Is accompanied by any of the 18 identifiers defined by HIPAA

PHI includes demographic and genetic information and is not limited to the individual’s official medical or billing record, but can include any type of written, electronic, or oral information that combines health information with an identifier (e.g., phone message, lab results).

HIPAA designates the following 18 elements as identifiers. Health information that is accompanied by any of these elements is considered identifiable for HIPAA purposes.

In order to be considered de-identified, all of the following identifiers of the individual or of relatives, employers, or household members of the individual must be removed:

  1. Names, including initials;
  2. All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
    • The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
    • The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people are changed to 000.
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
  4. Telephone numbers;
  5. Fax numbers;
  6. Electronic mail addresses;
  7. Social Security numbers;
  8. Medical record numbers;
  9. Health plan beneficiary numbers;
  10. Account numbers;
  11. Certificate/license numbers;
  12. Vehicle identifiers and serial numbers, including license plate numbers;
  13. Device identifiers/serial numbers;
  14. Web Universal Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers;
  16. Biometric identifiers, including finger and voice prints;
  17. Full face photographic images and any comparable images; and
  18. Any other unique identifying number, characteristic, or code.

Codes or information derived from any of these elements are also considered identifiers (e.g., initials, the last four digits of the Social Security number, etc.).

UofL has designated itself as a Hybrid Entity which separates business functions into “covered” and “non-covered” components. This designation means the parts of UofL that are “non-covered” components are not typically subject to the HIPAA regulations.

The parts of UofL that could be considered a health care provider, health plan, or health care clearinghouse and the departments or units that support such functions are assigned to the “covered component” which includes:

  • Schools of Medicine, Dentistry, and Nursing, and affiliated institutes and centers (including Campus Health Services)
  • Human Resources Benefits (the health plan)
  • Audit Services
  • Information Technology
  • Environmental Health and Safety
  • University Archives and Records (the portion holding medical records)