Frequently Asked Questions

Protected Health Information (PHI) is any information that is:

• Created or received by a health care provider, health plan, or health care clearing house, AND
• Related to the past, present, or future physical or mental health or condition of an individual, including the provision of health care to an individual or the payment for the provision of health care to an individual, AND
• Is accompanied by any of the 18 identifiers defined by HIPAA

PHI includes demographic and genetic information and is not limited to the individual’s official medical or billing record, but can include any type of written, electronic, or oral information that combines health information with an identifier (e.g., phone message, lab results).

HIPAA designates the following 18 elements as identifiers. Health information that is accompanied by any of these elements is considered identifiable for HIPAA purposes.

In order to be considered de-identified, all of the following identifiers of the individual or of relatives, employers, or household members of the individual must be removed:

1. Names, including initials;
2. All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
   • The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
   • The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people are changed to 000.
3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
4. Telephone numbers;
5. Fax numbers;
6. Electronic mail addresses;
7. Social Security numbers;
8. Medical record numbers;
9. Health plan beneficiary numbers;
10. Account numbers;
11. Certificate/license numbers;
12. Vehicle identifiers and serial numbers, including license plate numbers;
13. Device identifiers/serial numbers;
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) address numbers;
16. Biometric identifiers, including finger and voice prints;
17. Full face photographic images and any comparable images; and
18. Any other unique identifying number, characteristic, or code.

Codes or information derived from any of these elements are also considered identifiers (e.g., initials, the last four digits of the Social Security number, etc.).

UofL has designated itself as a hybrid covered entity which separates areas of the campus and business functions into “covered” and “non-covered” components. This designation means the parts of UofL that are “non-covered” components are not typically subject to the HIPAA regulations.

The parts of the University that could be considered a health care provider, health plan, or health care clearinghouse and the departments or units that support such functions are assigned to the health care component of the University's hybrid covered entity. 

HIPAA provides multiple exceptions (or permissions) for obtaining PHI for research purposes, and the documentation requirements for each exception may vary. The most common HIPAA documents used for research are the Research Authorization, Partial Waiver, and Complete Waiver.

Determining which particular exception (and its corresponding documentation) is appropriate depends upon:

• the source of the PHI
• the purpose for viewing and/or collecting the data, and
• whether or not the researcher will have contact with the subject of the information.

The UofL Privacy Office HIPAA Policy Manual, PO-10.8 Research, (log-in required) provides further information on obtaining information for research.

A de-identified data set is health information from which all of the 18 HIPAA identifiers have been removed. If a data set has been classified as “de-identified” the HIPAA regulations no longer control its use or disclosure.

A limited data set (LDS) is PHI from which most, but not all, of the 18 HIPAA identifiers have been removed. It is similar to a de-identified data set but includes additional identifying elements such as dates or zip codes. Unlike a de-identified data set, a limited data set is still considered PHI under HIPAA and must be protected.

HIPAA allows covered entities to create, use, or disclose a LDS for certain limited purposes, including research, but a Data Use Agreement is required to be signed by the LDS recipient. By signing this agreement, the recipient attests that the data will be protected and only used for its intended purpose.

To qualify as a limited data set, the following identifiers of the individual or of relatives, employers, or household members of the individual must be removed:

1. Names, including initials;
2. Postal address information, other than town or city, State and zip code;
3. Telephone numbers;
4. Fax numbers;
5. Electronic mail addresses;
6. Social Security numbers;
7. Medical record numbers;
8. Health plan beneficiary numbers;
9. Account numbers;
10. Certificate/license numbers;
11. Vehicle identifiers and serial numbers, including license plate numbers;
12. Device identifiers/serial numbers;
13. Web Universal Resource Locators (URLs)
14. Internet Protocol (IP) address numbers;
15. Biometric identifiers, including finger and voice prints;
16. Full face photographic images and any comparable images; and

An LDS provides a researcher more information than a de-identified data set; however, it is more limiting than information obtained through a research authorization. Under HIPAA’s LDS exception, a researcher cannot:

• attempt to identify the individuals (who are the subjects of the information), or
• contact the individuals for further information, or
• obtain or use information about the individuals beyond what is included in the LDS.

The UofL Privacy Office HIPAA Policy Manual, PO-10.8 Research, (log-in required), provides further information on limited data sets and Data Use Agreements.

Under HIPAA, limited information may be shared with law enforcement in certain circumstances. The more common examples seen at UofL include:

When Required by Law, such as a law that requires reporting of certain types of wounds (e.g., gunshot wounds) or in response to a court order or subpoena.

For Identification and Location Purposes, for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person. The covered entity may disclose only the following information:

1. Name and address;
2. Date and place of birth;
3. Social Security numbers;
4. ABO blood type and rh factor
5. Type of injury
6. Date and time of treatment;
7. Date and time of death, if applicable; and ;
8. A description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or mustache), scars, and tattoos.

For the purposes of identification or location, the covered entity may not disclose any PHI related to the individual's DNA or DNA analysis, dental records, or typing, samples, or analysis of body fluids or tissue.

There are other less frequent circumstances where disclosures to law enforcement are permitted. The UofL Privacy Office HIPAA Policy Manual, PO-10.7 Uses & Disclosures of Protected Health Information - Uses and Disclosures Without Authorization, (log-in required) provides additional information about this topic.

Court Order - A covered entity may disclose only the PHI expressly authorized by a court order.

Subpoena, Discovery Request, or Other Lawful Process -  A covered entity may disclose PHI In response to a subpoena, discovery request, or other lawful process if it receives satisfactory assurance in writing from the party seeking the information that the party has made a good faith attempt to provide written notice to the individual and that the notice:

1. Included sufficient information about the litigation or proceeding to permit the individual to raise an objection to the court, and
2. The time for the individual to raise objections to the court has elapsed, and either no objections were filed or the objections have been resolved by the court. 

The UofL Privacy Office HIPAA Policy Manual, PO-10.7 Uses & Disclosures of Protected Health Information - Uses and Disclosures Without Authorization, (log-in required) provides additional information about this topic.

For the purpose of fundraising, a covered entity may use, or disclose to a business associate or to an institutionally related foundation, the following PHI without an authorization:

1. Demographic information, which includes name, address or other contact information, age, gender, insurance status,
2. Date of Birth, and
3. Dates of health care provided to an individual.

Any fundraising materials sent to an individual should include a clear and conspicuous description of how the individual may opt out of future fundraising communications. Covered entities must honor any opt outs received. The UofL Privacy Office HIPAA Policy Manual, PO-23 Fundraising, (log-in required) provides additional information about this topic. 

HIPAA regulates the PHI of decedents for 50 years after the date of death.  However, HIPAA permits the disclosure of decedent information in certain circumstances and with certain limitations.

Examples include:

• Coroners and Medical Examiners - A covered entity may disclose PHI to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law.
• Uses and Disclosures for Cadaveric Organ, Eye or Tissue Donation Purposes - A covered entity may use or disclose PHI to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye or tissue donation and transplantation.

The UofL Privacy Office HIPAA Policy Manual, PO-10.7 Uses & Disclosures of Protected Health Information - Uses and Disclosures Without Authorization, (log-in required) provides additional information about this topic. 

HIPAA permits the disclosure of PHI to Adult or Child Protective Services in some circumstances.

For Children - A covered entity may disclose PHI to a public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect. This exception is one of the “Public Health Activities” provided by HIPAA.

For Adults - If a covered entity reasonably believes that an individual is a victim of abuse, neglect, or domestic violence, it may disclose PHI of the individual to a public health authority or other government authority authorized by law to receive reports of abuse, neglect, or domestic violence in accordance with the following:

1. To the extent the disclosure is required by law and is limited to the relevant requirements of the law;
2. If the individual agrees to the disclosure; or
3. To the extent the disclosure is expressly authorized by statute or regulation and:

• The covered entity believes the disclosure is necessary to prevent serious harm to the individual or other potential victims; or
• If the individual is unable to agree because of incapacity, a law enforcement or other public official authorized to receive the report represents that the PHI is not intended to be used against the individual and that an immediate enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure.

If such a disclosure is made for adult abuse, neglect, or domestic violence scenarios, the covered entity has additional obligations for informing the individual of the reported disclosure. Please see The UofL Privacy Office HIPAA Policy Manual, PO-10.7 Uses & Disclosures of Protected Health Information - Uses and Disclosures Without Authorization, (log-in required) for additional information on the adult abuse, neglect, and domestic violence reporting requirements.

Generally, an individual’s right to control PHI depends upon that same individual’s right to control the health care decision. HIPAA defers to state law for matters regarding parents and minors, but does provide two exceptions which may be used to address this question:

Disclosures to Family, Friends, and Others Involved in the Care of an Individual - HIPAA permits the disclosure to a person(s) involved in the current health care of an individual (e.g., family, friends, and others) PHI that is directly related to the person’s involvement in the current health of the individual or the payment related to that health care. This provision is not only for parents and minors but may also be applied to adult patients and their caregivers.

This provision, for example, allows a physician or staff to share details that might be important to the current care of the individual, such as a diagnosis or prognosis, or specific instructions for monitoring health or symptoms of the individual.

Personal Representative - This exception provides a broader scope of access and rights to information than the provision for family, friends, and others. It allows for access to the individual’s record, including the receipt of a complete copy of the record.

This provision says if, under applicable (state) law, a parent, guardian or other person acting in loco parentis has the authority to act on behalf of an unemancipated minor (child) in making decision related to health care, a covered entity must treat such person as the personal representative of the individual. This generally means PHI can be disclosed to the personal representative in the same way as if the individual (e.g., child) were making the request for access to PHI.

It’s important to note that the discretion to deny or provide access to a parent under HIPAA may only be exercised by a licensed health care professional who is exercising his/her professional judgment.

The UofL Privacy Office HIPAA Policy Manual, PO-10 Uses & Disclosures of Protected Health Information, (log-in required) provides additional information on disclosures to family, friends, and others involved in the care of individuals.