Protected Health Information (PHI) is any information that is:
- Created or received by a health care provider, health plan, or health care clearing house, AND
- Related to the past, present, or future physical or mental health or condition of an individual, including the provision of health care to an individual or the payment for the provision of health care to an individual, AND
- Is accompanied by any of the 18 identifiers defined by HIPAA
PHI includes demographic and genetic information and is not limited to the individual’s official medical or billing record, but can include any type of written, electronic, or oral information that combines health information with an identifier (e.g., phone message, lab results).
HIPAA designates the following 18 elements as identifiers. Health information that is accompanied by any of these elements is considered identifiable for HIPAA purposes.
In order to be considered de-identified, all of the following identifiers of the individual or of relatives, employers, or household members of the individual must be removed:
- Names, including initials;
- All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
- The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
- The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people are changed to 000.
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
- Telephone numbers;
- Fax numbers;
- Electronic mail addresses;
- Social Security numbers;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers, including license plate numbers;
- Device identifiers/serial numbers;
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers;
- Biometric identifiers, including finger and voice prints;
- Full face photographic images and any comparable images; and
- Any other unique identifying number, characteristic, or code.
Codes or information derived from any of these elements are also considered identifiers (e.g., initials, the last four digits of the Social Security number, etc.).
UofL has designated itself as a hybrid covered entity which separates areas of the campus and business functions into “covered” and “non-covered” components. This designation means the parts of UofL that are “non-covered” components are not typically subject to the HIPAA regulations.
The parts of the University that could be considered a health care provider, health plan, or health care clearinghouse and the departments or units that support such functions are assigned to the health care component of the University's hybrid covered entity.