HIPAA Privacy Rule — What Information is Protected?

Under the HIPAA Privacy Rule, Protected Health Information (PHI) is the term for Individually Identifiable Health Information. It is defined as any such information that is stored, accessed or used by a covered entity or its business associates in any form: oral, electronic or paper. Individually Identifiable Health Information also covers demographic data. It includes:

• Any detail of, or reference to, an individual’s past, present or future physical or mental health
• Any indication of the conditions under which the individual accesses different healthcare facilities
• Any information that can be used to establish the identity of an individual, including standard identifiers such as name, address, date of birth and Social Security Number

Some significant exceptions — the Privacy Rule does not treat the following information as Protected Health Information:

• Data held in employment records maintained by a covered entity in its role as an employer
• Information that forms part of education records, or of certain other records, defined in the Family Educational Rights and Privacy Act, 20 USC

What is de-identified information? Apart from these exceptions, the Privacy Rule also categorizes some information as De-identified Health Information. Information in this category can be used and disclosed without concern for compromising the privacy of an individual’s personal or medical details. It is called ‘de-identified’ because it can no longer identify an individual, nor point to anything substantial that could reveal an individual’s identity.

How can information be de-identified? The Privacy Rule sets out clear definitions of how information about an individual can be de-identified. There are two ways:

1. A formal determination of de-identification made by a qualified statistician
2. Removal of specified pieces of information (called identifiers) relating to the individual or to the individual’s relatives, household members or employers

The second method applies only if the covered entity has no actual knowledge that the remaining information, i.e. what is left after the identifiers are removed, could still be used to establish the identity of the individual concerned. The Privacy Rule permits a covered entity to de-identify an individual’s data by removing the following 18 identifiers, or Protected Information Elements:

• Names
• Geographic subdivisions that are smaller than a State
• Any element of a date
• Electronic mail addresses
• Telephone numbers
• Internet Protocol (IP) addresses
• Facsimile (fax) numbers
• Social Security Number (SSN)
• Vehicle identifiers like license plate numbers
• Device identifiers like serial numbers
• Web Universal Resource Locators (URLs)
• Medical record number(s)
• Health plan beneficiary number(s)
• Personal account numbers (PAN)
• Certificate or License numbers
• Biometric identifiers like fingerprints and voiceprints
• Full-face photographic images and any comparable images
• Any other unique identifying number, characteristic or code
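The removal method above is often called the Safe Harbor method, and in practice it is applied to records by a scrubbing routine. The following Python example is added here for illustration; it is not part of the original article and not HIPAA regulatory text. It assumes a record layout with the field names shown, keeps only the year of each date (which the Safe Harbor standard permits, with extra aggregation for ages 90 and over that is not handled here), suppresses ZIP codes entirely as the conservative choice, and runs a regular-expression sweep over free-text fields for identifiers that structured field removal misses. The sample record is constructed. The sweep can only catch structured tokens such as e-mail addresses, phone numbers and dates; a patient's name typed into a clinical note is not caught, which is exactly why the "no actual knowledge" condition in the text, and the review it implies, still matters after an automated pass.

```python
import re
from typing import Any

# Constructed sample record for illustration; every value is made up.
SAMPLE_RECORD: dict[str, Any] = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0012345",
    "ssn": "123-45-6789",
    "email": "jane.sample@example.com",
    "phone": "555-0100",
    "ip": "198.51.100.23",
    "dob": "1984-07-19",
    "admit_date": "2023-11-02",
    "zip": "90210",
    "diagnosis": "Type 2 diabetes mellitus",
    "notes": "Pt reachable at jane.sample@example.com or 555-0100; seen 2023-11-02.",
}

# Field names below are assumptions about a record layout, not HIPAA terms.
# Direct identifiers from the Safe Harbor list: removed outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "ssn", "mrn", "email", "phone", "fax", "ip", "url",
    "account_number", "beneficiary_id", "license_plate", "device_serial",
    "certificate_number", "biometric", "photo",
}
# Geographic subdivisions smaller than a state: suppressed entirely here.
GEO_FIELDS = {"zip", "street", "city"}
# Date fields: reduced to the year only.
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}

# Patterns for identifiers that leak into free text. This catches structured
# tokens only; a name written into a note is NOT detected by any of these.
RESIDUAL_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b(?:\(?\d{3}\)?[ .-]?)?\d{3}[ .-]\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+", re.IGNORECASE),
    "date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}


def scrub_free_text(text: str) -> tuple[str, list[tuple[str, str]]]:
    """Redact structured identifiers from free text.

    Returns the cleaned text and a list of (label, matched token) pairs so
    that a reviewer can see what was removed and judge whether the field
    needs manual review for identifiers the patterns cannot see.
    """
    findings: list[tuple[str, str]] = []
    for label, pattern in RESIDUAL_PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append((label, match.group()))
        text = pattern.sub(f"[{label}]", text)
    return text, findings


def safe_harbor_deidentify(record: dict[str, Any]) -> tuple[dict[str, Any], list[tuple[str, str, str]]]:
    """Apply the Safe Harbor removal step to one record.

    Returns the de-identified record and a list of (field, label, token)
    residual identifiers that were redacted from free-text fields.
    """
    clean: dict[str, Any] = {}
    findings: list[tuple[str, str, str]] = []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS or field in GEO_FIELDS:
            continue  # drop the whole field
        if field in DATE_FIELDS:
            clean[field] = str(value)[:4]  # keep the year only
            continue
        if isinstance(value, str):
            value, found = scrub_free_text(value)
            findings.extend((field, label, token) for label, token in found)
        clean[field] = value
    return clean, findings


if __name__ == "__main__":
    cleaned, residuals = safe_harbor_deidentify(SAMPLE_RECORD)
    print(cleaned)
    for field, label, token in residuals:
        print(f"redacted {label} from '{field}': {token}")
```

Run as a script, the direct-identifier and geographic fields disappear, the two dates collapse to their years, and the note reads "Pt reachable at [email] or [phone]; seen [date]." with three residual findings reported. Any field that produced findings is a candidate for human review, since the sweep proves only that the patterns it knows are gone.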