The HIPAA Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."

“Individually identifiable health information” is information, including demographic data, that relates to:

  • the individual’s past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual,

that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

Source: USDHHS (2013). Summary of the HIPAA Privacy Rule. Health Information Privacy. Retrieved from: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html

De-Identification of Protected Health Information

Section 164.514(a) of the HIPAA Privacy Rule provides the standard for de-identification of protected health information. Under this standard, health information is not individually identifiable if it does not identify an individual and if the covered entity has no reasonable basis to believe it can be used to identify an individual. Two methods can be used to achieve de-identification in accordance with the HIPAA Privacy Rule: Expert Determination and Safe Harbor. Under the Safe Harbor method, the identifiers listed below, whether of the individual or of relatives, employers, or household members of the individual, must be removed.

Source: USDHHS (2013). Summary of the HIPAA Privacy Rule. Health Information Privacy. Retrieved from: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html

The following identifiers of the individual, or of relatives, employers, or household members of the individual, are to be removed to comply with HIPAA regulations:

1.      Names

2.      All geographic subdivisions smaller than state, including:
         a)     Street address
         b)     City
         c)     County
         d)     Precinct
         e)     Zip code and equivalent geocode

3.      All elements of dates (except year) directly related to an individual, including:
         a)     Birth date
         b)     Admission date
         c)     Discharge date
         d)     Date of death
         e)     All ages over 89, including date elements indicative of such age (including year), except when all ages of 90 or older can be aggregated into a single category

4.      Telephone numbers

5.      Fax numbers

6.      E-mail addresses

7.      Social security numbers

8.      Medical record numbers

9.      Health plan beneficiary numbers

10.    Account numbers

11.    Certificate/license numbers

12.    Vehicle identifiers and serial numbers (including license plate numbers)

13.    Device identifiers and serial numbers

14.    Web Universal Resource Locators (URLs)

15.    Internet Protocol (IP) address numbers

16.    Biometric identifiers, including finger/voice prints

17.    Full face photographic images and any comparable images

18.    Any other unique identifying number, characteristic or code
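Applying the Safe Harbor list above to a structured patient record, as an added example that is not part of the HHS or University of Washington source material. The field names, the regex backstop for free text, the reference date and the sample record are all assumptions; the page lists zip codes for removal, so they are dropped rather than truncated.

```python
import re
from datetime import date

# Items 1, 2 and 4-18: dropped outright (field names assumed; ZIP is removed).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "precinct", "zip_code", "phone",
    "fax", "email", "ssn", "medical_record_number", "health_plan_number",
    "account_number", "license_number", "vehicle_id", "device_serial", "url",
    "ip_address", "biometric_id", "face_photo",
}
# Item 3: dates directly related to the individual keep only the year.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "date_of_death"}
# Backstop for SSN, phone and e-mail forms leaking into free text; a regex pass
# does not satisfy item 18 on its own, so free-text fields still need review.
FREE_TEXT_PATTERNS = [re.compile(p) for p in (
    r"\b\d{3}-\d{2}-\d{4}\b", r"\b\d{3}[-.]\d{3}[-.]\d{4}\b",
    r"\b[\w.+-]+@[\w-]+\.[\w.]+\b")]
def age_on(birth_date, as_of):  # whole years of age on the reference date
    dob = date.fromisoformat(birth_date)
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
def scrub_text(text):
    for pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text

def safe_harbor_deidentify(record, as_of):
    """Return a copy of record with Safe Harbor identifiers removed or reduced."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key in DATE_FIELDS:
            out[key] = value[:4]  # ISO date -> year only
        else:
            out[key] = scrub_text(value) if isinstance(value, str) else value
    if "birth_date" in record:
        age = age_on(record["birth_date"], as_of)
        if age > 89:  # item 3e: single "90+" category, and the birth year
            out.pop("birth_date", None)  # goes too since it reveals such an age
            out["age"] = "90+"
        else:
            out["age"] = age
    return out

AS_OF = date(2013, 8, 1)  # constructed reference date for age calculation
SAMPLE = {"name": "Jane Example", "ssn": "123-45-6789", "zip_code": "02139",
          "birth_date": "1921-03-15", "admission_date": "2013-07-02",
          "diagnosis": "hypertension", "notes": "Call spouse at 555-123-4567 or spouse@example.com"}
def deidentify_sample():  # constructed, fictitious record above
    return safe_harbor_deidentify(SAMPLE, AS_OF)
```

Note that removing named fields is the easy part; the age rule in item 3e is where naive year-only truncation fails, and item 18 is only covered by human review of whatever free text remains.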
 

Sources:

United States Department of Health and Human Services (2013). Summary of the HIPAA Privacy Rule. Health Information Privacy. Retrieved from: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/guidance.html#rationale, PP-19

Protected Health Information, Limited Data Set, and De-Identification of Protected Health Information. (2013). Retrieved August 1, 2013 from http://depts.washington.edu/comply/docs/PP_19.pdf