One of the ways in which the Health Insurance Portability and Accountability Act of 1996 sets out to protect the privacy of patients is by defining a set of “HIPAA identifiers”. These identifiers help to delineate what is and is not protected health information (PHI). If data is considered to be PHI, the covered entity (CE) handling the data must ensure that it is safeguarded in a HIPAA-compliant manner.
There are two main rules that govern how PHI should be protected. The HIPAA Privacy Rule limits how PHI is used and to whom it can be disclosed, whilst the HIPAA Security Rule lays out the protections that need to be in place to ensure that the integrity and confidentiality of PHI are maintained, whilst still making it accessible to patients. Breaching these rules can incur hefty financial – or even criminal – penalties. It is therefore important to be able to spot any HIPAA identifiers that will mean data is in fact PHI.
HIPAA identifiers are essentially any pieces of data that are individually identifiable (i.e. that can be linked back to a particular individual). Some of these data are obvious – names, addresses – but they also include information such as device serial numbers or IP addresses. There are 18 HIPAA identifiers in total:
- Names (Full or last name and initial)
- All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the U.S. Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
- Dates (other than year) directly related to an individual
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers (including serial numbers and license plate numbers)
- Device identifiers and serial numbers
- Web Uniform Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger, retinal and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
These are necessary, but not sufficient, to classify health information as PHI. The information must also be used in a HIPAA-covered transaction by either the CE or a business associate (BA).
The Department of Health and Human Services does not distinguish between these pieces of information according to how “generic” they are. It would be impractical for them to distinguish between common and uncommon surnames (for example, distinguishing between Ms R Jones and Ms R Hinton), or between small and large cities (e.g. Mr Smith in Chicago vs Mr Smith in Geneva, NY). Even seemingly anonymous email addresses (e.g. [email protected]) can be traced back to their owner with relative ease. Treating every category in the list as PHI, without exception, can help ensure HIPAA compliance.
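The zip-code and date items in the identifier list above are the two that generalize a value rather than remove it. The following added example (not part of the original article) applies them to a record and drops every field that is not explicitly allowed; the field names, the allow-list and the population figures are constructed assumptions, and a real deployment would load current U.S. Census data.

```python
import re
from datetime import date

# Constructed figures: population of each 3-digit zip unit (NOT real Census data).
ZIP3_POPULATION = {"606": 2_700_000, "144": 310_000, "036": 14_500}

# Hypothetical allow-list: fields that carry none of the 18 identifiers.
# Anything not listed here (name, email, IP, device serial, free text) is dropped.
SAFE_FIELDS = {"state", "diagnosis_code"}

def generalize_zip(zip_code, populations=ZIP3_POPULATION):
    """Keep the first three digits only if that unit has more than 20,000 people."""
    digits = re.sub(r"\D", "", str(zip_code))
    if len(digits) < 5:
        return "000"  # malformed input: fail closed
    prefix = digits[:3]
    # Unknown prefixes are treated as small units and masked.
    return prefix if populations.get(prefix, 0) > 20_000 else "000"

def generalize_date(value):
    """Reduce a date to its year; return None if the value cannot be parsed."""
    if isinstance(value, date):
        return str(value.year)
    match = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", str(value).strip())
    return match.group(1) if match else None

def scrub_record(record):
    """Return a copy of record with identifiers removed or generalized."""
    out = {}
    for key, value in record.items():
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key.endswith("_date"):
            year = generalize_date(value)
            if year:  # unparseable dates are dropped, not passed through
                out[key[: -len("_date")] + "_year"] = year
        elif key in SAFE_FIELDS:
            out[key] = value
    return out

# Constructed sample record.
SAMPLE = {
    "name": "R Jones", "email": "rj@example.test", "ip_address": "192.0.2.10",
    "zip": "03601-1234", "state": "NH", "admission_date": "2021-03-14",
    "diagnosis_code": "J45.909", "device_serial": "SN-0001",
}

if __name__ == "__main__":
    print(scrub_record(SAMPLE))
```

The allow-list makes the scrubber fail closed: a new column added upstream is dropped until someone reviews it, rather than leaking through by default.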