One of the core purposes of the Health Insurance Portability and Accountability Act of 1996 is to protect patient privacy. Yet not all data is protected by HIPAA. The Act applies to a defined subset of information, protected health information (PHI). One of the defining features of PHI is that it is "individually identifiable", but what does that mean? What is individually identifiable health information? We will discuss the answer here.
HIPAA only applies to health information: any details of an individual's past, present, or future physical or mental health condition, the provision of health care to that individual, or payment for that health care.
Importantly, health information is only covered by HIPAA if it is created, received, maintained, or transmitted by a HIPAA Covered Entity or Business Associate. Covered Entities are health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with standard transactions; Business Associates are organizations that handle PHI on a Covered Entity's behalf. This means that health information held by your employer in its role as employer (for example, in employment records) is usually not covered by HIPAA.
But what does it mean for this data to be individually identifiable? Health information is individually identifiable if it identifies the individual, or if there is a reasonable basis to believe it could be used to identify them, either on its own or in combination with other data. Identifying elements include demographic and financial details such as names, addresses, and bank account numbers.
HIPAA's "Safe Harbor" de-identification standard lists 18 identifiers. Health information that contains any of them, and is held by a Covered Entity or Business Associate, is treated as PHI:
- Names, including a full name or a last name with initial(s)
- All geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code), except the initial three digits of a ZIP code, provided the area formed by combining all ZIP codes with those three initial digits contains more than 20,000 people. When that combined area contains 20,000 or fewer people, the initial three digits are changed to 000
- All elements of dates (other than year) directly related to an individual, including birth, admission, discharge, and death dates; and all ages over 89, along with any date elements that would reveal such an age, except that those ages may be aggregated into a single category of 90 or older
- Phone Numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers
- Device identifiers and serial numbers
- Web Uniform Resource Locators (URLs)
- IP addresses
- Biometric identifiers, including finger, retinal and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code, except a re-identification code assigned by the Covered Entity that is not derived from information about the individual and whose mechanism is not disclosed
Individually identifiable information is very sensitive in nature. Many health conditions have a considerable stigma attached, and though it is illegal, employees may face discrimination if an employer discovers that they are sick. Other details, such as Social Security Numbers, can be used for identity theft or insurance fraud.
It is possible to "de-identify" PHI. Under the Safe Harbor method this means removing all 18 identifiers and having no actual knowledge that the remaining information could identify the individual; alternatively, a qualified expert can determine that the risk of re-identification is very small (the Expert Determination method). Properly de-identified data is no longer PHI and is no longer subject to the HIPAA Privacy Rule. Note that "de-identified" is not the same as "anonymous": stripping the listed identifiers does not guarantee that a record cannot be re-identified by linking it with other data sets, which is why the "no actual knowledge" condition exists.
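The Safe Harbor rules above are a procedure with concrete edge cases (the ZIP3 population threshold, the year-only rule for dates, the age-over-89 bucket, and residual identifiers hiding in free text). The following is an added example, not code from the original article, showing one way to apply them to a structured record. It assumes a flat dictionary with the field names used below and a ZIP3 population table whose values are constructed for illustration (real values come from U.S. Census data). It also goes slightly beyond the text by scanning a free-text notes field for identifier patterns that the field-level rules would miss.

```python
"""Safe Harbor-style de-identification of a structured patient record.

Added example; not part of the original article. Field names, the
ZIP3_POPULATION table and the sample records are assumptions.
"""
import re
from datetime import date

# Constructed ZIP3 population table (assumption: illustrative numbers only;
# in practice this comes from Census data for each three-digit prefix).
ZIP3_POPULATION = {"021": 650_000, "036": 12_000}

ZIP3_MIN_POPULATION = 20_000
AGE_CAP = 89  # ages over 89 are collapsed into a single "90+" bucket

# Safe Harbor identifiers that are dropped outright. Only dates, ZIP codes
# and ages have a generalization rule; everything else is removed.
DROP_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "insurance_id", "account_no", "license_no", "vin",
    "device_serial", "url", "ip", "biometric", "photo",
}

# Patterns for identifiers that often survive in free text.
RESIDUAL = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
}


def generalize_zip(zip_code, population=ZIP3_POPULATION):
    """Keep the first three digits only if that ZIP3 area exceeds 20,000 people."""
    m = re.fullmatch(r"(\d{5})(?:-\d{4})?", zip_code.strip())
    if not m:
        return None  # unparseable value: safer to drop than to keep
    prefix = m.group(1)[:3]
    # Unknown prefixes default to population 0 and so collapse to "000".
    return prefix if population.get(prefix, 0) > ZIP3_MIN_POPULATION else "000"


def age_on(dob, ref):
    """Whole years between dob and the reference date."""
    years = ref.year - dob.year
    if (ref.month, ref.day) < (dob.month, dob.day):
        years -= 1
    return years


def deidentify(record, ref_date):
    """Return a Safe Harbor-generalized copy of record (dob is required)."""
    out = {k: v for k, v in record.items() if k not in DROP_FIELDS}

    if "zip" in out:
        out["zip"] = generalize_zip(out["zip"])

    age = age_on(record["dob"], ref_date)
    if age > AGE_CAP:
        # An age over 89 may only appear as the aggregate bucket, and any
        # date element that would reveal it (the birth year) must go too.
        out["age"] = "90+"
        out.pop("dob", None)
    else:
        out["age"] = age
        out["dob"] = record["dob"].year  # year only

    for field in ("admission", "discharge", "death"):
        if field in out and out[field] is not None:
            out[field] = out[field].year

    # Flag residual identifiers in free text rather than silently passing them.
    notes = out.get("notes", "")
    out["residual_hits"] = [name for name, p in RESIDUAL.items() if p.search(notes)]
    return out


# Constructed sample records (assumption: not real patients).
SAMPLE_ELDERLY = {
    "name": "Jane Doe", "dob": date(1932, 5, 4), "zip": "03601",
    "phone": "617-555-0100", "admission": date(2023, 3, 10),
    "diagnosis": "I10", "notes": "Reach patient at jane@example.com",
}
SAMPLE_ADULT = {
    "name": "John Roe", "dob": date(1980, 6, 15), "zip": "02139-1234",
    "admission": date(2023, 3, 10), "diagnosis": "E11.9",
    "notes": "BP 130/85, follow up in 6 weeks",
}

if __name__ == "__main__":
    for rec in (SAMPLE_ELDERLY, SAMPLE_ADULT):
        print(deidentify(rec, date(2023, 3, 10)))
```

The `residual_hits` list is deliberately a flag rather than an automatic redaction: a record that still carries an e-mail address or SSN in its notes has not been de-identified, and the Safe Harbor "no actual knowledge" condition means such records should be routed for manual review, not released.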