What is Protected Health Information (PHI)?
Information that includes demographic information that is collected from an individual and:
- Is created or received by a health care provider, health plan, employer, or health care clearing house; and
- Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
- That identifies the individual; or
- With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
PHI Data Elements
- All geographic subdivisions smaller than a state
- All elements of date, except year
- Telephone number
- Fax number
- Social Security Number (SSN)
- Health Record Number (HRN)
- Health Plan Beneficiary Number
- Biometric identifiers, including finger and voice prints
- Account numbers
- Email addresses
- Certificate/license numbers
- Vehicle identifiers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Full face photographic images and comparable images
- Any other unique number, characteristic, or code
Limited Data Set
A Limited Data Set (LDS) is an exception to the HIPAA Privacy Rule requirement for a subject’s authorization to use protected health information for research. An LDS lacks 16 of the 18 identifiers itemized by the Privacy Rule. Because limited data sets may contain identifiable information, they are still PHI. It may retain the following identifiers:
- Five-digit zip codes, Geo-codes
- Town or city or county
- Dates of birth
- Current age of 90 or above
- Dates of death
- Dates of admission/discharge/service
If your data qualifies as a Limited Data Set (LDS) and you are sharing it outside of KPNW, you will need to have a Data Use Agreement (DUA) and Data Transfer Agreement (DTR) in place prior to sending any data. Please see the Sharing Data page on the Research Compliance Website for more information.
Health information is considered de-identified when it does not identify an individual and there is no reasonable basis to believe that the information can be used to identify an individual. For small cells or individual-level data, then to be considered de-identified, the data must not have ANY of the 18 identifiers itemized by the Privacy Rule listed below under "PHI", and it may not contain any other information which might allow re-identification.
Aggregate data tables are usually considered to be de-identified data under HIPAA. For the aggregate data to be shareable, however, the cell size must meet certain conditions. See the aggregate flow chart for guidelines (and the Biostat Core’s “Rules on Sharing Aggregate Data” for more specific details). Aggregate data is also data collected from individual-level records that have been combined for statistical or analytical purposes and that are maintained in a form that does not permit the identification or re-identification of individuals.