HIPAA and PHI

The Health Insurance Portability Accountability Act (HIPAA) Privacy Rule was issued to protect a person's health information and addresses the use and disclosure of such information. The rule attempts to find a compromise between protecting an individual's privacy while allowing for the use of their health information to support the betterment of health care more generally through such things as medical research.

The HIPAA Privacy Rule protects the confidentiality of a person's PHI (Protected Health Information, or individually identifiable health information) obtained from or through covered entities (health care providers such as hospitals, insurance companies, clinics, mental health providers, etc.) by giving the person the right to limit who may have access to it.

PHI includes any information related to an individual's past, present, or future 1) physical or mental health, 2) health care, or 3) payment for health care in such a way as to reasonably expect possible identification of the individual.

This does not prohibit investigators who have not received a subject's permission from using the subject's health information in their research; it simply puts limits on what and how information may be used.

PHI includes many common identifiers when they can be associated with the health information listed above:

  1. Names (individual, employer, relatives, etc.)

  2. Address (street, city, county, precinct, zip code -- initial 3 digits if geographic unit contains >20,000 people, or any other geographical codes)

  3. Telephone Numbers

  4. Fax Numbers

  5. Social Security Numbers

  6. Medical Record Numbers

  7. Dates (except for years) connected to subjects, including date(s) of birth, admission, discharge, death, ages >89, and all elements of dates indicative of such age (except that such age and elements may be aggregated as "Age <90")

  8. E-mail Addresses

  9. Health Plan Beneficiary Numbers

  10. Account Numbers

  11. Certificate/License Numbers

  12. Vehicle Identifiers and Serial Numbers (e.g., VINs, License Plate #, etc.)

  13. Device Identifiers and Serial Numbers

  14. Universal Resource Locators (URLs)

  15. Internet Protocol (IP) Addresses Numbers

  16. Biometric Identifiers (e.g., finger or voice prints)

  17. Full Face Photographic Images (and any comparable images)

  18. Any other unique identifying numbers, characteristics, or codes

Any health information by itself, without the 18 identifiers is not considered to be PHI (nor are the identifiers by themselves, without being linked to health information); and, if the health information can be de-identified, or the link between the health information and the 18 identifiers is broken, it is no longer considered to be PHI.

The investigator may also enter into a Data Use Agreement (DUA) with the covered entity, which allows the investigator to use a limited data set that excludes specified direct identifiers.

Finally, the investigator may, under certain conditions, request a waiver/alteration of authorization from the IRB, which could allow the investigator to use PHI. The following criteria must be met before such a waiver can be granted:

  1. The use or disclosure of the PHI involves no more than minimal risk to the privacy of individuals based on, at least, the presence of the following elements:
    • An adequate plan to protect health information identifiers from improper use and disclosure
    • An adequate plan to destroy identifiers at the earliest opportunity consistent with the conduct of the research (absent a health or research justification for retaining them or a legal requirement to do so)
    • Adequate written assurances that the PHI will not be reused or disclosed to (shared with) any other person or entity, except as required by law, for authorized oversight of the research, or for other research for which the use or disclosure of the PHI would be permitted under the Privacy Rule
  2. The research could not practicably be conducted without the waiver or alteration
  3. The research could not practicably be conducted without access to and use of the PHI

Investigators who wish to do research involving PHI must include a completed Statement on HIPAA Protected Health Information Use form in their IRB application. 

Investigators who wish to request a waiver/alteration of authorization from the IRB must include a completed Application for Waiver or Modification of Authorization for Use or Disclosure of PHI form in their IRB application. 

For  more information regarding research and HIPAA, see:

HHS's HIPAA Special Topics: Research

NIH's Health Services Research and the HIPAA Privacy Rule