Human Research Protection Program

HIPAA and Protected Health Information

The Health Insurance Portability Accountability Act (HIPAA) Privacy Rule was issued to protect a person's individually identifiable health information and addresses the use and disclosure of such information.

The rule attempts to find a compromise between protecting an individual's privacy while allowing for the use of their individually identifiable health information to support the betterment of health care more generally through such things as medical research.

The HIPAA Privacy Rule protects the confidentiality of a person's protected health information (or individually identifiable health information) obtained from or through covered entities (health care providers such as hospitals, insurance companies, clinics, mental health providers, etc.) by giving the person the right to limit who may have access to it, and written authorization to use the person's protected health information must be obtained from that person. 

Protected health information includes any information related to an individual's past, present or future physical or mental health; health care; or payment for health care in such a way as to reasonably expect possible identification of the individual.

Protected health information includes many common identifiers when they can be associated with the health information listed above:

  1. Names (individual, employer, relatives, etc.).

  2. Address (street; city; county; precinct; ZIP code — initial three digits if geographic unit contains more than 20,000 people; or any other geographical codes).

  3. Telephone numbers.

  4. Fax numbers.

  5. Social Security numbers.

  6. Medical record numbers.

  7. Dates (except for years) connected to subjects, including date(s) of birth, admission, discharge, death, ages greater than 89 and all elements of dates indicative of such age (except that such age and elements may be aggregated as "Age ≥90").

  8. Email addresses.

  9. Health plan beneficiary numbers.

  10. Account numbers.

  11. Certificate/license numbers.

  12. Vehicle identifiers and serial numbers (e.g., VINs, license plate numbers, etc.).

  13. Device identifiers and serial numbers.

  14. Universal resource locators (URLs).

  15. Internet protocol (IP) addresses numbers.

  16. Biometric identifiers (e.g., finger or voice prints).

  17. Full-face photographic images (and any comparable images).

  18. Any other unique identifying numbers, characteristics or codes.

Any health information by itself, without the 18 identifiers, is not considered to be protected health information (nor are the identifiers by themselves, without being linked to health information); and, if the health information can be de-identified, or the link between the health information and the 18 identifiers is broken, it is no longer considered to be protected health information.

HIPAA does not prohibit investigators who have not received a subject's written authorization from using the subject's health information in their research, however; it simply puts limits on what and how information may be used: