What is individually identifiable health information?

by

One of the core parts of the Health Insurance Portability and Accountability Act of 1996 is to protect patient privacy. Yet not all data is protected by HIPAA. The Act defines a subset of information – protected health information, or PHI – that it applies to. One of the key features of PHI is that it is “individually identifiable”, but what does that mean? What is individually identifiable health information? We will discuss the answer here. 

HIPAA only applies to health information, which includes any details of past, present, or future medical conditions and treatment plans or information relating to the payment of those conditions. 

Importantly, it is only covered by HIPAA if it has been created or received by a HIPAA Covered Entity or Business Associate. Broadly, Covered Entities are defined as healthcare clearinghouses, health plans, or healthcare providers. This means that health information that may be received by your employer, for example, is usually not covered by HIPAA

But what does it mean for this data to be individually identifiable? If the information contains sufficient data that it could be traced back to a single person (i.e., could be used to identify that person), then it is considered to be individually identifiable. This information includes a range of demographic and economic factors, such as names, addresses, or bank account details. 

HIPAA defines 18 “identifiers”, and the presence of any of them in health information renders that information PHI: 

  1. Full name or last name and initial(s)
  2. Geographical identifiers smaller than a state, except the initial three digits of a zip code, provided the combination of all zip codes starting with those three digits. When the initial three digits of a zip code contains 20,000 or fewer people it is changed to 000
  3. Dates directly related to an individual, other than year
  4. Phone Numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health insurance beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers
  13. Device identifiers and serial numbers;
  14. Web Uniform Resource Locators (URLs)
  15. IP addresses
  16. Biometric identifiers, including finger, retinal and voice prints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data

Individually identifiable information is very sensitive in nature. Many health conditions have a considerable stigma attached, and though it is illegal, employees may face discrimination if an employer discovers that they are sick. Other details, such as Social Security Numbers, can be used for identity theft or insurance fraud. 

It is possible to “de-identify” PHI by removing these identifiers. This anonymizes the health data, meaning it is no longer subject to the strict rules of HIPAA. 

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]