Is a Date of Birth PHI?

A date of birth is PHI if it is stored with individually identifiable health information that is maintained by a HIPAA covered entity or business associate, and if the date of birth could be used with other data elements in the same designated record set to identify the subject of the individually identifiable health information or somebody connected to them.  

PHI is defined in the HIPAA General Provisions as individually identifiable health information relating to an individual’s health condition, treatment for the condition, or payment for the treatment. As a date of birth by itself does not fulfil the criteria to be individually identifiable health information, this raises the question of whether a date of birth is PHI and, if so, when.

One answer is that any data element stored in a designated record set with individually identifiable health information assumes the same protected status as the individually identifiable health information if the data element could be used – independently or with other data elements – to identify the subject of the individually identifiable health information.

However, in the context of answering the question of whether a date of birth is PHI, dates of birth relating to parents, children, and partners could also be stored with an individual’s individually identifiable health information. These too would be considered PHI because they could be used to identify the subject of the individually identifiable health information if used with other data elements.

In addition, an individual’s date of birth could be stored in a designated record set with a parent’s, child’s, or partner’s individually identifiable health information. In these circumstances, the date of birth would still be considered PHI because it could be used to identify the parent, child, or partner with sufficient other data elements.

Should a Date of Birth Always be Considered PHI?

While it would appear that HIPAA covered entities should always consider a date of birth PHI, there are several circumstances in which it is permissible to disclose a date of birth for non-standard purposes. The first is when PHI is disclosed in a limited data set for research, public health activities, or healthcare operations subject to assurances it will not be further disclosed.

The second circumstance is when PHI is disclosed to a business associate or institutionally related foundation for fundraising purposes. In this case, HIPAA covered entities may only disclose limited demographic data to the third party, and the reason for the disclosure (in this case, fundraising) must be included in the covered entity’s Notice of Privacy Practices.

The third circumstance is when a date of birth is de-identified under the safe harbor method of de-identification. In this case, the day and month must be removed from the date, so just the year remains. Once a date of birth is de-identified to HIPAA standards, it is no longer considered PHI and can be shared with third parties for any purpose without a HIPAA authorization.

These exceptions to when a date of birth is PHI may not apply to all HIPAA covered entities because not all covered entities disclose PHI in limited data sets, for fundraising purposes, or in de-identified format. However, if they do apply, the circumstances in which a date of birth is considered PHI – or not considered PHI – should be covered in HIPAA training for applicable members of the workforce.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches.