Protected Health Information

Episode 10: Know The Rules! Protected Health Information

What is Protected Health Information?

The simple answer is ANY information in your Protected Health Information (PHI) that can be used to identify you. A total of 18 unique identifiers must be removed to meet the “Safe Harbor” method.

PHI, as defined by the US Health Insurance Portability and Accountability Act (HIPAA), is any information about health status, provision of healthcare, or payment for healthcare that is created or collected by healthcare organizations, referred to as Covered Entities (CEs), or by their Business Associates (BAs), and can be linked to a specific individual. This is interpreted rather broadly and includes any part of a patient’s medical record or payment history [i].

The HIPAA Privacy Rule protects most “individually identifiable health information” held or transmitted by a CE or its BA, in any form or medium, whether electronic, on paper, or oral. The Privacy Rule calls this information PHI [ii].

Section 164.514(a) of the Privacy Rule provides the standard for de-identification of protected health information. Under this standard, health information is not individually identifiable if it does not identify an individual and if the covered entity has no reasonable basis to believe it can be used to identify an individual.

Sections 164.514(b) and (c) contain the implementation specifications that offer two methods to achieve de-identification in accordance with the HIPAA Privacy Rule.

The first is the “Expert Determination” method:

CEs or BAs may use the Expert Determination method to verify PHI is not individually identifiable health information only if they are able to provide assurances of the following:

1) A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:

   a) Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and

   b) Documents the methods and results of the analysis that justify such determination.

The second is the “Safe Harbor” method:

The Safe Harbor method de-identifies PHI by removing specific identifiers from the data set. Examples of PHI include a medical record, laboratory report, or hospital bill, because each document contains a patient’s name and/or other identifying information associated with the health data content. All of the following 18 identifiers must be removed!

  1. Names
  2. All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the U.S. Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
  3. Dates (other than year) directly related to an individual
  4. Phone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health insurance beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web Uniform Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger, retinal and voice prints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
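As an added illustration (not code from the original post), here is a small Python helper that applies the Safe Harbor rules listed above to a single patient record: direct identifiers are dropped, dates are reduced to the year, and ZIP codes are cut to three digits or replaced with 000 when the three-digit area covers 20,000 or fewer people. The field names and the population table are constructed for the example; real population figures must come from the current U.S. Census Bureau data.

```python
import re
from datetime import date

# Constructed sample table: population of the area covered by each 3-digit ZIP
# prefix. Real values must come from current U.S. Census Bureau data.
ZIP3_POPULATION = {"021": 650_000, "036": 17_000, "100": 1_500_000}

# Field names (assumed for this example) holding direct identifiers from the
# Safe Harbor list; these are dropped outright rather than generalized.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account", "license", "vin", "device_serial", "url", "ip", "biometric",
    "photo",
}


def generalize_zip(zip_code):
    """Keep only the first 3 digits, and only if that prefix covers more than
    20,000 people; otherwise return '000' as the Safe Harbor rule requires.
    Prefixes missing from the table are treated conservatively as '000'."""
    digits = re.sub(r"\D", "", zip_code or "")
    prefix = digits[:3]
    if len(prefix) < 3 or ZIP3_POPULATION.get(prefix, 0) <= 20_000:
        return "000"
    return prefix


def generalize_date(value):
    """Reduce a date directly related to an individual to its year only."""
    if isinstance(value, date):
        return str(value.year)
    m = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", str(value))
    return m.group(1) if m else None  # unrecognised format: caller drops it


def safe_harbor(record):
    """Return a copy of `record` with the Safe Harbor identifiers removed or
    generalized. Keys ending in '_date' are treated as individual dates."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key.endswith("_date"):
            year = generalize_date(value)
            if year is not None:
                out[key] = year
        else:
            out[key] = value
    return out
```

Free-text fields pass through unchanged, so the catch-all 18th identifier (any other unique number, characteristic, or code) still needs a separate review step.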

Both methods, even when properly applied, yield de-identified data that retains some risk of identification. Although the risk is very small, it is not zero, and there is a possibility that de-identified data could be linked back to the identity of the patient to which it corresponds.

Regardless of the method by which de-identification is achieved, the Privacy Rule does not restrict the use or disclosure of de-identified health information, as it is no longer considered protected health information.

For information on de-identification of PHI by Expert Determination (45 CFR § 164.514(b)(1)) and Safe Harbor (45 CFR § 164.514(b)(2)), see the guidance available from the U.S. Department of Health and Human Services’ Office for Civil Rights.

Don’t know where or how to start or update your HIPAA security compliance program? Let’s chat about your compliance program – schedule a call with HIPAA alli today!

[ii] Protected health information (PHI) is defined as individually identifiable health information transmitted or maintained by a covered entity or its business associates in any form or medium (45 CFR 160.103). The definition exempts a small number of categories of individually identifiable health information, such as individually identifiable health information found in employment records held by a Covered Entity in its role as an employer.
