What are considered individually identifiable health information? What are the permitted uses and disclosures of individually identifiable health information under the HIPAA Privacy Rule?
Health information refers to any information created or received by a HIPAA-covered entity, such as healthcare providers, health plans, healthcare clearinghouse or business associates of a HIPAA-covered entity. It includes past, present, and future information related to mental health, physical health, medical condition of a person, healthcare treatment and healthcare payment. Health information also includes a person’s demographic information.
Individually identifiable health information refers to health information that can be linked to a specific person, or vice versa (See 45 CFR 46.160.103). According to the HIPAA Privacy Rule, there are restrictions on uses and disclosures of individually identifiable health information, but not on health information that does not identify an individual.
If a HIPAA-covered entity would like to share health information with an organization or individual that would otherwise be prohibited under the HIPAA Privacy Rule, the data must be de-identified first before sharing. To de-identify health information, remove the following 18 identifiers from the health information:
- Full name or last name and initial(s)
- Geographical identifiers smaller than a state, except the initial three digits of a zip code
- Dates directly related to an individual, except year
- Telephone Numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Health insurance beneficiary numbers
- Account numbers
- Certificate/license numbers
- Medical record numbers
- Vehicle identifiers
- Device identifiers and serial numbers
- IP addresses
- Web Uniform Resource Locators (URLs)
- Biometric identifiers, such as finger, retinal and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data