Must Know Facts About Individually Identifiable Health Information

Individually Identifiable Health Information

What are considered individually identifiable health information?  What are the permitted uses and disclosures of individually identifiable health information under the HIPAA Privacy Rule?

Health information refers to any information created or received by a HIPAA-covered entity, such as healthcare providers, health plans, healthcare clearinghouse or business associates of a HIPAA-covered entity. It includes past, present, and future information related to mental health, physical health,  medical condition of a person, healthcare treatment and healthcare payment. Health information also includes a person’s demographic information.

Individually identifiable health information refers to health information that can be linked to a specific person, or vice versa (See 45 CFR 46.160.103). According to the HIPAA Privacy Rule, there are restrictions on uses and disclosures of individually identifiable health information, but not on health information that does not identify an individual.

If a HIPAA-covered entity would like to share health information with an organization or individual that would otherwise be prohibited under the HIPAA Privacy Rule, the data must be de-identified first before sharing. To de-identify health information, remove the following 18 identifiers from the health information:

  • Full name or last name and initial(s)
  • Geographical identifiers smaller than a state, except the initial three digits of a zip code
  • Dates directly related to an individual, except year
  • Telephone Numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Health insurance beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Medical record numbers
  • Vehicle identifiers
  • Device identifiers and serial numbers
  • IP addresses
  • Web Uniform Resource Locators (URLs)
  • Biometric identifiers, such as finger, retinal and voice prints
  • Full face photographic images and any comparable images
  • Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/