The HIPAA identifiers are sometimes confused with the definition of Protected Health Information, so it is important to know what the HIPAA identifiers are and why they are not necessarily PHI.
In the Privacy Rule, standard §164.514 sets out the “Other requirements relating to uses and disclosures of protected health information”. This standard covers topics such as de-identifying PHI, using PHI for fundraising, verifying the identity of a person to whom Protected Health Information (PHI) is disclosed, and creating a limited data set. De-identification and the limited data set are separate provisions: §164.514(e) lets a limited data set retain dates and town, city, state and zip code, whereas full de-identification does not.
In the context of de-identification, §164.514(b)(2) (the “safe harbor” method) lists eighteen identifiers “of the individual or of relatives, employers, or household members of the individual” that must be removed from a record set before the remaining health information ceases to be protected health information. Removing the identifiers is not sufficient on its own: the covered entity must also have no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual.
- Names (Full or last name and initial)
- All geographic subdivisions smaller than a state (street address, city, county, precinct, zip code and their equivalent geocodes), except the initial three digits of a zip code, provided that, according to current publicly available data from the U.S. Bureau of the Census, the geographic unit formed by combining all zip codes with those three initial digits contains more than 20,000 people; the initial three digits of any such unit containing 20,000 or fewer people are changed to 000
- All elements of dates (other than year) directly related to an individual, including birth date, admission date, discharge date and date of death; and all ages over 89 and all elements of dates (including year) indicative of such an age, except that such ages and elements may be aggregated into a single category of age 90 or older
- Phone Numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers (including serial numbers and license plate numbers)
- Device identifiers and serial numbers
- Web Uniform Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger, retinal and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code, except a re-identification code permitted by §164.514(c), which must not be derived from or related to information about the individual, must not otherwise be capable of being translated to identify the individual, and must not be used or disclosed for any other purpose
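As an added example (not code from the original article), the following Python pass applies the safe harbor rules above to a constructed patient record: direct identifiers are dropped, dates are reduced to the year (and the birth year is dropped for ages over 89), zip codes are generalized to three digits with the 20,000-person exception, and identifiers that leak into free-text notes are scrubbed with regular expressions. The field names, the sample record and the low-population zip prefix set are assumptions made for the example; a real deployment must take that set from current Census Bureau data.

```python
"""Safe Harbor de-identification pass over a structured patient record.
Added example, not from the original article; field names, the sample
record and the low-population ZIP prefixes are constructed assumptions.
"""
import re
from datetime import date

# ASSUMPTION: placeholder three-digit ZIP prefixes whose combined population
# is 20,000 or fewer. Populate from current Census Bureau data in real use.
LOW_POPULATION_ZIP3 = {"036", "059", "102", "203"}

# Assumed field names holding direct identifiers; removed outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "insurance_id", "account_no",
    "license_no", "plate", "device_serial", "url", "ip", "fingerprint", "photo",
}
# Date fields are reduced to the year.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}

# Identifiers that leak into free text. Specific patterns (email, URL, IP,
# SSN) run before the looser phone pattern so they are not mis-tagged.
FREE_TEXT_PATTERNS = [
    ("[EMAIL]", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("[URL]", re.compile(r"https?://\S+")),
    ("[IP]", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("[SSN]", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("[PHONE]", re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")),
    ("[DATE]", re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b|\b\d{4}-\d{2}-\d{2}\b")),
]

def generalize_zip(zip_code):
    """Keep the first three digits unless the unit is a low-population one."""
    prefix = re.sub(r"\D", "", str(zip_code))[:3]
    return "000" if len(prefix) < 3 or prefix in LOW_POPULATION_ZIP3 else prefix

def age_on(dob, reference):
    """Age in completed years on the reference date."""
    years = reference.year - dob.year
    if (reference.month, reference.day) < (dob.month, dob.day):
        years -= 1
    return years

def scrub_text(text):
    """Replace identifiers embedded in free text with placeholder tokens."""
    for label, pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text

def deidentify(record, reference_date):
    """Return (de-identified record, list of removed fields).
    Only the removal step is automated; Safe Harbor also requires that the
    covered entity has no actual knowledge that the remainder could identify
    the individual, and that judgement cannot be made here.
    """
    out, removed = {}, []
    dob = record.get("dob")
    age = age_on(dob, reference_date) if dob else None
    over_89 = age is not None and age > 89
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            removed.append(field)
        elif field in DATE_FIELDS:
            # Year only; drop even the birth year when it would reveal an age over 89.
            out[field] = None if (over_89 and field == "dob") else value.year
        elif field == "zip":
            out[field] = generalize_zip(value)
        elif isinstance(value, str):
            out[field] = scrub_text(value)
        else:
            out[field] = value
    if age is not None:
        out["age"] = "90+" if over_89 else age  # ages over 89 aggregated to one bucket
    return out, removed

# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Public",
    "dob": date(1931, 4, 2),
    "admission_date": date(2023, 11, 14),
    "zip": "03601",
    "phone": "555-867-5309",
    "ssn": "123-45-6789",
    "mrn": "MRN-0042",
    "ip": "203.0.113.7",
    "diagnosis": "Type 2 diabetes",
    "notes": "Follow-up on 11/21/2023; call 555-867-5309 or jane@example.com.",
}

def deidentify_sample():
    """Run the constructed sample through the pass as of 2024-01-01."""
    return deidentify(SAMPLE_RECORD, date(2024, 1, 1))

if __name__ == "__main__":
    cleaned, dropped = deidentify_sample()
    print("removed:", sorted(dropped))
    for field, value in cleaned.items():
        print(f"{field}: {value}")
```

Note what the code does not do: it automates only the removal step. Safe harbor also requires that the covered entity has no actual knowledge that the remaining data could identify the individual, and regex scrubbing of free text is best effort rather than a guarantee (a nickname or a rare condition mentioned in a clinical note passes straight through).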
Are HIPAA Identifiers PHI?
HIPAA identifiers are not necessarily PHI. This is because the (summarized) definition of PHI is “any information relating to an individual's medical condition, treatment for the condition, or payment for the treatment, that is created, received, maintained, or transmitted by a Covered Entity or Business Associate that identifies the individual or could be used to identify the individual.”
Information of this nature is usually maintained in a designated record set – typically a group of records that includes medical and billing records and that is used in whole or in part to make eligibility, treatment, and payment decisions about the individual.
A designated record set will naturally include identifiers such as names, addresses and dates, and when these identifiers are maintained in a designated record set they take on the same protections as the health information in that set and should be considered PHI.
However, if the same identifiers are stored in a database with no health information in the same group of records (for example, a hospital's employment records, which HIPAA expressly excludes from PHI), they are not protected by the HIPAA Privacy Rule, because the Privacy Rule only protects the “privacy of individually identifiable health information”. The caveat is that the context must not itself relate to health care: a bare list of patient names held by a provider still reveals that those individuals received treatment, and remains PHI.
Additionally, a designated record set may contain information outside the list of HIPAA identifiers that nevertheless identifies, or could be used to identify, an individual; for example, details of an emotional support animal or a social media alias. This is why the safe harbor method also requires that the covered entity has no actual knowledge that the remaining information could identify the individual.
What are HIPAA Identifiers? Conclusion
In conclusion, the HIPAA identifiers are the list of eighteen identifiers, compiled more than twenty years ago, that the Privacy Rule's safe harbor method requires to be removed before the remaining health data ceases to be protected by the Privacy Rule.
The HIPAA identifiers should only be considered PHI if they are maintained in a designated record set with the individual's health information. If any of the identifiers are maintained in a group of records that does not include the individual's health information, they are not protected by the Privacy Rule, but they may still be subject to state privacy and security laws, which HIPAA does not preempt where they are more stringent.