What is individually identifiable health information?


Individually identifiable health information is defined in the HIPAA Administrative Simplification Regulations (45 CFR §160.103) as a subset of health information, including demographic information collected from an individual, that is created or received by a healthcare provider, health plan, employer, or healthcare clearinghouse; that relates to the past, present, or future physical or mental health or condition of the individual, the provision of healthcare to the individual, or payment for that healthcare; and that either identifies the individual or gives a reasonable basis to believe the individual can be identified from it.

The definition of individually identifiable health information differs very little from the definitions of “health information” and “protected health information” that also appear in §160.103, the most visible difference being its explicit reference to “demographic information” (age, address, ethnicity, etc.). The inclusion of this term has led a number of sources to confuse what is considered Protected Health Information (PHI) under HIPAA with the eighteen so-called “HIPAA identifiers”.

What is Considered PHI Under HIPAA?

The confusion between what is considered PHI under HIPAA and the HIPAA identifiers exists because any individually identifiable non-health information stored in the same “designated record set” as PHI automatically assumes the same protections as PHI. For example, if a patient informs their healthcare provider of a new cell phone number, and the cell phone number is added to a folder which contains the patient’s health information, the cell phone number assumes the same protections as the patient’s health information.

However, because the cell phone number is not health information, if it is added to a folder which does not contain PHI – for example, a marketing database – the cell phone number is not protected by HIPAA (although other state data security laws may apply). This distinction between what is considered PHI under HIPAA and what is not considered PHI applies to any identifying demographic information that does not relate to an individual’s condition, treatment for the condition, or payment for the treatment.

What about the Eighteen HIPAA Identifiers?

The “HIPAA identifiers” are the identifiers that – at the time the Privacy Rule was finalized (2000, with modifications in 2002) – had to be removed from a data set before the remaining information was considered de-identified under the safe harbor method of de-identification in §164.514(b)(2). The safe harbor method has a second condition that is often overlooked: the covered entity must also have no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual. None of the identifiers are individually identifiable health information or PHI when they are maintained outside a designated record set.

In addition, many of the eighteen identifiers are out of date. Since the finalization of the Privacy Rule, CMS has introduced Medicare Beneficiary Identifiers (MBIs) to replace the Social Security Number-based numbers previously used on claims and billing processes, many IP addresses are masked by VPNs or shared between users behind a single gateway, and many people communicate using contacts, aliases, and social media handles rather than phone numbers, fax numbers, and email addresses. The list itself has not been amended, however, so all eighteen identifiers still have to be removed for the safe harbor method to apply.
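The safe harbor method described above is, in practice, a data transformation, and it is easy to get the two non-trivial rules wrong: the three-digit ZIP rule (prefix kept only when the combined three-digit area has more than 20,000 people, otherwise 000) and the date rule (only the year survives, and ages over 89 must be collapsed to “90 or older”). The following Python example is added here to show those rules applied to a structured record; it is not code from the original page or from any HIPAA guidance. The field names, the set of small ZIP prefixes and the sample records are assumptions constructed for the example (the real prefix set must come from current Census data), and the free-text scrubber is a minimal heuristic, not a substitute for removing or properly scrubbing free-text notes.

```python
import re
from datetime import date

# Constructed for this example. In production this set is derived from current
# Census data and lists every 3-digit ZIP prefix covering 20,000 people or fewer.
SMALL_ZIP3_PREFIXES = {"036", "059", "102", "203"}

# Assumed record layout: which fields carry the direct identifiers in
# §164.514(b)(2)(i)(A) and (D)-(Q). Category (R), "any other unique identifying
# number, characteristic, or code", cannot be caught by a fixed field list.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_number", "license_number", "vehicle_id", "device_id",
    "url", "ip_address", "biometric", "photo",
}
# Geographic subdivisions smaller than a state (B); state itself may stay.
GEO_FIELDS = {"street", "city", "county"}
# Dates directly related to the individual (C); values are datetime.date objects.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}

# Minimal free-text patterns (email first so its digits are not misread as a phone).
FREE_TEXT_PATTERNS = [
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),          # email address
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),             # US SSN layout
    re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),   # US phone layout
]


def generalize_zip(zip_code):
    """Rule (B): keep the first three digits, or 000 for a small-population area."""
    zip3 = re.sub(r"\D", "", zip_code)[:3]
    if len(zip3) != 3:
        return None
    return "000" if zip3 in SMALL_ZIP3_PREFIXES else zip3


def age_on(dob, as_of):
    """Completed years between dob and as_of."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def scrub_free_text(text):
    """Heuristic redaction of obvious identifier patterns in a notes field."""
    for pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text


def safe_harbor_deidentify(record, as_of):
    """Return a new dict with the safe harbor identifiers removed or generalized.

    as_of is the reference date used to compute age for the over-89 rule.
    """
    age = record.get("age")
    if "dob" in record:
        age = age_on(record["dob"], as_of)
    over_89 = age is not None and age > 89

    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or key in GEO_FIELDS or key == "age":
            continue
        if key in DATE_FIELDS:
            # Only the year survives; a birth year that would reveal an age
            # over 89 is dropped entirely rather than aggregated.
            if key == "dob" and over_89:
                continue
            out[key] = value.year
        elif key == "zip":
            zip3 = generalize_zip(value)
            if zip3 is not None:
                out[key] = zip3
        elif key == "notes":
            out[key] = scrub_free_text(value)
        else:
            out[key] = value
    if age is not None:
        out["age"] = "90+" if over_89 else age
    return out


# Constructed sample records for the example.
SAMPLE_OLDER = {
    "name": "Jane Example", "dob": date(1931, 5, 14), "admit_date": date(2023, 2, 3),
    "zip": "03601", "street": "1 Main St", "city": "Anytown", "state": "NH",
    "phone": "555-0100", "email": "jane@example.com", "mrn": "MRN-0001",
    "ip_address": "192.0.2.10", "diagnosis": "hypertension",
    "notes": "Call 555-123-4567 or mail j@example.org before discharge.",
}
SAMPLE_YOUNGER = {
    "name": "John Example", "dob": date(1980, 8, 20), "admit_date": date(2023, 2, 3),
    "zip": "10001-1234", "state": "NY", "diagnosis": "fracture",
}

if __name__ == "__main__":
    for rec in (SAMPLE_OLDER, SAMPLE_YOUNGER):
        print(safe_harbor_deidentify(rec, date(2024, 1, 1)))
```

The function deliberately keeps an allow-through for unknown fields, which is the opposite of what a production pipeline should do: category (R) of the safe harbor list means any unanticipated unique identifier in a new column silently defeats the method, so a real implementation should drop unknown fields by default and require each retained field to be reviewed.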


Why it is Important to Know What is Individually Identifiable Health Information

It is important to know what is individually identifiable health information in healthcare to ensure that health information is adequately protected and that operational activities are not impeded by non-health information being overprotected. For example, overprotecting non-health information can leave administrative staff unable to access individuals’ phone numbers because they do not have the permissions required to log into a protected system (e.g., an EHR).

Not only do covered entities and business associates need to know what is individually identifiable health information, but their workforces also need to know how to distinguish what is protected by HIPAA from what is not. This should be covered in basic HIPAA training, and covered entities or business associates that need help explaining what is individually identifiable health information to their workforce are advised to seek HIPAA compliance advice.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/