About protected health information (PHI) data elements in the classifications of institutional data
At Indiana University, Classification levels of institutional data are defined in IU's Management of Institutional Data (DM-01). The following table lists institutional data elements that do or may constitute protected health information (PHI) regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Depending on the context, Critical data elements may or may not constitute PHI. Institutional data elements not appearing in the table below are not PHI. For questions or more information, contact the University HIPAA Privacy Officer (hipaa@iu.edu
).
Note:
Data element | Classification | Does it constitute PHI? |
---|---|---|
Health information - Fax numbers
|
Critical | PHI |
Health information - Email address
|
Critical | PHI |
Health information - Medical record numbers
|
Critical | PHI |
Health information - Health plan beneficiary numbers
|
Critical | PHI |
Health information - Account numbers
|
Critical | PHI |
Health information - Certificate/license numbers
|
Critical | PHI |
Health information - Device identifiers
|
Critical | PHI |
Health information - URLs, IP addresses
|
Critical | PHI |
Health information - Biometric identifiers
|
Critical | PHI |
Health information - Full face photographic images
|
Critical | PHI |
Health information - Any other unique identifier
|
Critical | PHI |
Health information - Telephone numbers
|
Critical | PHI |
Health information - Names | Critical | PHI |
Social Security number | Critical | PHI if it satisfies this definition
|
Driver's license number | Critical | PHI if it satisfies this definition
|
Passport number | Critical | PHI if it satisfies this definition
|
Visa number | Critical | PHI if it satisfies this definition
|
State identification card number
|
Critical | PHI if it satisfies this definition
|
Certificate/license number | Critical | PHI if it satisfies this definition
|
All payment card data (including all credit/debit cards and cardholder information)
|
Critical | PHI if it satisfies this definition
|
Debit card number | Critical | PHI if it satisfies this definition
|
Bank account number or other financial account numbers
|
Critical | PHI if it satisfies this definition
|
Health information | Critical | PHI if it satisfies this definition; not PHI if de-identified
|
Health information - Geographic information smaller than a state
|
Critical | PHI |
Date of birth/age | Restricted | PHI if it satisfies this definition
|
Emergency contact | Restricted | PHI if it satisfies this definition
|
Home mailing address | Restricted | PHI if it satisfies this definition
|
Home phone | Restricted | PHI if it satisfies this definition
|
Visa status | Restricted | PHI if it satisfies this definition
|
Country of birth or citizenship
|
Restricted | PHI if it satisfies this definition
|
Work authorization (I-9) | Restricted | PHI if it satisfies this definition
|
Job action reason (for example, terminations or leave)
|
Restricted | PHI if it satisfies this definition
|
Benefits enrollment info | Restricted | PHI if it satisfies this definition
|
Payroll information (for example, taxes, deductions, etc.)
|
Restricted | PHI if it satisfies this definition
|
Marital status | Restricted | PHI if it satisfies this definition
|
Examples: IU University ID, preferred name/prior name, position information, part-time/full-time indicator
|
University-internal | PHI if it satisfies this definition
|
Dates of first and last employment
|
Public | PHI if it satisfies this definition
|
Name | Public | PHI if it satisfies this definition
|
Compensation | Public | PHI if it satisfies this definition
|
Job title | Public | PHI if it satisfies this definition
|
Job description | Public | PHI if it satisfies this definition
|
Business address | Public | PHI if it satisfies this definition
|
Business telephone number | Public | PHI if it satisfies this definition
|
Previous work experience | Public | PHI if it satisfies this definition
|
Education and training background
|
Public | PHI if it satisfies this definition
|
Related documents
Get help securely processing, storing, and sharing HIPAA-regulated data at IU
Find information about IRB requirements for research at IU that involves HIPAA-regulated PHI
About dedicated file storage services and IT services with storage components appropriate for sensitive institutional data, including research data containing protected health information
About PHI on laptops or mobile devices
Recommended tools for encrypting data containing HIPAA-regulated PHI
This is document bdtx in the Knowledge Base.
Last modified on 2023-02-02 12:40:35.