About protected health information (PHI)

According to the US Department of Health and Human Services, protected health information (PHI) is individually identifiable health information (see below for definition) that is:

  1. except as provided in item 2 of this definition,
    1. transmitted by electronic media;
    2. maintained in electronic media; or
    3. transmitted or maintained in any other form or medium (includes paper and oral communication).
  2. Protected health information excludes individually identifiable health information:
    1. in education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;
    2. in records described at 20 U.S.C. 1232g(a)(4)(B)(iv);
    3. in employment records held by a covered entity (see below for definition) in its role as employer; and
    4. regarding a person who has been deceased for more than 50 years.

Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and

  1. is created or received by a health care provider, health plan, or health care clearinghouse; and
  2. relates to past, present, or future physical or mental health conditions of an individual; the provision of health care to the individual; or past, present, or future payment for health care to an individual, and
    1. that identifies the individual; or
    2. with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Individually identifiable health information (PHI) is subject to state and federal privacy and security rules, including but not limited to the Health Insurance Portability and Accountability Act (HIPAA).

A covered entity is any health plan, health care clearinghouse, or health care provider that transmits any health information in electronic form in connection with a qualified transaction; the obligations also extend to their business associates. Indiana University has designated itself as a Hybrid Covered Entity. All IU HIPAA Affected Areas, as well as any other area or unit that creates, uses, or stores PHI from another HIPAA Affected Area or from an outside covered entity, are expected to adhere to the HIPAA Privacy and Security Rules.

Data are "individually identifiable" if they include any of the 18 types of identifiers for an individual or for the individual's employer or family member, or if the provider or researcher is aware that the information could be used, either alone or in combination with other information, to identify an individual. These identifiers are:

  • Name
  • Address (all geographic subdivisions smaller than state, including street address, city, county, or ZIP code)
  • All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death, and exact age if over 89)
  • Telephone numbers
  • Fax number
  • Email address
  • Social Security number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate/license number
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers or serial numbers
  • Web URLs
  • IP address
  • Biometric identifiers, including finger or voice prints
  • Full-face photographic images and any comparable images
  • Any other unique identifying number, characteristic, or code
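The list above is what a practitioner has to check a dataset against before it can be treated as de-identified. The following is an added example (not IU's tooling and not part of the HHS definition) of such a screening check in Python: it flags record fields that carry one of the identifier types, applies the date rule (only the year may survive, and an exact age over 89 is itself an identifier), and also scans free-text fields such as clinical notes for embedded identifiers, which goes slightly beyond the field-by-field reading of the list. The field names, regular expressions, and the sample record are all constructed for illustration; a pattern-based screen like this catches common formats but is an aid to review, not a substitute for it.

```python
"""Screen a record against the HIPAA Safe Harbor identifier list.

Hypothetical helper (added example, not IU's or HHS's code): field names,
patterns and the sample record are constructed for illustration.
"""
import re

# Fields whose presence alone makes a record individually identifiable.
DIRECT_IDENTIFIER_FIELDS = {
    "name": "Name",
    "street_address": "Address",
    "city": "Address",
    "zip": "Address",
    "phone": "Telephone number",
    "fax": "Fax number",
    "email": "Email address",
    "ssn": "Social Security number",
    "mrn": "Medical record number",
    "plan_id": "Health plan beneficiary number",
    "account_number": "Account number",
    "license_plate": "Vehicle identifier",
    "device_serial": "Device identifier",
    "ip_address": "IP address",
    "photo": "Full-face photographic image",
}

# Free-text fields (clinical notes etc.) are scanned for embedded identifiers.
# Order matters in deidentify(): phone numbers are redacted before dates so the
# looser date pattern cannot match fragments of a phone number.
FREE_TEXT_PATTERNS = {
    "Social Security number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Email address": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "Telephone number": re.compile(r"\(?\b\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b"),
    "IP address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "Web URL": re.compile(r"\bhttps?://\S+"),
    "Date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}

# Date fields may survive only as a four-digit year; exact ages over 89 are identifiers.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
AGE_FIELD = "age"
MAX_EXACT_AGE = 89

SAMPLE_RECORD = {  # constructed, fictitious data
    "name": "Jane Q. Sample",
    "mrn": "000123456",
    "zip": "47405",
    "birth_date": "1931-04-02",
    "admission_date": "2023-11-17",
    "age": 92,
    "diagnosis": "Type 2 diabetes",
    "notes": "Follow-up call to 812-555-0199; portal email jane@example.org. Seen 11/17/2023.",
}


def find_identifiers(record):
    """Return (field, identifier category) pairs that make the record identifiable."""
    findings = []
    for field, value in record.items():
        if value in (None, ""):
            continue
        if field in DIRECT_IDENTIFIER_FIELDS:
            findings.append((field, DIRECT_IDENTIFIER_FIELDS[field]))
        elif field in DATE_FIELDS and not re.fullmatch(r"\d{4}", str(value)):
            findings.append((field, "Date element other than year"))
        elif field == AGE_FIELD and isinstance(value, int) and value > MAX_EXACT_AGE:
            findings.append((field, "Exact age over 89"))
        elif isinstance(value, str):
            for category, pattern in FREE_TEXT_PATTERNS.items():
                if pattern.search(value):
                    findings.append((field, f"{category} embedded in free text"))
    return findings


def is_deidentified(record):
    """True when no Safe Harbor identifier is found in the record."""
    return not find_identifiers(record)


def deidentify(record):
    """Return a Safe Harbor copy: direct identifiers dropped, dates reduced to the
    year, ages over 89 collapsed to '90 or older', free-text identifiers redacted."""
    clean = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue
        if field in DATE_FIELDS and value:
            clean[field] = str(value)[:4]  # assumes ISO YYYY-MM-DD input
        elif field == AGE_FIELD and isinstance(value, int) and value > MAX_EXACT_AGE:
            clean[field] = "90 or older"
        elif isinstance(value, str):
            for category, pattern in FREE_TEXT_PATTERNS.items():
                value = pattern.sub(f"[{category.upper()} REDACTED]", value)
            clean[field] = value
        else:
            clean[field] = value
    return clean


if __name__ == "__main__":
    for field, category in find_identifiers(SAMPLE_RECORD):
        print(f"{field}: {category}")
    print(deidentify(SAMPLE_RECORD))
```

Running the module prints nine findings for the sample record (three direct identifier fields, two full dates, one exact age over 89, and a phone number, email address, and date embedded in the notes) and then the de-identified copy, which passes `is_deidentified()`.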

All protected health information is subject to federal Health Insurance Portability and Accountability Act (HIPAA) regulation.

Electronic protected health information (ePHI)

Electronic protected health information (ePHI) is any protected health information (PHI) that is created, stored, transmitted, or received electronically.

The HIPAA Security Rule covers any medium used to store, transmit, or receive PHI electronically. The following, and any future technologies used for accessing, transmitting, or receiving PHI electronically, are covered:

  • Media containing data at rest (storage)
    • Personal computers with internal hard drives used at work, home, or traveling
    • External portable hard drives, including iPods and similar devices
    • Magnetic tape
    • Removable storage devices, such as USB memory sticks, CDs, DVDs, and floppy disks
    • PDAs and smartphones
  • Data in transit, via wireless, Ethernet, modem, DSL, or cable network connections
    • Email
    • File transfer

If you have questions about securing HIPAA-regulated research data at IU, email securemyresearch@iu.edu. SecureMyResearch provides self-service resources and one-on-one consulting to help IU researchers, faculty, and staff meet cybersecurity and compliance requirements for processing, storing, and sharing regulated and unregulated research data; for more, see About SecureMyResearch. To learn more about properly ensuring the safe handling of PHI on UITS systems, see the UITS IT Training video Securing HIPAA Workflows on UITS Systems. To learn about division of responsibilities for securing PHI, see Shared responsibility model for securing PHI on UITS systems.

This is document ayyz in the Knowledge Base.
Last modified on 2023-11-17 10:27:08.