What is individually identifiable health information and what must HIPAA-covered entities do to the information before it can be shared for reasons not detailed in the permitted uses and disclosures of the HIPAA Privacy Rule?
What is Individually Identifiable Health Information?
Before answering the question of what individually identifiable health information is, it is necessary to define health information.
HIPAA defines health information as any information created or received by a HIPAA-covered entity (healthcare provider, health plan, or healthcare clearinghouse) or business associate of a HIPAA-covered entity.
Health information includes past, present, and future information about mental and physical health and the condition of an individual, the provision of healthcare to an individual, and information related to payment for healthcare, again in the past, present, or future. Health information also includes demographic information about an individual.
Individually identifiable health information is a subset of health information and, as the name suggests, is health information that can be linked to a specific person, or from which it would be reasonable to believe that an individual could be identified. (See 45 CFR 46.160.103).
The HIPAA Privacy Rule places restrictions on uses and disclosures of individually identifiable health information, but not on health information that does not allow an individual to be identified.
If a HIPAA-covered entity has a data set containing individually identifiable health information, before the information can be shared with an organization or individual for a reason that would otherwise be prohibited under the HIPAA Privacy Rule, the data must first be de-identified.
De-identifying health information requires the following 18 identifiers to be removed from the data set prior to sharing:
- Full name or last name and initial(s)
- Geographical identifiers smaller than a state, except the initial three digits of a zip code, provided the combination of all zip codes starting with those three digits. When the initial three digits of a zip code cover 20,000 or fewer people, they are changed to 000
- Dates directly related to an individual, other than year
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers
- Device identifiers and serial numbers
- Web Uniform Resource Locators (URLs)
- IP addresses
- Biometric identifiers, including finger, retinal and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
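The following is an added example, not part of the original article, showing how the zip code and date rules in the list can be applied to a single record while every other identifier column is removed. The field names, the allowlist of retained fields and the population figures are assumptions constructed for illustration; any column not on the allowlist is dropped, so an unexpected identifier column is never passed through.

```python
from datetime import date

# Assumed column names (not from the article); map them to your own schema.
DATE_FIELDS = {"birth_date", "admission_date"}
ZIP_FIELD = "zip"
RETAINED_FIELDS = {"state", "diagnosis_code"}  # hold none of the listed identifiers
POPULATION_THRESHOLD = 20_000  # from the zip code rule in the list

# Constructed sample data, not census figures or a real patient.
SAMPLE_POPULATION = {"123": 85_000, "456": 12_000}
SAMPLE_RECORD = {
    "name": "Jane Example", "ssn": "000-00-0000", "email": "jane@example.com",
    "zip": "12345", "state": "NY", "birth_date": "1980-04-17",
    "diagnosis_code": "J45", "loyalty_card": "x-17",
}


def generalize_zip(zip_code, prefix_population):
    """Keep only the first three digits; return 000 when the prefix area
    holds 20,000 or fewer people, is unknown, or the value is malformed."""
    prefix = str(zip_code).strip()[:3]
    if len(prefix) < 3 or not prefix.isdigit():
        return "000"
    if prefix_population.get(prefix, 0) <= POPULATION_THRESHOLD:
        return "000"
    return prefix


def deidentify(record, prefix_population):
    """Return a new record: allowlisted fields kept, dates reduced to the
    year, zip code generalized, and every other column dropped."""
    out = {}
    for field, value in record.items():
        if field in RETAINED_FIELDS:
            out[field] = value
        elif field in DATE_FIELDS:
            parsed = date.fromisoformat(value) if isinstance(value, str) else value
            out[field.replace("_date", "_year")] = parsed.year
        elif field == ZIP_FIELD:
            out["zip3"] = generalize_zip(value, prefix_population)
        # Anything else (name, SSN, email, unknown columns) is not copied.
    return out


if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, SAMPLE_POPULATION))
```

Free-text columns need separate review, because identifiers embedded in notes are not caught by column-level handling.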
Further information on how to de-identify health information can be viewed on this link.