HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

What is Individually Identifiable Health Information?

What is individually identifiable health information and what must HIPAA-covered entities do to the information before it can be shared for reasons not detailed in the permitted uses and disclosures of the HIPAA Privacy Rule?

What is Individually Identifiable Health Information?

Before answering the question, what is individually identifiable health information, it is necessary to define health information.

HIPAA defines health information as any information created or received by a HIPAA-covered entity (healthcare provider, health plan, or healthcare clearinghouse) or business associate of a HIPAA-covered entity.

Health information includes past, present, and future information about mental and physical health and the condition of an individual, the provision of healthcare to an individual, and information related to payment for healthcare, again in the past, present, or future. Health information also includes demographic information about an individual.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

Individually identifiable health information is a subset of health information, and as the name suggests, is health information that can be linked to a specific person, or if it would be reasonable to believe that an individual could be identified from the information. (See 45 CFR 46.160.103).

The HIPAA Privacy Rule places restrictions on uses and disclosures of individually identifiable health information, but not on health information that does not allow an individual to be identified.

If a HIPAA-covered entity has a data set containing individually identifiable health information, before the information can be shared with an organization or individual for a reason that would otherwise be prohibited under the HIPAA Privacy Rule, the data must first be de-identified.

De-identifying health information requires the following 18 identifiers to be removed from the data set prior to sharing:

  1. Full name or last name and initial(s)
  1. Geographical identifiers smaller than a state, except the initial three digits of a zip code, provided the combination of all zip codes starting with those three digits. When the initial three digits of a zip code contains 20,000 or fewer people it is changed to 000
  2. Dates directly related to an individual, other than year
  3. Phone Numbers
  4. Fax numbers
  5. Email addresses
  6. Social Security numbers
  7. Medical record numbers
  8. Health insurance beneficiary numbers
  9. Account numbers
  10. Certificate/license numbers
  11. Vehicle identifiers
  12. Device identifiers and serial numbers;
  13. Web Uniform Resource Locators (URLs)
  14. IP addresses
  15. Biometric identifiers, including finger, retinal and voice prints
  16. Full face photographic images and any comparable images
  17. Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data

Further information on how to deidentify health information can be viewed on this link.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.