Protected Health Information

Description

Protected Health Information (PHI) is all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral.

“Individually identifiable health information” is information, including demographic data, that relates to:

  • the individual’s past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.

Data Classification

Restricted

Examples

PHI that is linked to any of the following 18 identifiers must be treated with special care:

  1. Names
  2. All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: (a) the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (b) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people are changed to 000
  3. Dates (other than year) directly related to an individual
  4. Phone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health insurance beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web Uniform Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger, retinal and voice prints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data

University Policies

The UCMC Privacy Policies apply to the “Medical Center,” which means all of the components that support Health Care. These components are together called the “UC OHCA” or “UC Organized Health Care Arrangement.” The components are:

  • The University of Chicago Medical Center, including its nurses, residents, other staff, and volunteers,
  • The University of Chicago Biological Sciences Division and other portions of the University of Chicago, in both cases where they support the activities of Health Care, including its physicians, nurses, students, volunteers, and other staff, and
  • UCMC Community Physicians LLC.

Laws and Regulations

U.S. Department of Health and Human Services (http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/): The Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) established a set of national standards for the protection of certain health information. The U.S. Department of Health and Human Services (“HHS”) issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The Privacy Rule standards address the use and disclosure of individuals' protected health information by covered entities (organizations that are subject to the Privacy Rule), as well as standards for individuals' rights to understand and control how their health information is used.

Additional Resources