Individually Identifiable Health Information

Before addressing the question, what is individually identifiable health information, it is important to define health information.

HIPAA says health information is any information created or received by a HIPAA-covered entity (healthcare provider, health plan, or healthcare clearinghouse) or business associate of a HIPAA-covered body.

Health information includes past, present, and future information regarding mental and physical health and the condition of a person, the provision of healthcare to an individual, and information related to payment for healthcare, again in the past, present, or future. Health information also incorporates demographic information about a person.

Individually identifiable health information is a subset of health information, and as the name implies, is health information that can be connected to a specific person, or if it would be reasonable to believe that a person could be identified from the information. (See 45 CFR 46.160.103).

The HIPAA Privacy Rule places limits on uses and disclosures of individually identifiable health information, but not on health data that does not allow an individual to be identified.

If a HIPAA-covered body has a data set containing individually identifiable health information, before the information can be sent to an organization or individual for a reason that would otherwise be forbidden under the HIPAA Privacy Rule, the data must first be de-identified.

De-identifying health information requires these 18 identifiers to be deleted from the data set prior to sharing:

  1. Complete name or last name and initial(s)
  1. Geographical identifiers at a level lower than a state, except the initial three digits of a zip code, provided the combination of all zip codes starting with those three digits. When the initial three digits of a zip code includes 20,000 or fewer people it is changed to 000
  2. Dates directly linked to an individual, other than year
  3. Contact Phone Numbers
  4. Fax number details
  5. Email addresses information
  6. Social Security specifics
  7. Medical record data
  8. Health insurance beneficiary numbers
  9. Account numbers and information
  10. Certificate/license numbers
  11. Vehicle identifying factors
  12. Device identifiers and serial numbers details;
  13. Web Uniform Resource Locators (URLs)
  14. IPs
  15. Biometric identifiers such as finger, retinal and voice prints
  16. Full face photographic images and any comparable pictures
  17. Any other unique identifying number, characteristic, or code apart from the unique code assigned by the investigator to code the data
About Thomas Brown
Thomas Brown worked as a reporter for several years on ComplianceHome. Thomas is a seasoned journalist with several years experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interest of patients, including areas such as data protection and innovations such as telehealth. Follow Thomas on X https://x.com/Thomas7Brown