PHI: The 18 Identifiers & De-Identification
Duration: 55 min · Level: Intermediate · Module: 5. HIPAA Privacy Rule · Focus: PHI, 18-identifiers, de-identification, HIPAA, privacy
By the end of this lesson you will be able to explain and apply:
- Why PHI requires two elements (health information plus identifiability)
- The 18 PHI identifiers
- De-identification method 1: Safe Harbor
- De-identification method 2: Expert Determination
- PHI in email
You will then consolidate these ideas in the hands-on lab below.
Why this matters
Whether a data element counts as PHI decides whether HIPAA applies to it at all. The 18 identifiers are the test you apply, and data that passes one of the two de-identification methods leaves the HIPAA perimeter entirely, so getting the classification right is the first step in any decision about storing, sharing or emailing health data.
Overview
Protected Health Information (PHI) is individually identifiable health information held by a covered entity or business associate. The HIPAA Privacy Rule's Safe Harbor method lists exactly 18 categories of identifiers that make health information "individually identifiable". Remove all 18, and have no actual knowledge that what remains could identify anyone, and the result is de-identified data, which the Privacy Rule no longer covers. Expert Determination is the alternative route to the same status.
Key concepts
- PHI requires two elements: (1) it relates to an individual's past, present or future health, the care provided, or payment for that care, AND (2) it identifies the individual or could reasonably be used to identify them; both must hold, and the information must be held by a covered entity or business associate
- The 18 PHI identifiers: names; geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code); all elements of dates except year that relate directly to the individual (birth, admission, discharge, death dates), plus any age over 89, which must be aggregated into a single "90 or older" category; phone numbers; fax numbers; email addresses; Social Security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate or license numbers; vehicle identifiers and serial numbers, including license plates; device identifiers and serial numbers; web URLs; IP addresses; biometric identifiers such as finger and voice prints; full-face photographs and comparable images; any other unique identifying number, characteristic or code
- De-identification method 1, Safe Harbor: remove all 18 identifiers AND have no actual knowledge that the remaining information could identify anyone. ZIP codes may be kept as their first three digits only when the area sharing those three digits contains more than 20,000 people; otherwise the three digits must be replaced with 000
- De-identification method 2, Expert Determination: a qualified expert (someone with appropriate statistical and scientific knowledge and experience) applies accepted methods, documents the analysis, and determines that the risk of re-identification is very small; more flexible than Safe Harbor, but it requires a qualified expert and a documented methodology, not a checklist
- Limited data set: PHI from which the 16 direct identifiers (names, street address, phone, fax, email, SSN, medical record, health plan, account and license numbers, vehicle and device identifiers, URLs, IP addresses, biometrics, full-face photos) have been removed but dates, ages, and city, state and ZIP remain; it is still PHI and may be used only for research, public health or health care operations under a data use agreement
- PHI in email: email is permitted. A patient who has been warned of the risks of unencrypted email and still asks for it may receive PHI that way (document the choice); otherwise reasonable safeguards apply. Under the Security Rule, encryption of ePHI in transit is an addressable specification: encrypt by default, or document why an equivalent measure is reasonable. Many organizations route patient communication through a secure messaging portal (for example MyChart messages) instead of ordinary email
- Incidental disclosures: HIPAA permits incidental disclosures (such as another patient overhearing a conversation) as long as reasonable safeguards are in place; a verbal confirmation at a nurses' station does not violate HIPAA if reasonable precautions were taken
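The email rule above is usually enforced at the mail gateway: scan the outbound body for identifier patterns and route anything that hits through an encrypted channel unless the patient's documented choice says otherwise. The following is an added example written for this lesson, not code from the original page or from any product it mentions; the regexes, the "MRN-" record-number format, the sample messages and the routing policy are all constructed assumptions to be replaced with the organization's own formats and policy.

```python
"""Identifier scan for outbound email, with an encryption-routing decision.

Added example, not part of the original lesson. The regexes, the in-house
MRN format, the sample messages and the routing policy are constructed
assumptions; tune them to the organization's own record formats.
"""
import re

# Patterns for direct identifiers commonly leaked in free text. The MRN format
# ("MRN-" plus 6 to 10 digits) is an assumed in-house convention.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-.\s]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "mrn": re.compile(r"\bMRN-\d{6,10}\b"),
    "date": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/\d{4}\b"),
}


def scan_identifiers(body: str) -> dict:
    """Map identifier category -> list of matches found in the message body."""
    hits = {}
    for category, pattern in PATTERNS.items():
        found = pattern.findall(body)
        if found:
            hits[category] = found
    return hits


def outbound_decision(body: str, channel: str,
                      patient_accepted_risk: bool = False) -> str:
    """Decide how to route a message (assumed policy, not HIPAA text).

    channel: "portal" or "smime" (encrypted end to end) or "smtp" (plain or
    opportunistic TLS only, which is not a guarantee of encryption).
    """
    hits = scan_identifiers(body)
    if not hits or channel in ("portal", "smime"):
        return "deliver"
    if patient_accepted_risk:
        # Patient was warned about unencrypted email and still asked for it;
        # that choice must be documented before this flag is ever set.
        return "deliver-unencrypted"
    return "redirect-to-portal"


# Constructed sample messages.
PHI_BODY = ("Hello, your results for MRN-0048213 from the 03/14/2024 visit "
            "are ready. Call 555-123-4567 with questions.")
CLEAN_BODY = "Reminder: the clinic closes early on Friday this week."

if __name__ == "__main__":
    for body in (PHI_BODY, CLEAN_BODY):
        print(scan_identifiers(body), outbound_decision(body, "smtp"))
```

Two caveats a gateway rule like this cannot see: the recipient address is itself identifier number 6, so a message carrying any health content to a patient's personal mailbox is PHI even when the body matches nothing above, and free-text diagnoses or quasi-identifier combinations (age plus small town plus rare condition) are invisible to pattern matching. Use the scan to catch obvious leaks, and key the routing policy on recipient class as well.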
Hands-on lab
Review 10 sample data elements and classify each as: (a) PHI, naming which of the 18 identifiers applies; (b) de-identified data, safe to use without HIPAA restrictions; or (c) a limited data set, usable only under a data use agreement. Include at least: patient name + diagnosis; age 67 + ZIP 90210 + lung cancer; IP address + login time; death date + cause of death. For each element that is not already de-identified, note what Safe Harbor would have to remove or generalize.
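The Safe Harbor rules from the key concepts (drop the direct identifiers, reduce dates to the year, cap ages at "90 or older", truncate ZIP codes to three digits or 000) and the three-way classification the lab asks for can both be expressed as a small program. The block below is an added example written for this lesson, not code from the original page; the field names, the sample records and the assumption that every record comes from a clinical system (so the health-information half of the PHI test is already met) are constructed for illustration.

```python
"""Safe Harbor de-identification and PHI vs limited-data-set classification.

Added example, not part of the original lesson. The field names, the sample
records and the assumption that each record comes from a clinical system (so
the health-information element of the PHI test is already met) are assumptions.
"""
from datetime import date

# 3-digit ZIP prefixes covering 20,000 people or fewer; Safe Harbor requires
# these to become "000". List as published in HHS guidance (2000 Census data);
# refresh it from current census tables before relying on it.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Direct identifiers: any one of these makes a record PHI, and a limited data
# set must exclude all of them (constructed field names for illustration).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo",
}
# Geography below state level: a limited data set may keep it, Safe Harbor
# must drop it (ZIP is generalized rather than dropped).
GEO_BELOW_STATE = {"zip", "city", "county"}


def _is_date_field(field: str) -> bool:
    return field.endswith("_date")


def generalize_zip(zip5: str) -> str:
    """Keep the first three ZIP digits unless that 3-digit area is restricted."""
    zip3 = zip5[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def classify(record: dict) -> str:
    """Return 'PHI', 'limited data set' or 'de-identified' for a record."""
    fields = set(record)
    if fields & DIRECT_IDENTIFIERS:
        return "PHI"
    age = record.get("age")
    over_89 = isinstance(age, int) and age > 89
    if fields & GEO_BELOW_STATE or any(map(_is_date_field, fields)) or over_89:
        return "limited data set"
    # Safe Harbor also demands no actual knowledge that the remaining fields
    # could identify someone; that judgement cannot be made from field names.
    return "de-identified"


def safe_harbor(record: dict) -> dict:
    """Apply the Safe Harbor transformations and return a new record."""
    age = record.get("age")
    over_89 = isinstance(age, int) and age > 89
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field in GEO_BELOW_STATE - {"zip"}:
            continue  # removed outright
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field == "age":
            out["age"] = "90+" if over_89 else value  # ages over 89 aggregate
        elif _is_date_field(field):
            if field == "birth_date" and over_89:
                continue  # even the year would reveal an age over 89
            out[field[:-5] + "_year"] = value.year  # keep the year only
        else:
            out[field] = value
    return out


# Constructed lab records: the four the lesson names plus one edge case.
SAMPLES = {
    "name + diagnosis": {"name": "Jane Roe", "diagnosis": "lung cancer"},
    "age 67 + ZIP 90210 + lung cancer": {"age": 67, "zip": "90210",
                                          "diagnosis": "lung cancer"},
    "IP address + login time": {"ip_address": "203.0.113.7",
                                "login_date": date(2024, 3, 1)},
    "death date + cause": {"death_date": date(2023, 11, 4),
                           "cause_of_death": "myocardial infarction"},
    "age 92 + ZIP 03601 + birth date": {"age": 92, "zip": "03601",
                                        "birth_date": date(1931, 5, 2),
                                        "diagnosis": "hip fracture"},
}

if __name__ == "__main__":
    for label, rec in SAMPLES.items():
        cleaned = safe_harbor(rec)
        print(f"{label}: {classify(rec)} -> after Safe Harbor "
              f"{classify(cleaned)}: {cleaned}")
```

Running it shows the distinction the lab is after: "age 67 + ZIP 90210 + lung cancer" is a limited data set as given (the full ZIP is an identifier) but becomes de-identified once the ZIP is cut to 902; "death date + cause" behaves the same way through year-only dates; the IP address record is PHI until the address is removed; and the age-92 record needs three separate transformations, including dropping the birth year that a reader would otherwise use to recover the age.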
Check your understanding
Try to recall each answer before expanding it.
Q1. What two elements must both be present for information to be PHI?
(1) it relates to an individual's past, present or future health, the care provided, or payment for that care, AND (2) it identifies the individual or could reasonably be used to identify them; the information must also be held by a covered entity or business associate
Q2. What are the 18 PHI identifiers listed by the Safe Harbor method?
names; geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code); all elements of dates except year that relate directly to the individual (birth, admission, discharge, death), plus any age over 89 (aggregated to "90 or older"); phone numbers; fax numbers; email addresses; Social Security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate or license numbers; vehicle identifiers and serial numbers, including license plates; device identifiers and serial numbers; web URLs; IP addresses; biometric identifiers such as finger and voice prints; full-face photographs and comparable images; any other unique identifying number, characteristic or code
Q3. How does de-identification method 1, Safe Harbor, work?
Remove all 18 identifiers AND have no actual knowledge that the remaining information could identify anyone. The first three digits of a ZIP code may be kept only when the area sharing those digits has more than 20,000 people; otherwise they become 000
Q4. How does de-identification method 2, Expert Determination, work?
A qualified expert with appropriate statistical and scientific knowledge applies accepted methods, documents the analysis, and determines that the risk of re-identification is very small; more flexible than Safe Harbor, but it requires a qualified expert and a documented methodology
Q5. When may PHI be sent by email, and what safeguards apply?
Email is permitted. A patient who has been warned of the risks of unencrypted email and still asks for it may receive PHI that way, with the choice documented; otherwise reasonable safeguards apply. Encryption of ePHI in transit is an addressable Security Rule specification, so encrypt by default or document why an equivalent measure is reasonable. Many organizations use a secure messaging portal (for example MyChart messages) instead of ordinary email
Next: C5.2 Patient Rights Under HIPAA — All Six Rights →
Part of Module 5: HIPAA Privacy Rule.