Privacy Rule & Protected Health Information (PHI)

Privacy Rule & PHI in Research

What is PHI?

Protected health information (PHI) is any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment. HIPAA regulations allow researchers to access and use PHI when necessary to conduct research. However, HIPAA only affects research that uses, creates, or discloses PHI that will be entered in to the medical record or will be used for healthcare services, such as treatment, payment or operations.

For example, PHI is used in research studies involving review of existing medical records for research information, such as retrospective chart review. Also, studies that create new medical information because a health care service is being performed as part of research, such as diagnosing a health condition or a new drug or device for treating a health condition, creating PHI that will be entered into the medical record. For example, sponsored clinical trails that submit data to the U.S. Food and Drug Administration involve PHI and are therefore subject to HIPAA regulations.

What is not PHI?

In contrast, some research studies use data that is person-identifiable because it includes personal identifiers such as name, address, but it is not considered to be PHI because the data are not associated with or derived from a healthcare service event (treatment, payment, operations, medical records) not entered into the medical records, nor will the subject/patient be informed of the results. Research health information that is kept only in the researcher’s records is not subject to HIPAA but is regulated by other human subjects protection regulations.

Examples of research health information not subject to HIPAA include such studies as the use of aggregate data, diagnostic tests that do not go into the medical record because they are part of a basic research study and the results will not be disclosed to the subject, and testing done without the PHI identifiers. Some genetic basic research can fall into this category such as the search for potential genetic markers, promoter control elements, and other exploratory genetic research. In contrast, genetic testing for a known disease that is considered to be part of diagnosis, treatment and health care would be considered to use PHI and therefore subject to HIPAA regulations.

Also note, health information by itself without the 18 identifiers is not considered to be PHI. For example, a dataset of vital signs by themselves do not constitute protected health information. However, if the vital signs dataset includes medical record numbers, then the entire dataset must be protected since it contains an identifier. PHI is anything that can be used to identify an individual such as private information, facial images, fingerprints, and voiceprints. These can be associated with medical records, biological specimens, biometrics, data sets, as well as direct identifiers of the research subjects in clinical trials.

There are 18 HIPAA identifiers

  1. Names
  2. All geographical subdivisions smaller than a state; including street address, city, county, precinct, and zip code
  3. All elements of date (except year), including date of birth, ages > 89 years, and other dates such as diagnosis dates, procedure dates, admission or discharge dates
  4. Telephone numbers
  5. Fax numbers
  6. Email addresses
  7. Social security numbers
  8. Medical record numbers
  9. Health plan numbers
  10. Account numbers
  11. Certificate or license numbers
  12. Vehicle identifiers, serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. URLs
  15. IP address numbers
  16. Biometric identifiers, including finger and voice prints
  17. Full face photographic images (or comparable images)
  18. Any other unique identifying number, characteristic, or code (not unique code assigned by an investigator to code the data)

There are also additional standards and criteria to protect individual's privacy from re-identification. Any code used to replace the indentifiers in datasets cannot be derived from any information related to the individual or mast codes, nor can the method to derive the codes be disclosed. For example, a subject's initials cannot be used to code their data because the initials are derived from their name.