Information pertaining to specific individuals is protected by the Health Insurance Portability and Accountability Act (HIPAA). Data that is protected in this context should be treated carefully. If data has any of the identifying characteristics elaborated on below, special issues may arise with transferring the data and with the analyst's permissions to view and/or store it. Please discuss de-identification options with your biostatistician to mitigate these issues.
PHI Definitions (COMIRB guidelines)
Protected health information (PHI) is any data which, when combined with one or more data elements or commonly available information, could be used to identify a person. PHI does not include de-identified information which does not identify an individual and for which there is no reasonable basis to believe that information could be used to identify an individual.
Information which may be protected includes, but is certainly not limited to:
- Postal address (to a location smaller than state)
- All elements of dates, except year, for dates directly related to an individual (including birth date, admission date, discharge date, and date of death), as well as ages greater than 89 (which may be aggregated into a single category of 90 and older)
- Phone/Fax Number
- Email addresses
- Social Security Number
- Medical Record Number
- Health plan number
- Account numbers
- Certificate/license numbers
- URL addresses
- IP addresses
- Vehicle identifiers
- Device ID
- Biometric ID
- Full face (or other identifying photo)
- Any other unique identifying number, characteristic, or code
It should be noted that HIPAA regulations also apply to deceased individuals.