PII and PHI: 18 Identifiers
Learn about the personally identifiable information (PII) and protected health information (PHI) data identifiers covered by federal and state laws.
Background
Federal privacy laws (HIPAA1, HITECH 2) focus on personally identifiable protected health information (PHI) with 18 specific identifiers (see list below).
# | HIPAA PHI | Long Description of HIPAA PHI |
---|---|---|
1 | Names | First name, last name |
2 | Zip Code | All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000. |
3 | Dates MM/DD/YYYY | All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older. Examples: DOS = Date of service; DOB = Date of birth; DOD = Date of death |
4 | Phone numbers | Telephone numbers |
5 | Fax numbers | Fax numbers |
6 | E-mail address | Electronic mail addresses |
7 | SSNs | Social Security Numbers |
8 | MRN numbers | Medical record numbers |
9 | Insurance ID #s | Health plan beneficiary numbers |
10 | Account #s | Account numbers, e.g., financial account number, credit card number, debit card number |
11 | Certificate / License #s | Certificate / license numbers. Examples: Passport ID number, driver’s license ID number. |
12 | Serial #s | Vehicle identifiers and serial numbers, including license plate numbers |
13 | Device #s | Device identifiers and serial numbers. Example: medical device serial number. |
14 | URL | Web Universal Resource Locators (URLs) |
15 | IP address | Internet Protocol (IP) address numbers |
16 | Biometrics | Biometric identifiers, including finger and voice prints |
17 | Photos | Full face photographic images and any comparable images |
18 | Other | Any other unique identifying number, characteristic or code (excluding a random identifier code for an individual that is not related to or derived from any existing identifier) |
California PII: California’s privacy laws protect the confidentiality of personally identifiable information (PII) which includes medical / health information. Personally Identifiable Information” (PII) is defined as an individual’s first name or first initial, and last name, in combination with any one or more of the following: SSN, driver’s license number, financial account number, medical information or health insurance information. Refer to page 2 for complete definitions.
Definitions
- "Protected Health Information" (PHI) is defined by HIPAA as Information that (i) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse," and (ii) "relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual," and (iii) with respect to which there is a reasonable basis to believe the information can be used to identify the patient, (iv) does not constitute an "educational record" or "treatment record" under FERPA, and (v) is not maintained solely due to an employment relationship. Protected health information includes many common identifiers (e.g., name, address, birth date, Social Security Number) when they can be associated with the health information listed above. [Federal Privacy Laws: HIPAA and HITECH Privacy Laws]
- “Personally Identifiable Information” (PII) is defined by California law as an individual’s first name or first initial, and last name, in combination with any one or more of the following: [California SB1386, AB12983]
- Social security number
- Driver’s license number or California Identification card number
- Financial account number, credit card number or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account
- Medical information (any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional)
- Health insurance information (an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including appeals records)
- Information collected / available online: Username, email address, password, a security question and answer that would permit access to an account. [Expansion of data breach laws, AB370, SB46, eff. 1/1/2014]
- De-identification of PHI: Removal of certain identifiers so that the individual who is the subject of the PHI may no longer be identified. Application of a statistical method or stripping of listed identifiers, such as: names, geographic subdivisions (less than state); all elements of dates; and SSNs. [45 CFR 164.514(a)(b)]
- HHS.Gov, “Guidance Regarding Methods for De-Identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. http://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html
1 Health Insurance Portability & Accountability Act of 1996 (HIPAA)
2 Health Information Technology for Economic and Clinical Health (HITECH) Act passed as part of the American Recovery & Reinvestment Act of 2009 (ARRA)
3 The law applies to any person, business, or state agency that conducts business in California and owns or licenses unencrypted computerized data that includes personally identifiable information. http://www.leginfo.ca.gov/pub/07-08/bill/asm/ab_1251-1300/ab_1298_bill_20071014_chaptered.html. California Online Protection Act (AB370) and SB46 expands California’s data breach law, eff. 1/1/2014: Information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision.