Protected Health Information (PHI)
Electronic Protected Health Information (ePHI) is patient health information that is computer based, i.e., created, received, stored or maintained, processed and/or transmitted in electronic media. Electronic media includes computers, laptops, CDs/DVDs/disks, memory sticks, smartphones, PDAs, servers, networks, dial-up modems, email, websites, etc.
ePHI management is covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The HIPAA Privacy and Security Rules mandate protection and safeguards for the access, use and disclosure of PHI and/or ePHI, with sanctions for violations.
A patient's health information can be shared if it is de-identified, meaning all of the identifying information has been removed. De-identification must follow the HIPAA Privacy Rule's standard of de-identification.
Examples
The following individually identifiable data elements, when combined with health information about that person, make such information protected health information (PHI):
- Names
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Patient demographic data, e.g., address, date of birth, date of death, sex, e-mail / web address
- Dates of service, e.g., date of admission, discharge
- Medical records, reports, test results, appointment dates
- Medical information, history, mental or physical condition, treatment or diagnosis by a healthcare professional
- Health insurance information, policy number or subscriber ID number, unique identifier, any information in an application and claims history, including any appeals records
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full-face photographic images
- Any other unique identifying number, characteristic, code, or combination that allows identification of an individual
However, health information that does not include individually identifiable data elements is not PHI. For example, symptoms listed with a patient's age and no other information are not considered PHI.
Laws/Regulations/Policies
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Health Information Technology for Economic and Clinical Health (HITECH) Act
- California Information Practices Act (California Civil Code 1798.29)
- UCOP Health Insurance Portability and Accountability Act (HIPAA) Website
- IS-3 Electronic Information Security Policy
- Electronic Communications Policy (ECP)
- IT-0001: HIPAA Security Rule Compliance Policy
Additional Resources
- UCSC Office of Research - IRB and HIPAA website
- UCSC ITS HIPAA Security Rule Implementation
- UCSC Student Health Center Health Information Management
- U.S. Dept of Health HIPAA website
- U.S. Dept of Health HIPAA Privacy Rule's standard of de-identification