What is Considered Protected Health Information (PHI) Under HIPAA?

Although the College of Optometry’s HIPAA and Institutional Data Policy (IDP) training cycle was completed in September, it is always important to emphasize that HIPAA specifies 18 elements that, in part or in whole, may be considered PHI:

  • Names
  • Dates, except year
  • Telephone numbers
  • Geographic data
  • Fax numbers
  • Social Security numbers
  • Email addresses
  • Medical record numbers
  • Account numbers
  • Health plan beneficiary numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers including license plates
  • Web URLs
  • Device identifiers and serial numbers
  • Internet protocol addresses
  • Full face photos and comparable images
  • Biometric identifiers (e.g., retinal scan, fingerprints)
  • Any unique identifying number or code

Please consider the context of your data when working with any of the elements listed above, and be aware that you may be working with PHI. HIPAA is a complicated topic with many caveats. If you have any questions about whether you are working with PHI, or how you may appropriately handle and use PHI, please reach out to the college HIPAA Security Officer, Alex Vu, or the college HIPAA Privacy Officer, Cathy Beatty, and we would be happy to help you make a determination.

UC Berkeley has a more detailed resource on PHI in the context of research: https://cphs.berkeley.edu/hipaa/hipaa18.html. It is also worth noting that on June 2, the university issued a new Protected Health Information and HIPAA policy, which includes a new categorization and definition for Research Health Information (RHI): https://policies.osu.edu/assets/docs/policy_pdfs/Protected-Health-Information-HIPAA.pdf.