What is not considered PHI?
Health information is not protected health information if it is de-identified. De-identified information may be used
without restriction and without patient authorization. The de-identification standard provides two methods for
which health information can be designated as de-identified. The first method requires the removal of all 18
identifying data elements listed in the regulations (see Appendix 1 for a list of the 18 data elements). If the
resulting information cannot be used to identify the individual, then it is no longer PHI. The second method
requires an expert to document their determination that the information is not individually identifiable (“Expert
1. Names
2. All geographic subdivisions smaller than a state, except for the initial three digits of the zip code if the
geographic unit formed by combining all zip codes with the same three initial digits contains more than
20,000 people
3. All elements of dates, except year, and all ages over 89 or elements indicative of such age *
4. Telephone numbers
5. Fax numbers
6. Email addresses
7. Social security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate or license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) addresses
16. Biometric identifiers, including finger and voice prints
17. Full face photographs and any comparable images
18. Any other unique, identifying number, characteristic, or code, except as permitted for re- identification in
the Privacy Rule *
* Data elements that are allowed in a Limited Data Set
Health Information.
are no restrictions on the use or disclosure of de-identified health
14 De-identified
health information neither identifies nor provides a reasonable basis
to identify an individual. There are two ways to de-identify
information; either: (1) a formal determination by a qualified
statistician; or (2) the removal of specified identifiers of the
individual and of the individual’s relatives, household members,
and employers is required, and is adequate only if the covered entity
has no actual knowledge that the remaining information could be used
to identify the individual.


Leave a Comment