Protected health information (PHI) is any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment. In other words, the information would still be considered identifiable is there was a way to identify the individual even though all of the 18 identifiers were removed.In contrast, some research studies use data that is person-identifiable because it includes personal identifiers such as name, address, but it is not considered to be PHI because the data are not associated with or derived from a healthcare service event (treatment, payment, operations, medical records) not entered into the medical records, nor will the subject/patient be informed of the results.Research health information that is kept only in the researcher’s records is not subject to HIPAA but is regulated by other human subjects protection regulations. All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older; 4. However, HIPAA only affects research that uses, creates, or discloses PHI that will be entered in to the medical record or will be used for healthcare services, such as treatment, payment or operations. HIPAA regulations allow researchers to access and use PHI when necessary to conduct research.
For example, PHI is used in research studies involving review of existing medical records for research information, such as retrospective chart review.PHI is anything that can be used to identify an individual such as private information, facial images, fingerprints, and voiceprints.These can be associated with medical records, biological specimens, biometrics, data sets, as well as direct identifiers of the research subjects in clinical trials.For example, a dataset of vital signs by themselves do not constitute protected health information.However, if the vital signs dataset includes medical record numbers, then the entire dataset must be protected since it contains an identifier.