Before addressing the question, what is individually identifiable health information, it is important to define health information.
HIPAA says health information is any information created or received by a HIPAA-covered entity (healthcare provider, health plan, or healthcare clearinghouse) or business associate of a HIPAA-covered body.
Health information includes past, present, and future information regarding mental and physical health and the condition of a person, the provision of healthcare to an individual, and information related to payment for healthcare, again in the past, present, or future. Health information also incorporates demographic information about a person.
Individually identifiable health information is a subset of health information, and as the name implies, is health information that can be connected to a specific person, or if it would be reasonable to believe that a person could be identified from the information. (See 45 CFR 46.160.103).
The HIPAA Privacy Rule places limits on uses and disclosures of individually identifiable health information, but not on health data that does not allow an individual to be identified.
If a HIPAA-covered body has a data set containing individually identifiable health information, before the information can be sent to an organization or individual for a reason that would otherwise be forbidden under the HIPAA Privacy Rule, the data must first be de-identified.
De-identifying health information requires these 18 identifiers to be deleted from the data set prior to sharing:
- Complete name or last name and initial(s)
- Geographical identifiers at a level lower than a state, except the initial three digits of a zip code, provided the combination of all zip codes starting with those three digits. When the initial three digits of a zip code includes 20,000 or fewer people it is changed to 000
- Dates directly linked to an individual, other than year
- Contact Phone Numbers
- Fax number details
- Email addresses information
- Social Security specifics
- Medical record data
- Health insurance beneficiary numbers
- Account numbers and information
- Certificate/license numbers
- Vehicle identifying factors
- Device identifiers and serial numbers details;
- Web Uniform Resource Locators (URLs)
- Biometric identifiers such as finger, retinal and voice prints
- Full face photographic images and any comparable pictures
- Any other unique identifying number, characteristic, or code apart from the unique code assigned by the investigator to code the data