Health Insurance Portability and Accountability Act

Protected Health Information
PHI is any information pertaining to

the past, present, or future physical or mental health or condition of an individual;
the provision of health care to an individual; or
the past, present, or future payment for the provision of health care to an individual.

PHI may be information that is recorded electronically, on paper, or orally.
PHI may concern living people or dead people (referred to in the law as "decedents").
PHI does not include de-identified information or biological tissue with no accompanying information, such as an accession number or code number, that may be linked to an identifier.

Protected Health Information
There are three categories of health information. The authorization requirements for use are different for each.

Individually Identifiable Health Information (IIHI): includes any subset of health information, including demographic information collected from an individual, that:
- Is created or received by a health care provider, health plan, employer, or health care clearinghouse (an organization that codes health data);
- Relates to the past, present or future physical or mental health or condition, the past, present or future provision of care to an individual, or the past, present or future payment for the provision of health care to an individual; and,
- Identifies the individual (or there is a reasonable basis to believe that the information can be used to identify the individual.)
An authorization signed by the research subject is almost always required for the disclosure of individually identifiable health information.
De-Identified Information: Health information is considered de-identified when it does not identify an individual and the covered entity has no reasonable basis to believe that the information can be used to identify an individual. Information is considered de-identified if 18 identifiers are removed from the health information and if the remaining health information could not be used alone, or in combination, to identify a subject of the information. The identifiers include the following:
- names,
- geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code and equivalent geocodes, except for the initial three digits of a zip code if the geographic unit formed by combining all ZIP Codes with the same three initial digits contains more than 20,000 people
- all elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, and all ages over 89,
- telephone numbers,
- fax numbers,
- electronic mail addresses,
- Social Security numbers,
- medical record numbers,
- health plan beneficiary numbers,
- account numbers,
- certificate/license numbers,
- vehicle identifiers and serial numbers, including license plate numbers,
- device identifiers and serial numbers,
- Web Universal Resource Locator (URL),
- biometric identifiers, including finger or voice prints,
- full face photographic images and any comparable images,
- Internet Protocol address numbers
- any other unique identifying number characteristic or code
Limited Data Set: A limited data set is information disclosed by a covered entity to a researcher who has no relationship with the individual whose information is being disclosed. The covered entity is permitted to disclose PHI, with direct identifiers removed, subject to obtaining a data use agreement from the researcher receiving the limited data set. A data use agreement specifies permitted uses and disclosures, specifies who may use or receive the data set, restricts further use and disclosure, and restricts re-identification of the data or contact with the individuals.
Direct identifiers that must be removed from the information for a limited data set are:
- name,
- address information (other than city, State, and zip code),
- telephone and fax numbers,
- e-mail address,
- Social Security number,
- certificate/license number,
- vehicle identifiers and serial numbers,
- URLs and IP addresses,
- full face photos and other comparable images,
- medical record numbers, health plan beneficiary numbers, and other account numbers,
- device identifiers and serial numbers,
- biometric identifiers including finger and voice prints.
Identifiers that are allowed in the limited data set are:
- admission, discharge and service dates,
- birth date,
- date of death,
- age (including age 90 or over),
- geographical subdivisions such as state, county, city, precinct and five digit zip code.

requirements for authorization
The HIPAA regulations use the term "authorization" to describe the process through which a patient allows researchers to access protected health information. The authorization for disclosure and use of protected health information may be combined with the consent form that a research subject signs before agreeing to be in a study. It may also be a separate form.
In either case, the information must include:

a description of the information to be used for research purposes;
who may use or disclose the information
who may receive the information
purpose of the use or disclosure
expiration date or event (if the information will be kept indefinitely, the authorization states that there is no expiration date)
individual's signature and date
right to revoke authorization
right to refuse to sign authorization (if this happens, the individual may be excluded from the research and any treatment associated with the research)
if relevant, that the research subject's access rights are to be suspended while the clinical trial is in progress, and that the right to access PHI will be reinstated at the conclusion of the clinical trial.

Blanket authorizations for research to be conducted in the future are not permitted. Each new use requires a specific authorization.