3

Can a person's name, date of birth and proprietary ID be considered as PHI?

Ex: Joe Doe, 11/25/1955, 45698745236.

schroeder
mxarun

3 Answers

4

Yes, they can - but not only due to name and DOB. Those alone only constitute personally identifiable information (PII).

However, combined with a unique identifier that can be used to link to health information, the data set could be classified as protected health information (PHI). For example, if the proprietary ID is a primary key that links tables in a database (housing PHI), then the combination is PHI. HIPAA states PHI may be but is not limited to 18 different identifiers, including:

Unique identifying number, characteristic, or code - This is considered PHI when the assigned code can potentially be linked to individually identifiable health information

Reference: https://www.unthsc.edu/research/protection-of-human-subjects/hippa-guidelines-and-templates/which-identifiers-are-considered-protected-health-information-phi/

I've found best practice is to eliminate as much health-related information as possible and replace DOB with another unique identifier (e.g. masked phone number or email). A good idea in this case is to use only the name and masked phone (e.g. Joe Doe, '''-'''-1234), but that may depend on the use case.

7YR43L
3

No. Name, date of birth, and a unique identifier, in isolation, do not constitute protected health information because they do not meet the definition of "health information" as defined in the Health Insurance Portability and Accountability Act of 1996, Pub.L. 104–191, 110 Stat. 1936, § 262(a)(4):

(4) Health information.--The term 'health information' means any information, whether oral or recorded in any form or medium, that--

(A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and

(B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

schroeder
khaullen
2

Yes. Specifically the name and date of birth. I'm unsure what you mean by proprietary ID. If you mean their health insurance account number or something similar, this is included as well.

You can find a full guideline on HIPAA's website, HIPPA - What protected health information does PHI include?

  • 1
    What I meant by ID is not an account number but an internal ID for the patient. It wouldn't mean anything to anyone outside the company, just a bunch of numbers. – mxarun Nov 13 '15 at 00:52
  • 1
    Internal IDs are acceptable as long as they do not contain any PHI for whatever reason. – Nov 13 '15 at 00:53