1.4 · HIPAA Basics
What Counts as Protected Health Information
Protected Health Information is the type of data HIPAA actually protects. Knowing exactly what counts and what does not is essential, because everything else in compliance hinges on this question. The same field can be regulated or unregulated depending on what else sits next to it on the page.
The definition
Protected Health Information is any information that satisfies both of the following:
- It identifies a specific person.
- It relates to that person’s past, present, or future physical or mental health, the provision of healthcare to them, or the payment for that care.
The identifying part is the trigger. A diagnosis on its own, with no name attached, is not Protected Health Information. A diagnosis on a page that also carries a name, a date of birth, or any of the other identifiers below becomes Protected Health Information the moment those two things appear together. Strip every identifier and what remains is no longer regulated.
The eighteen identifiers (HIPAA Safe Harbor)
HIPAA enumerates eighteen specific identifiers in its Safe Harbor de-identification rule. If a piece of data carries any of these and is tied to health information, it is Protected Health Information. If you remove all eighteen, the remainder is considered de-identified and can be used without the restrictions HIPAA places on Protected Health Information.
| # | Identifier | What it covers |
|---|---|---|
| 1 | Names | First, last, nickname, family member names. |
| 2 | Geographic detail smaller than a state | Street, city, county, ZIP code under specific conditions. |
| 3 | Dates tied to an individual | Birth, admission, discharge, death, and all ages over 89. |
| 4 | Phone numbers | Mobile, landline, fax. |
| 5 | Email addresses | Parent, learner, caregiver. |
| 6 | Social Security numbers | Any portion. |
| 7 | Medical record numbers | MRN, chart number, intake number. |
| 8 | Health plan beneficiary numbers | Medicaid recipient ID, commercial member ID. |
| 9 | Account numbers | Billing account, payment plan. |
| 10 | Certificate or license numbers | Driver license, professional license tied to a patient. |
| 11 | Vehicle identifiers | Plate numbers, VIN if tied to a patient. |
| 12 | Device identifiers and serials | Communication device, AAC device, sensor. |
| 13 | Web URLs | Patient portal links containing identifiers. |
| 14 | IP addresses | Logged sessions tied to a patient. |
| 15 | Biometric identifiers | Fingerprints, voiceprints, facial geometry. |
| 16 | Full-face photos and comparable images | Therapy photos, intake photos. |
| 17 | Any other unique identifier | Internal codes that, with effort, point back to a person. |
| 18 | Genetic information | Family history, genetic test results. |
A working test
Before you put anything into this software, ask two questions:
- Does this identify a specific person?
- Does this relate to their care or its payment?
If both answers are yes, treat the data as Protected Health Information. If you are uncertain about either, treat it as Protected Health Information until proven otherwise. The cost of being too cautious is small. The cost of being wrong in the other direction is a breach.
Examples that matter for ABA
These come up often in ABA consulting, and the verdict is not always obvious.
| Example | Verdict | Why |
|---|---|---|
| Photo of a child on a clinic’s social media | Protected Health Information | Identifying (face) plus context (the clinic provides ABA care). Allowed only with a specific HIPAA-compliant release on file. |
| Parent email mentioning the child by name and describing a behavior | Protected Health Information | Identifying (name) plus relation to care (the behavior is the subject of therapy). |
| Spreadsheet of learners by initials and progress score | Treat as Protected Health Information | Initials can identify when paired with other context (clinic location, dates). |
| De-identified case study used for training | Not Protected Health Information | Every identifier on the list has been removed and the case cannot be re-identified through context. |
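An added example, not code from the original page, that turns the two-question working test and the Safe Harbor list into a small Python screening check and runs it over constructed records that mirror the verdicts in the table above. The field names, the regex patterns, and the choice of which identifiers to pattern-match are my assumptions; the patterns cover only a handful of the eighteen identifiers.

```python
import re

# Regexes for a few of the eighteen Safe Harbor identifiers that hide inside free
# text. Patterns and field names here are assumptions, not the rule's wording.
SAFE_HARBOR_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
    "mrn": re.compile(r"\bMRN[- ]?\d+\b", re.IGNORECASE),
}
# Structured fields that identify a person. Initials are included on purpose:
# the text says to treat them as identifying once paired with other context.
IDENTIFYING_FIELDS = {"name", "initials", "dob", "email", "phone", "mrn", "address"}
# Structured fields that relate to care or to payment for care.
HEALTH_FIELDS = {"diagnosis", "treatment", "behavior", "progress_score", "billing", "session_notes"}

def find_identifiers(record):
    """Question 1: does this record identify a specific person? Returns what matched."""
    found = set()
    for field, value in record.items():
        if value in (None, ""):
            continue
        if field in IDENTIFYING_FIELDS:
            found.add(field)
        for label, pattern in SAFE_HARBOR_PATTERNS.items():
            if pattern.search(str(value)):
                found.add(label)
    if isinstance(record.get("age"), int) and record["age"] > 89:
        found.add("age_over_89")  # identifier 3: every age over 89 counts
    return found

def relates_to_care(record):
    """Question 2: does this record relate to care or its payment?"""
    return any(record.get(f) not in (None, "") for f in HEALTH_FIELDS)

def classify(record):
    """The working test: both answers yes means PHI; uncertain identifiers still count."""
    identifiers = find_identifiers(record)
    if not relates_to_care(record):
        return "not health data", identifiers
    return ("PHI" if identifiers else "de-identified"), identifiers

# Constructed sample records mirroring the page's examples (not real data).
SAMPLE_RECORDS = [
    {"name": "J. Doe", "session_notes": "Elopement observed twice this session."},
    {"initials": "JD", "progress_score": 72},
    {"diagnosis": "Autism spectrum disorder", "treatment": "ABA, 20 hrs/week"},
    {"session_notes": "Call 555-123-4567 about the 03/14/2024 billing question."},
]
```

Because the patterns cover only some of the eighteen identifiers, a "de-identified" result from this check flags a record as worth a closer look, not as proven de-identified under Safe Harbor; the conservative direction the text recommends is to keep treating it as Protected Health Information until a human review confirms every identifier is gone.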