HIPAA/PHI in Assignments


When you post an assignment that refers to your clinical experience with patients, you must remember that HIPAA privacy rules protect all information considered individually identifiable that is held in any format, including electronic and print format, and information that is transmitted (for example electronically or by mail).

Below is a list of 18 HIPAA Identifiers – each of them is considered personally identifiable information that is normally used to identify, contact, or locate a single person or can be used with other sources to reliably identify a single individual. When any part of this this information is used in health care setting or combined with diagnosis information, or with information about payment for healthcare services, it becomes Protected Health Information (PHI):

  • Name (including a part of it, e.g., actual name initials)
  • Address (all geographic subdivisions smaller than state, including street address, city county, and zip code)
  • All elements (except years) of dates related to an individual (including birthdate, admission date, discharge date, date of death, and exact age if over 89)
  • Telephone numbers
  • Fax number
  • Email address
  • Social Security Number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate or license number
  • Any vehicle or other device serial number
  • Web URL
  • Internet Protocol (IP) Address
  • Finger or voice print
  • Photographic image – Photographic images are not limited to images of the face.
  • Any other characteristic that could uniquely identify the individual

If your submission for any assignment contains any of these 18 identifiers, or even just parts of any single identifier, such as initials instead of full name, the data will be considered “identified,” and will constitute areportable HIPAA violationYou must take care to NEVER include any of this information (or any part of it) in course assignments or Typhon. Please note that once you upload a file to Canvas, or post something to a course, it can NOT be deleted.

To be considered “de-identified”, ALL of the 18 HIPAA Identifiers must be removed from your assignment before posting or uploading it. This includes all recordings (voice and video), and all photographic images, and screenshots of any electronic documentation. Note that HIPAA privacy rule protects individually identifiable health information of deceased individuals for 50 years following the date of death.

Please contact your instructor before submitting the assignment, if you have any doubts, and help us prevent HIPAA violations by carefully reviewing your assignments to verify that they do not contain any of the above information.

NOTE: This page has been adapted from Duke U. Medical School document “The 18 HIPAA Identifiers” retrieved on Jan. 18, 2018.