ISU maintains “individually identifiable health information” in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (45 CFR Parts 160, 162, and 164). According to HIPAA, ISU is a “Hybrid Entity” which means it has specific areas, i.e., ISU health care clinics, designated to comply with the Rule. Other ISU units may have access to and/or receive certain health information and also have responsibilities under HIPAA, (for example, those units performing research and education).

The HIPAA Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).” The Security Rule calls this information “electronic protected health information (EPHI).” The Security Rule also extends to individual remote use of EPHI such as: (1) the use of portable media/devices (such as USB flash drives) that store EPHI; and (2) offsite access or transport of EPHI via laptops, personal digital assistants (PDAs), home computers, or other non corporate equipment. (See Security Guidance at: http://www.cms.hhs.gov/SecurityStandard/Downloads/SecurityGuidanceforRemoteUseFinal122806.pdf)

“Individually identifiable health information” is information, including demographic data, that relates to:

·         the individual’s past, present or future physical or mental health or condition,

·         the provision of health care to the individual, or

·         the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual.



Individually identifiable health information includes many common identifiers, for example:

a. Names;

b. All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census the geographic unit formed by combining all zip codes with the same three initial digits contains more  than 20,000 people, and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000; 

c. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;

d. Telephone numbers;

e. Fax numbers;

f. Electronic mail addresses;

g. Social security numbers;

h. Medical record numbers;

i. Health plan beneficiary numbers;

j. Account numbers;

k. Certificate/license numbers;

l. Vehicle identifiers and serial numbers, including license plate numbers;

m. Device identifiers and serial numbers;

n. Web Universal Resource Locators (URLs);

o. Internet Protocol (IP) address numbers;

p. Biometric identifiers, including finger and voice prints;

q. Full face photographic images and any comparable images; and

r. Any other unique identifying number, characteristic, or code that is derived from or related to information about the individual.

s. Referral numbers – such as interoffice referrals, healthy connection referrals etc.

The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.


Permitted Uses and Disclosures. A covered entity is permitted, but not required, to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations: (1) To the Individual (unless required for access or accounting of disclosures); (2) Treatment, Payment, and Health Care Operations; (3) Opportunity to Agree or Object; (4) Incident to an otherwise permitted use and disclosure; (5) Public Interest and Benefit Activities; and (6) Limited Data Set for the purposes of research, public health or health care

operations.18 Covered entities may rely on professional ethics and best judgments in deciding which of these permissive uses and disclosures to make.


De-Identified Health Information. There are no restrictions on the use or disclosure of de-identified health information. De-identified health information neither identifies nor provides a reasonable basis to identify an individual. There are two ways to de-identify information; either: 1) a formal determination by a qualified statistician; or 2) the removal of specified identifiers of the individual and of the individual’s relatives, household members, and employers is required, and is adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual.


(See “Summary of the Privacy Rule” at http://www.hhs.gov/ocr/privacysummary.pdf, the OGC Web site’s “Health Programs Guide,” or contact the HIPAA Privacy and Security Officer. See Security Guidance at: http://www.cms.hhs.gov/SecurityStandard/Downloads/SecurityGuidanceforRemoteUseFinal122806.pdf and http://www.cms.hhs.gov/EducationMaterials/04_SecurityMaterials.asp#TopOfPage)