*** Welcome to piglix ***

Protected health information


Protected health information (PHI) under US law is any information about health status, provision of health care, or payment for health care that is created or collected by a "Covered Entity" (or a Business Associate of a Covered Entity), and can be linked to a specific individual. This is interpreted rather broadly and includes any part of a patient's medical record or payment history.

PHI is often sought out in datasets for de-identification before researchers share the dataset publicly. When researchers remove PHI from a dataset they do so in an attempt to preserve privacy for research participants.

Under the US Health Insurance Portability and Accountability Act (HIPAA), PHI that is linked based on the following list of 18 identifiers must be treated with special care:

Anonymization is a process in which PHI elements are eliminated or manipulated with the purpose of hindering the possibility of going back to the original data set. This involves removing all identifying data to create unlinkable data.De-identification under the Health Insurance Portability and Accountability Act Privacy rule occurs when data has been stripped of common identifiers by two methods:

De-identified data is coded, with a link to the original, fully identified data set kept by an honest broker. Links exist in coded de-identified data making the data considered indirectly identifiable and not anonymized. Coded de-identified data is not protected by the HIPAA Privacy Rule, but is protected under the Common Rule. The purpose of de-identification and anonymization is to use health care data in larger increments, for research purposes. Universities, government agencies, and private health care entities use such data for research, development and marketing purposes.

Covered Entities

In general, US law governing PHI applies to data collected in the course of providing and paying for healthcare. Privacy and Security regulations govern how doctors, hospitals, health insurers and other Covered Entities use and protect the data they collect. It is important to understand that the source of the data is as relevant as the data itself when determining if something is PHI under US law. For example, you may observe someone on the street with an obvious medical condition such as an amputation. US law does NOT restrict you from using or sharing that information. However, if you had obtained information about the amputation exclusively from a protected source, such as from an electronic medical record, the data would be protected.


...
Wikipedia

...