Protected Health Information (HIPAA)

Protected Health Information (PHI) is applicable to covered entities. For any data deemed PHI, please contact Sharalyn Rasmussen at smreed@ucdavis.edu, the HIPAA privacy officer for UC Davis Health or Molly Theodossy at mmtheodossy@ucdavis.edu, the HIPAA privacy officer for campus.

PHI is defined by the Health Insurance Portability and Accountability Act (HIPAA). PHI is individually identifiable health information that relates to:

  • The past, present or future physical or mental health conditions of an individual.
  • The provision of health care to the individual by a covered entity (for example, hospital or doctor).
  • The past, present or future payment for the provision of health care to the individual.

Any stored PHI must be encrypted at all times, in transit and at rest.

PHI can be shared with individuals identified by the patient and the patient's health care provider unless specified by the patient. PHI may be used for the patient's treatment, for the doctor's payment and to ensure doctor's quality of care, to protect the public's health and to make required reports to the police. 

A patient's health information can be shared if it is de-identified, meaning all of the identifying information has been removed. De-identification must follow the HIPAA Privacy Rule's standard of de-identification.

Examples: 

The following individually identifiable data elements, when combined with health information about that person, make such information protected health information (PHI):

  • Names
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • License plate numbers
  • URLs
  • Full-face photographic images
  • Any other unique identifying number, characteristic, code, or combination that allows identification of an individual

However, health information that does not include individually identifiable data elements are not PHI. For example, symptoms listed with a patient's age and no other information is not considered PHI.