In information security, the Stanford Data Classification Guidelines are used to classify information as having no risk at all, low risk, or high risk. The guidelines identify health information as high risk: Protected Health Information (PHI) is High Risk Data that must be protected against any form of risk. According to the guidelines, PHI is any information that relates to the past, present or future of an individual and can be used to identify that individual.
Such information must be treated with the utmost privacy. It should be encrypted and stored on encrypted devices.
When data is used for research purposes, the law permits the use of Protected Health Information (PHI) if it is used anonymously. When certain personal details are omitted from the data, it can be used because there is no longer any means of using it to identify an individual.
To anonymize PHI, you must remove the 18 different identifiers from the information. These identifiers are what make the information Protected Health Information. Once they have been removed, the information can no longer be traced to any individual.
The identifiers include:
- Full face photographic images and any comparable images
- Biometric identifiers such as finger and voice prints
- Geographic subdivisions smaller than a state
- All elements of dates directly related to an individual
- Telephone numbers and fax numbers
- Account numbers
- Medical record numbers
- Electronic mail addresses (Email address)
- Social security numbers
- Health plan beneficiary numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers such as license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
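A sketch of the removal step described above, added here as an example and not taken from the guidelines: it drops structured columns that fall under the listed identifier categories, scrubs identifiers that leak into free text, and audits the result. The column names, the `notes` field and the sample record are assumptions constructed for illustration.

```python
import re

# Hypothetical column names for the identifier categories listed above.
IDENTIFIER_FIELDS = {
    "photo", "fingerprint", "voice_print", "street", "city", "county", "zip",
    "birth_date", "admission_date", "phone", "fax", "account_number",
    "medical_record_number", "email", "ssn", "health_plan_id",
    "license_number", "vehicle_plate", "device_serial", "url", "ip_address",
}

# Identifiers that leak into free-text notes; URL runs before EMAIL on purpose.
TEXT_PATTERNS = [
    ("URL", re.compile(r"https?://\S+")),
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.])\d{3}[-.]\d{4}\b")),
    ("DATE", re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b|\b\d{4}-\d{2}-\d{2}\b")),
]

def scrub_text(text):
    """Replace each matched identifier with a category placeholder."""
    for label, pattern in TEXT_PATTERNS:
        text = pattern.sub(f"[{label}]", text)
    return text

def deidentify(record, free_text_fields=("notes",)):
    """Drop identifier columns and scrub the named free-text columns."""
    clean = {}
    for key, value in record.items():
        if key in IDENTIFIER_FIELDS:
            continue  # whole column is an identifier (dates included): remove it
        if key in free_text_fields and isinstance(value, str):
            value = scrub_text(value)
        clean[key] = value
    return clean

def residual_identifiers(record):
    """Audit check: labels of patterns still present in any string value."""
    return sorted({label for v in record.values() if isinstance(v, str)
                   for label, p in TEXT_PATTERNS if p.search(v)})

# Constructed sample record; every value is made up.
SAMPLE = {
    "medical_record_number": "MRN-0001", "email": "pat@example.org",
    "zip": "94305", "state": "CA", "birth_date": "1980-02-14", "diagnosis": "J45.909",
    "notes": "Seen 03/04/2021. Call (555) 010-2345 or pat@example.org; "
             "portal https://portal.example.org/u/17 from 192.0.2.10.",
}
```

Pattern matching over free text is best effort, so a non-empty result from `residual_identifiers` on the cleaned record should block release until the record is reviewed.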