Protected Health Information (HIPAA)

Protected Health Information (PHI) is defined by the Health Insurance Portability and Accountability Act (HIPAA). PHI is individually identifiable health information that relates to the:

  • Past, present, or future physical or mental health or condition of an individual.
  • Provision of health care to the individual by a covered entity (for example, a hospital or doctor).
  • Past, present, or future payment for the provision of health care to the individual.

Researchers should be aware that health and medical information about research subjects may also be regulated by HIPAA. Researchers can contact the U-M Health System (UMHS) Compliance Office with questions.

Frequently Used by: 

Faculty
Staff
Researchers

Category: 

Sensitive

Examples: 

The following individually identifiable data elements, when combined with health information about that person, make such information protected health information (PHI):

  • Names
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • License plate numbers
  • URLs
  • Full-face photographic images
  • Any other unique identifying number, characteristic, code, or combination that allows identification of an individual

Andrew File System (AFS): Not Permitted
Armis: Permitted
Blue Jeans Video Conferencing: Permitted
Canvas: Not Permitted
Cloud Storage Included with Software: Not Permitted
CTools: Permitted
Data Warehouse: Not Permitted
Desktop Backup (Powered by CrashPlan): Permitted
Desktop Virtualization (VDI): Permitted
Digital Signage: Not Permitted
Echo360 - Lecture Capture and LectureTools: Not Permitted
eResearch: Not Permitted
Flux: Not Permitted
Globus: Not Permitted
ITS Exchange Email and Calendar: Not Permitted
M Cloud - Amazon Web Services GovCloud: Not Permitted
M Cloud Amazon Web Services (AWS): Not Permitted
M+Box Additional Apps (Non-Core): Not Permitted
M+Box Core Apps: Permitted
M+Google Additional Services (Non-Core): Not Permitted
M+Google Drive: Not Permitted
M+Google Mail and Calendar: Not Permitted
M+Google Sites, Talk/Hangouts, Groups, Tasks, Classroom: Not Permitted
MiDatabase: Permitted
MiServer: Permitted
MiShare: Permitted
MiStorage (for Some Sensitive Data) with CIFS: Permitted
MiStorage with NFS: Not Permitted
MiVideo: Not Permitted
MiWorkspace: Permitted
Personal Accounts (Dropbox, OneDrive, iCloud, etc.): Not Permitted
Personally Owned Devices (phone, tablet, laptop, etc.): Permitted
Qualtrics: Permitted
ServiceLink: Permitted
Sitemaker: Not Permitted
Statistics and Computation Service: Not Permitted
TSM Backup: Permitted
Turbo Research Storage with NFS: Not Permitted
Turbo Research Storage (for Some Sensitive Data) with NFSv4+Kerberos: Permitted
UMHS Exchange/Outlook Email and Calendar: Permitted
Virtualization as a Service (VaaS): Permitted