Protected Health Information (PHI, regulated by HIPAA)

Key: Permission Levels

  • Permitted
  • Permitted with Information Assurance (IA) Consultation
  • Not Permitted

For IA consultation, please contact the ITS Service Center.

Protecting sensitive data is a shared responsibility. You are responsible for ensuring that your use of permitted services complies with laws, regulations, and policies where applicable.

Data Type Description 

Protected Health Information (PHI) is regulated by the Health Insurance Portability and Accountability Act (HIPAA). PHI is individually identifiable health information that relates to the:

  • Past, present, or future physical or mental health or condition of an individual.
  • Provision of health care to the individual by a covered entity (for example, hospital or doctor).
  • Past, present, or future payment for the provision of health care to the individual.

Researchers should be aware that health and medical information about research subjects may also be regulated by HIPAA.

Data Steward: Michigan Medicine Corporate Compliance: [email protected]

Examples 

The following individually identifiable data elements, when combined with health information about that person, make such information protected health information (PHI):

  • Names
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • License plate numbers
  • URLs
  • Full-face photographic images
  • Any other unique identifying number, characteristic, code, or combination that allows identification of an individual 

  • Andrew File System (AFS): Not Permitted
  • Canvas: Not Permitted
  • Cloud Storage Included with Software: Not Permitted
  • Data Warehouse: Not Permitted
  • Desktop Backup (Powered by Code42): Permitted
  • MiDesktop: Permitted
  • Digital Signage: Not Permitted
  • Echo360 - Lecture Capture and LectureTools: Not Permitted
  • eResearch: Not Permitted
  • Globus: With Approval
  • Amazon Web Services GovCloud at U-M: Not Permitted
  • Amazon Web Services (AWS) at U-M: Not Permitted
  • Google Non-Core Services: Not Permitted
  • Google Drive at U-M: Not Permitted
  • Google Mail and Calendar at U-M: Not Permitted
  • Google at U-M Core Services: Not Permitted
  • MiDatabase: Permitted
  • MiServer: Permitted
  • MiShare: Permitted
  • MiStorage CIFS with AWS S3 Cloud Storage Integration: Permitted
  • MiStorage (NFS): Not Permitted
  • MiVideo: Not Permitted
  • MiWorkspace: Permitted
  • Personal Accounts: Not Permitted
  • Personally Owned Devices (phone, tablet, laptop, etc.): Permitted
  • Qualtrics: Permitted
  • ServiceNow at Michigan Medicine: Permitted
  • MiBackup: Permitted
  • Turbo Research Storage: Permitted
  • Michigan Medicine Exchange/Outlook Email and Calendar: Permitted
  • Document Imaging System: Permitted
  • E-signature Service - SignNow: Permitted
  • Piazza Q&A: Not Permitted
  • Gradescope: Not Permitted
  • Electronic Research Notebook at U-M: Permitted
  • Microsoft Azure at U-M: Not Permitted
  • Google Cloud Platform (GCP) at U-M: Not Permitted
  • Perusall: Not Permitted
  • Secure Enclave Service (formerly Yottabyte Research Cloud): Permitted
  • Microsoft Office 365 at U-M: Not Permitted
  • Armis2: With Approval
  • Great Lakes Cluster: Not Permitted
  • Adobe Cloud Storage: Not Permitted
  • Zoom at U-M: Permitted
  • TeamDynamix at U-M: Permitted
  • Dropbox at U-M: Permitted
  • Virtru at U-M: Not Permitted
  • Microsoft Teams at U-M: Not Permitted
  • Denodo at U-M: Permitted
  • Slack at U-M: Not Permitted
  • Microsoft 365 at Michigan Medicine: Permitted
  • Lighthouse HPC Cluster: Not Permitted
  • MyDataHelps: Permitted
  • REDCap MICHR Academic License: Permitted
  • GitHub Enterprise SaaS: Not Permitted
  • Data Den Research Archive: Permitted
  • Locker Large-File Storage: Permitted
  • ITS AI Services: Not Permitted