Protected Health Information

Protected Health Information (PHI) is defined by the Health Insurance Portability and Accountability Act (HIPAA). PHI is individually identifiable health information health information that relates to the past, present, or future physical or mental health or condition, and:

  • The provision of health care to the individual by a covered entity (e.g., hospital or doctor), and 
  • The past, present, or future payment for the provision of health care to the individual.
Researchers should be aware that health and medical information about research subjects may also be regulated by HIPAA. Researchers can contact the U-M Health System (UMHS) Compliance Office with questions.

Frequently Used by: 

Faculty
Staff
Researchers

Category: 

Sensitive

Examples: 

The following individually identifiable data elements, when combined with health information about that person, make such information protected health information (PHI):

  • Names
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • License plate numbers
  • URLs
  • Full-face photographic images
  • Any other unique identifying number, characteristic, code, or combination that allows identification of an individual
     

M+Box Core Apps: 

Not Permitted

M+Google Mail and Calendar: 

Not Permitted

M+Google Drive (Docs): 

Not Permitted

M+Google Sites, Talk, Groups, Tasks: 

Not Permitted

M+Google Additional Services (Non-Core): 

Not Permitted

UMHS Exchange Email and Calendar: 

Permitted

CTools: 

Permitted

Wolverine Access: 

Permitted

MiDatabase: 

Permitted

MiServer: 

Permitted

Desktop Virtualization (VDI): 

Permitted

TSM Backup: 

Permitted

MiWorkspace: 

Permitted

Sitemaker: 

Not Permitted

Virtualization as a Service (VaaS): 

Permitted

Value Storage: 

Not Permitted

Mainstream Storage: 

Permitted

Data Warehouse: 

Not Permitted

ITS Exchange Email and Calendar: 

Not Permitted

Desktop Backup (Powered by CrashPlan): 

Permitted

Personally Owned Devices (phone, tablet, laptop, etc.): 

Permitted

Flux: 

Not Permitted

MiShare: 

Permitted

M Cloud Amazon Web Services (AWS): 

Not Permitted

Globus: 

Not Permitted

MiVideo: 

Not Permitted

M+Box Additional Apps (Non-Core): 

Not Permitted

M Cloud - Amazon Web Services GovCloud: 

Not Permitted

Qualtrics: 

Permitted

Digital Signage: 

Not Permitted

eResearch: 

Not Permitted

Blue Jeans Video Conferencing: 

Not Permitted