Protected Health Information (HIPAA)

Protected Health Information (PHI) is defined by the Health Insurance Portability and Accountability Act (HIPAA). PHI is individually identifiable health information that relates to the

  • Past, present, or future physical or mental health or condition of an individual.
  • Provision of health care to the individual by a covered entity (for example, hospital or doctor).
  • Past, present, or future payment for the provision of health care to the individual.

Researchers should be aware that health and medical information about research subjects may also be regulated by HIPAA. Researchers can contact the U-M Health System (UMHS) Compliance Office with questions.

Frequently Used by: 
Faculty
Staff
Researchers
Category: 
Sensitive
Examples: 

The following individually identifiable data elements, when combined with health information about that person, make such information protected health information (PHI):

  • Names
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • License plate numbers
  • URLs
  • Full-face photographic images
  • Any other unique identifying number, characteristic, code, or combination that allows identification of an individual 
Andrew File System (AFS): 
Not Permitted
BlueJeans Video Conferencing: 
Permitted
Canvas: 
Not Permitted
Cloud Storage Included with Software: 
Not Permitted
CTools: 
Permitted
Data Warehouse: 
Not Permitted
Desktop Backup (Powered by CrashPlan): 
Permitted
Desktop Virtualization (VDI): 
Permitted
Digital Signage: 
Not Permitted
Echo360 - Lecture Capture and LectureTools: 
Not Permitted
eResearch: 
Not Permitted
Flux: 
Not Permitted
Globus: 
Not Permitted
ITS Exchange Email and Calendar: 
Not Permitted
M Cloud - Amazon Web Services GovCloud: 
Not Permitted
M Cloud - Amazon Web Services (AWS): 
Not Permitted
Box Additional Apps (Non-Core): 
Not Permitted
Box at U-M Core Apps: 
Permitted
Google Additional Services (Non-Core): 
Not Permitted
Google Drive at U-M: 
Not Permitted
Google Mail and Calendar at U-M and Inbox by GMail: 
Not Permitted
Google Sites, Talk/Hangouts, Groups, Tasks, Classroom at U-M: 
Not Permitted
MiDatabase: 
Permitted
MiServer: 
Permitted
MiShare: 
Permitted
MiStorage with CIFS: 
Permitted
MiStorage with NFS: 
Not Permitted
MiVideo: 
Not Permitted
MiWorkspace: 
Permitted
Personal Accounts (Dropbox, OneDrive, iCloud, etc.): 
Not Permitted
Personally Owned Devices (phone, tablet, laptop, etc.): 
Permitted
Qualtrics: 
Permitted
ServiceLink: 
Permitted
Statistics and Computation Service: 
Not Permitted
MiBackup: 
Permitted
Turbo Research Storage with NFS: 
Not Permitted
Turbo Research Storage with NFSv4+Kerberos or CIFS: 
Permitted
UMHS Exchange/Outlook Email and Calendar: 
Permitted
Armis: 
Permitted
Imaging Services: 
Not Permitted

Don't see the service you need? Contact the ITS Service Center.