Search within:

Protected Health Information

Definition: Protected Health Information (PHI) is defined as individually identifiable health information that relates to the following:

  • Past, present, or future physical or mental health or condition of an individual.

  • Provision of health care to the individual by a covered entity (i.e. hospital or physician).

  • Past, present, or future payment for provision of health care to the individual.

Governing Authority: Health Insurance Portability and Accountability Act (HIPAA)

Responsible Operating Unit: Legal Affairs

Examples: Data elements that when combined with health information about that person, make such information protected health information (PHI): names, telephone numbers, fax numbers, email addresses, social security numbers, medical record numbers, health plan beneficiary numbers, licenses plate numbers, URLs, full face photographic images, or any other unique identifying number, characteristic, code, or combination that allows identification of an individual.

Special Considerations: Researchers must be aware that health and medical information about research subjects may also be regulated by HIPAA.

List of IT Services & Tools

For the definition of terms related to the categories below, please reference the Glossary of Permission Levels.

Acceptable IT Services & Tools:

  • Qualtrics

  • REDCap

    • Note: To utilize the MyCap app with HIPAA Data you must first consult with the information security office.

Consultation Required:

  • OnBase - With OIT consultation.

  • OneDrive/M365 Groups - With OIT consultation and Group setup according to the Storing Sensitive Data within OneDrive Standard.

  • NAS departmental shared storage ( - With OIT consultation to ensure data encryption.

  • NAS individual home storage ( - With OIT consultation to ensure data encryption.

Not Permitted IT Services & Tools:

  • Blackboard

  • OneDrive/M365 individual accounts

  • PeopleSoft

  • Personal cloud storage accounts

  • Personal/Non-University owned devices

If you don't see the IT service or tool listed that you wish to use to store data classified as medium or high sensitivity, contact Information Security to determine if it's appropriate for your data type.