When Is HIPAA Redaction Necessary?
- Any identifying health care information concerning an individual's past, present or future mental or physical condition, regardless of the type of record (such as paper, fax, oral or written), is Protected Health Information (PHI) and must be redacted from any records disclosed to a third party.
- When direct identifiers, such as name, Social Security Number, address, photos, account numbers and biometric identifiers, are "de-identified" (redacted), the remaining "limited data set" information, such as admission date, date of birth or death, age and ZIP code, can be disclosed only for authorized public health, research and health care operations purposes.
- Information is "de-identified" if the direct identifiers have been removed and there is no reasonable basis to believe that the remaining information could be used, alone or in conjunction with any other information, to identify an individual.
Privacy Rule
Limited Data Set
Safe Harbor Standard