Health Insurance Portability and Accountability Act of 1996:

A Federal law imposed on all health care organizations including hospitals, physician offices, home health agencies, nursing homes, and other providers, as well as health plans and clearinghouses, protects patient health information.

  • Its main purpose is to make sure that Protected Health Information (PHI) is properly handled.
  • HIPAA tells us how we must process and protect our patient information.
  • It also says that if we transmit PHI electronically, we must do it in a standard way.
  • Under HIPAA patients have new rights that we must inform them about.

HIPAA rules require us to:

  • Treat all things we learn about patients as confidential - We can’t tell anyone else
  • Provide more control to patients over their personal health information
  • Punish those who misuse patient information by imposing criminal & civil penalties

OpenSpecimen PHI Fields

Any information that uniquely identifies a patient is Protected Health Information (PHI).

OpenSpecimen includes the following PHI fields:

ObjectField Name

Name (first, last, middle)


Date of Birth


Social Security Number


Registration Date


Death Date


Medical Record Number


Email ID


Consent File


Master Patient Index

VisitSurgical Pathology Number

Below are some of the other fields which are considered PHI but not present in the OpenSpecimen default model. If you add these as custom fields, we recommend marking them as PHI so that only restricted users get access to it:

  • Address (all geographic subdivisions smaller than the state, including street address, city county, and zip code)
  • Telephone numbers
  • Fax number
  • Health plan beneficiary number
  • Account number
  • Certificate or license number
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Finger or voice print
  • Photographic image - Photographic images are not limited to images of the face.
  • Any other characteristic that could uniquely identify the individual


  1. Share PHI data securely with files encrypted with passwords. 
  2. If screenshots are taken from production, mask the PHI information using graphic editors like 'Paint'.
  3. The right to access PHI data should only be given to selective users of a system. (Eg: Super-administrators, Site Administrators in OpenSpecimen)
  4. if PHI is sent insecurely by mistake, destroy it immediately. Don't forward/reply to such emails, remove the PHI content before you have to do.


  1. Don't send passwords of client-side OpenSpecimen application which has real data over emails.
  2. Don't send screenshots over email or update Jira/Wiki/Forums with screenshots having real data.
  3. Don't store real data on local machines. Even if done, remove after work done.
  4. Never share your credentials with anyone.
  5. Do not share PHI over email or public servers or 3rd party tools like google drive/dropbox. If required, use secure servers to share the data.

Civil monetary penalties

Failure to comply with HIPAA can result in civil and criminal penalties:

1. Covered entity or individual did not know (and by exercising reasonable diligence would not have known) the act was a HIPAA violation.
$100-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year
2. The HIPAA violation had a reasonable cause and was not due to willful neglect.
$1,000-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year
3. The HIPAA violation was due to willful neglect but the violation was corrected within the required time period.
$10,000-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year
4. The HIPAA violation was due to willful neglect and was not corrected.
$50,000 or more for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year

Criminal penalties

TierPotential jail sentence
Unknowingly or with reasonable cause
Up to one year
Under false pretencesUp to five years
For personal gain or malicious reasons
Up to ten years