Digital Assets Management (DAM) System

Guide for OHSU Library's DAM System

Images and PHI

Please know that you are responsible for maintaining the confidentiality of any images that contain Protected Health Information (PHI).

PHI is any information that was created, used, or disclosed in the course of providing a health care service and can be used to identify a patient. This includes images. PHI is protected under HIPAA, and all students, faculty, and staff who come into contact with Protected Health Information are obligated to follow HIPAA compliance guidelines on how to avoid disclosing it in order to meet the requirements of the law.

Types of Protected Health Information

In order for health data to be considered PHI and regulated by HIPAA it needs to be two things:

  • Personally identifiable to the patient
  • Used or disclosed to a covered entity during the course of care

Types of PHI include:

  1. Names
  2. All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
  3. Dates (other than year) directly related to an individual
  4. Phone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health insurance beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate number
  13. Device identifiers and serial numbers
  14. Web Uniform Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger, retinal and voice prints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data

OHSU Employee & Student Information

OHSU employee and student information is not considered PHI. However, a HIPAA authorization form must be obtained before PHI is disclosed and media release forms are required to use OHSU member information. It is the responsibility of the individual uploading images to the DAM to ensure that proper permissions have been granted to use images of OHSU employees and students, including media release authorization for OHSU staff and students and HIPAA authorization for the use of PHI. 

  • A signed media release form is required for employees who appear in images and is obtained at the time the photo is taken.
  • The OHSU registrar requires a signed media release form from students upon enrollment.