Asthma Registry Data and HIPAA: What Counts as PHI and How to Stay Compliant

Product Pricing
Ready to get started? Book a demo with our team
Talk to an expert

Asthma Registry Data and HIPAA: What Counts as PHI and How to Stay Compliant

Kevin Henry

HIPAA

January 11, 2026

9 minutes read
Share this article
Asthma Registry Data and HIPAA: What Counts as PHI and How to Stay Compliant

Asthma Surveillance Data Overview

Asthma registries aggregate clinical, administrative, and environmental information to track outcomes, improve care quality, and support public health surveillance. You might capture demographics, diagnosis codes (for example, J45.x), spirometry values (FEV1, FEV1/FVC), controller and rescue medications, exacerbations, emergency visits, hospitalizations, and adherence indicators.

Data often flow from electronic health records, claims, pharmacies, school health programs, and sometimes connected devices such as smart inhalers or peak-flow meters. Because these sources can directly or indirectly identify people, Asthma Registry Data and HIPAA intersect at every step—from intake and integration to reporting and research.

Why HIPAA matters for asthma surveillance

  • Most registry data originate with covered entities or their business associates, making much of it Protected Health Information (PHI) before de-identification.
  • Use cases—care coordination, quality improvement, public health, or research—determine which HIPAA pathway applies (authorization, public health disclosure, waiver, limited data set, or de-identified data).
  • Applying the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule correctly protects individuals and your program.

Definition of Protected Health Information

Protected Health Information (PHI) is individually identifiable health information created or received by a covered entity or business associate that relates to an individual’s health status, provision of care, or payment for care. PHI can exist in any medium—electronic, paper, or oral. If a registry receives such data from a covered entity or its business associate, the information is PHI unless it has been de-identified under HIPAA standards.

What is not PHI

  • Data that meet HIPAA’s de-identification standard (via Safe Harbor or Expert Determination).
  • Education records covered by FERPA and employment records held by a covered entity in its role as employer.
  • Aggregated statistics that cannot reasonably identify an individual (for example, county-level asthma hospitalization rates with appropriate suppression rules).

When asthma registry data become PHI

If your registry receives patient-level records containing identifiers (direct or indirect) from clinics, hospitals, plans, or their vendors, the dataset is PHI. This includes device telemetry tied to a patient account, free-text notes with names or dates, and encounter logs linked to specific individuals.

Identifiers Constituting PHI

Under HIPAA’s Safe Harbor, PHI includes records with any of these 18 identifiers of the individual or of relatives, employers, or household members:

Ready to simplify HIPAA compliance?

Join thousands of organizations that trust Accountable to manage their compliance needs.

  • Names.
  • Geographic subdivisions smaller than a state (for example, street address, city, county, precinct, and most ZIP codes).
  • All elements of dates (except year) directly related to an individual, and ages over 89 (unless aggregated into 90+).
  • Telephone numbers.
  • Fax numbers.
  • Email addresses.
  • Social Security numbers.
  • Medical record numbers.
  • Health plan beneficiary numbers.
  • Account numbers.
  • Certificate or license numbers.
  • Vehicle identifiers and serial numbers, including license plates.
  • Device identifiers and serial numbers.
  • Web URLs.
  • IP address numbers.
  • Biometric identifiers (for example, fingerprints, voiceprints).
  • Full-face photographs and comparable images.
  • Any other unique identifying number, characteristic, or code that could identify the individual.

Asthma-specific examples

  • Smart inhaler serial numbers paired with usage logs are device identifiers and PHI if linked to a person.
  • Geocoded home addresses used for environmental exposure mapping are PHI unless transformed to meet de-identification standards.
  • Clinician notes referencing a patient’s school and exact dates of exacerbations can re-identify individuals when combined with small population sizes.

De-Identified Data and Its Use

De-Identified Data are not PHI and fall outside the HIPAA Privacy Rule. You can create de-identified asthma datasets using either method:

Safe Harbor method

  • Remove all 18 HIPAA identifiers, including most granular geographies and all elements of dates except year.
  • Ensure no actual knowledge remains that the data could identify an individual when combined with other available information.

Expert Determination method

  • A qualified expert uses accepted statistical or scientific principles to determine that the risk of re-identification is very small.
  • Often enables retention of more utility (for example, 3-digit ZIP codes or month-level dates) with documented risk controls.

Good practices for asthma registries using de-identified data

  • Apply suppression and generalization rules for small cells (for example, counts under a chosen threshold).
  • Remove or tokenize free text to eliminate latent identifiers.
  • Evaluate recombination risks when releasing multiple extracts over time or joining to external environmental datasets.
  • Maintain a re-identification code key, if needed for linkage, in a separate, access-controlled environment.

Limited Data Sets Under HIPAA

A Limited Data Set (LDS) is PHI with specific direct identifiers removed. It may include city, state, ZIP code, and full dates (for example, birth, admission, discharge, death), which increases analytic value for asthma surveillance while retaining privacy safeguards.

Permitted purposes and conditions

  • Use and disclosure are limited to research, public health, or health care operations.
  • A Data Use Agreement must be in place with the recipient before disclosure.
  • Street address, phone, email, Social Security number, medical record number, and similar direct identifiers must be excluded.

Asthma registry examples

  • Maintaining month and day of exacerbations to evaluate seasonality and air-quality impacts.
  • Using ZIP code to study neighborhood-level access to controller medications.
  • Sharing LDS with a university partner for outcomes research under a Data Use Agreement.

HIPAA Compliance Requirements for Registries

HIPAA Privacy Rule

  • Establish your legal basis for each flow of PHI: patient authorization, IRB/Privacy Board waiver, public health authority disclosure, limited data set with DUA, or de-identified data.
  • Apply the minimum necessary standard and role-based access to asthma registry fields.
  • Execute Business Associate Agreements when vendors create, receive, maintain, or transmit PHI on your behalf.
  • Provide accounting of disclosures when required and maintain retention schedules for documentation.

HIPAA Security Rule (for ePHI)

  • Perform and document a risk analysis; implement risk management and ongoing evaluation.
  • Administrative safeguards: policies, workforce training, sanctions, contingency plans, vendor oversight.
  • Physical safeguards: facility access controls, workstation/device protections, secure media disposal.
  • Technical safeguards: unique user IDs, multi-factor authentication, access controls, audit logs, integrity checks, and encryption commensurate with risk (in transit and at rest).
  • Data lifecycle controls: secure ingestion, de-identification pipelines, tokenization, and segregation of re-identification keys.

HIPAA Breach Notification Rule

  • Assess incidents for a breach of unsecured PHI using the four-factor risk assessment (data sensitivity, unauthorized recipient, whether data were actually acquired/viewed, and mitigation).
  • Notify affected individuals, HHS, and when applicable the media without unreasonable delay and within required timeframes.
  • Maintain incident logs, corrective actions, and improvement plans to reduce recurrence.

Data Use Agreements and Privacy Safeguards

Essential elements of a Data Use Agreement

  • Permitted uses and disclosures of the Limited Data Set (for example, specified asthma outcomes research).
  • Authorized recipients and allowed agents or subcontractors.
  • Requirements to use appropriate safeguards and prevent unauthorized use or disclosure.
  • Obligations to report non-permitted uses/disclosures and cooperate in remediation.
  • Prohibitions on re-identification or contacting individuals.
  • Return or destruction of the data upon completion or when no longer needed.
  • Oversight, audit rights, and consequences for non-compliance.

DUA vs. BAA

A Data Use Agreement governs how a Limited Data Set may be used or disclosed by the recipient. A Business Associate Agreement is required when a vendor or partner performs functions involving PHI on your behalf. Many asthma registries need both—BAAs for operational vendors and DUAs for sharing an LDS with research or public health partners.

Operational privacy safeguards for asthma registries

  • Data minimization: collect only fields necessary for the stated purpose; prefer de-identified data when feasible.
  • Strong identity and access management with least-privilege roles and time-bound access.
  • Audit logging and regular review of data extracts, downloads, and API activity.
  • Secure coding and data engineering practices, including validation of incoming files and redaction of free text.
  • Aggregation and suppression rules in public reporting to prevent re-identification via small counts.
  • Documented retention and disposal schedules for raw PHI, LDS, and derived datasets.

Conclusion

Managing Asthma Registry Data and HIPAA compliance hinges on knowing what constitutes PHI, removing or controlling identifiers, and choosing the correct pathway—de-identified data, a Limited Data Set with a Data Use Agreement, or another lawful basis. By aligning your privacy program with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule, you protect individuals while preserving the analytic value needed to improve asthma outcomes.

FAQs

What types of asthma registry data are considered PHI?

Any patient-level information that can identify an individual and relates to health status, care, or payment is PHI. In asthma registries, that includes names, addresses, full dates, medical record numbers, device serial numbers linked to a person, contact details, claim identifiers, and free-text notes containing identifiers. Even environmental exposure fields can be PHI when tied to a specific person or household.

How can registries ensure compliance with HIPAA?

Map each data flow to a legal basis under the HIPAA Privacy Rule, apply minimum necessary access, and execute required BAAs and DUAs. Implement Security Rule safeguards—risk analysis, technical controls, encryption based on risk, monitoring, and training. Prepare for incidents under the HIPAA Breach Notification Rule, and prefer de-identified data or Limited Data Sets when full identifiers are not essential.

What is the difference between de-identified data and limited data sets?

De-identified data are not PHI and meet HIPAA’s Safe Harbor or Expert Determination standard, removing the 18 identifiers or proving very small re-identification risk. A Limited Data Set is still PHI but excludes specific direct identifiers while allowing city, state, ZIP code, and full dates; it can be used for research, public health, or operations only with a Data Use Agreement.

How are data use agreements applied in asthma registries?

Registries use Data Use Agreements when disclosing a Limited Data Set to a partner. The DUA specifies permitted uses (for example, analyzing seasonal exacerbations), identifies authorized users, mandates safeguards, prohibits re-identification and contacting individuals, requires reporting of any misuse, and sets terms for returning or destroying the data once the project ends.

Share this article

Ready to simplify HIPAA compliance?

Join thousands of organizations that trust Accountable to manage their compliance needs.

Related Articles