Data Management @ NAU

Types of identifying information

The sensitivity of all identifiers described below is heightened when combined with information about:

  • illegal behaviors
  • physical/mental health information
  • other information that poses a risk to subject reputation, insurability, employability, or legal status

If you are collecting these types of information, consider obtaining a Certificate of Confidentiality that would protect you and NAU from being forced to disclose information that could identify your research subjects.

Each type of identifying information below is listed with a description, followed by how your research might be affected.

Personally Identifiable Information (PII)

PII "refers to information that can be used to distinguish or trace an individual's identity,
  • either alone [such as name, social security number, or date and place of birth],
  • or when combined with other personal or identifying information that is linked or linkable to a specific individual" [such as medical, education, financial, or employment info].
PII is defined in OMB M-07-16 and GAO-08-536; the quote is from the Appendix of OMB M-10-23.

Unfortunately, there's not one official list of all information that qualifies as PII, so you'll have to assess the risk of identification for every dataset you need to share.

See our list below of common examples of PII.

Protected Health Information (PHI)

[protected by HIPAA]

PHI includes all information that identifies an individual and describes his or her medical condition -- the HIPAA Privacy Rule specifies 18 elements that could identify an individual.

Patient/medical information is protected by HIPAA, the Health Insurance Portability and Accountability Act of 1996 -- the Security Rule and the Privacy Rule implement the security and privacy protections of HIPAA.

HIPAA directly regulates researchers who either:
  • Work within a "Covered Entity" (health care provider, health plan provider, or health care clearinghouse)
HIPAA indirectly regulates researchers who wish to use data from covered entities.
The Privacy Rule specifies six circumstances under which researchers can use or disclose protected health information:
  • Research participant gives written authorization for research use/disclosure
  • Institutional Review Board (IRB) gives documented approval for research use/disclosure
  • PHI in the dataset has been de-identified as defined by HIPAA
  • PHI is presented in a "Limited Data Set" as defined by HIPAA
  • Researcher is using PHI of deceased persons
  • Researcher is engaged in activities preparatory to research
(these circumstances are defined in full on HHS.gov).

Student Records

[protected by FERPA]

FERPA, the Family Educational Rights and Privacy Act of 1974, protects the privacy of a student's entire educational record. 

No information can be disclosed without student or guardian consent [with the exception of "directory" information].

For more information, please see:

Other sensitive information
  • Employee information
  • GLBA (Gramm-Leach-Bliley Act) and customer information
  • Donor or alumni information
  • Financial information
If you're working with these types of data, we can put you in touch with the right people on campus for more information -- just contact us.

Common examples of PII (Personally Identifiable Information)

There's not one official list of all information that qualifies as PII, but here are some common examples:

Category: specific examples

  • Unique identifying numbers: social security number (SSN); passport number; driver's license number; student identification number; taxpayer identification number; patient identification number; health plan beneficiary number; financial account or credit card number
  • Names: full name; maiden name; mother's maiden name; alias
  • Geographic information: street address or place of birth (even ZIP codes might lead to individual identification when combined with other information)
  • Contact information: email address; mobile, business, fax or personal phone numbers
  • Personal characteristics: photographic image (particularly facial image); x-rays; fingerprints; other biometric image or template data (e.g., retina scan; voice signature; facial geometry)
  • Electronic identifiers: IP address; URL address; MAC address
  • Property identifiers: vehicle registration number or title number; medical device identifier; serial number
  • Specific dates (other than year) related to an individual: birth date, death date; hospital admission or release dates. Year could become an identifying factor for persons over 89 years old.
  • Indirect identifiers that could be combined with each other or information above: occupation or place of work; income; education; sex or ethnicity; rare disease or treatment; name of doctor

References

Recommendations are based on:

Guidance and Procedure: Data Security in Research, UCLA Office of the Human Research Protection Program (OHRPP), last updated February 24, 2011

Table 1 of "Preparing raw clinical data for publication: guidance for journal editors, authors, and peer reviewers" Trials 2010, 11:9

"Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)" from the National Institute of Standards and Technology

"Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule" from HHS.gov