The sensitivity of all identifiers described below is heightened when combined with information about:
physical/mental health information
other information that poses a risk to subject reputation, insurability, employability, or legal status
If you are collecting these types of information, consider obtaining a Certificate of Confidentiality that would protect you and NAU from being forced to disclose information that could identify your research subjects.
Types of identifying information
How your research might be affected:
Personally Identifiable Information (PII)
PII "refers to information that can be used to distinguish or trace an individual's identity, either alone [such as name, social security number, or date and place of birth], or when combined with other personal or identifying information that is linked or linkable to a specific individual" [such as medical, education, financial, or employment info].
PII is defined in OMB M-07-16 and GAO-08-536; the quote is from the Appendix of OMB M-10-23.
Unfortunately, there's not one official list of all information that qualifies as PII, so you'll have to assess the risk of identification for every dataset you need to share.
PHI includes all information that identifies an individual and describes his or her medical condition -- the HIPAA Privacy Rule specifies 18 elements that could identify an individual.
Patient/medical information is protected by HIPAA, the Health Insurance Portability and Accountability Act of 1996 -- the Security Rule and the Privacy Rule implement the security and privacy protections of HIPAA.
Work within a "Covered Entity" (health care provider, health plan provider, or health care clearinghouse)
HIPAA indirectly regulates researchers who wish to use data from covered entities. The Privacy Rule specifies six circumstances under which researchers can use or disclose protected health information:
Research participant gives written authorization for research use/disclosure
Institutional Review Board (IRB) gives documented approval for research use/disclosure
GLBA (Gramm-Leach-Bliley Act) and customer information
Donor or alumni information
If you're working with these types of data, we can put you in touch with the right people on campus for more information -- just contact us.
Common examples of PII (Personally Identifiable Information)
There's not one official list of all information that qualifies as PII, but here are some common examples:
Unique identifying numbers
social security number (SSN); passport number; driver's license number; student identification number; taxpayer identification number; patient identification number; health plan beneficiary number; financial account or credit card number
full name; maiden name; mother's maiden name; alias
street address or place of birth (even ZIP codes might lead to individual identification when combined with other information)
email address; mobile, business, fax or personal phone numbers
photographic image (particularly facial image); x-rays; fingerprints; other biometric image or template data (e.g., retina scan; voice signature; facial geometry)
IP address; URL address; MAC address
vehicle registration number or title number; medical device identifier; serial number
Specific dates (other than year) related to an individual
birth date; death date; hospital admission or release dates. Year could become an identifying factor for persons over 89 years old.
Indirect identifiers that could be combined with each other or information above
occupation or place of work; income; education; sex or ethnicity; rare disease or treatment; name of doctor
Recommendations are based on:
Guidance and Procedure: Data Security in Research, UCLA Office of the Human Research Protection Program (OHRPP), last updated February 24, 2011