The sensitivity of all identifiers described below is heightened when combined with information about:
If you are collecting these types of information, consider obtaining a Certificate of Confidentiality that would protect you and NAU from being forced to disclose information that could identify your research subjects.
| Types of identifying information | Description | How your research might be affected: |
| Personally Identifiable Information (PII) | PII "refers to information that can be used to distinguish or trace an individual's identity,
|
Unfortunately, there's not one official list of all information that qualifies as PII, so you'll have to assess the risk of identification for every dataset you need to share. See our list below of common examples of PII. |
|
Protected Health Information (PHI) [protected by HIPAA] |
PHI includes all information that identifies an individual and describes his or her medical condition -- the HIPAA Privacy Rule specifies 18 elements that could identify an individual. Patient/medical information is protected by HIPAA, the Health Insurance Portability and Accountability Act of 1996 -- the Security Rule and the Privacy Rule implement the security and privacy protections of HIPAA. |
HIPAA directly regulates researchers who either:
The Privacy Rule specifies six circumstances under which researchers can use or disclose protected health information:
|
|
Student Records [protected by FERPA] |
FERPA, the Family Educational Rights and Privacy Act of 1974, protects the privacy of a student's entire educational record. |
No information can be disclosed without student or guardian consent [with the exception of "directory" information]. For more information, please see: |
| Other sensitive information |
|
If you're working with these types of data, we can put you in touch with the right people on campus for more information -- just contact us. |
There's not one official list of all information that qualifies as PII, but here are some common examples:
| Category | Specific Examples |
| Unique identifying numbers | social security number (SSN); passport number; driver's license number; student identification number; taxpayer identification number; patient identification number; health plan beneficiary number; financial account or credit card number |
| Names | full name; maiden name; mother's maiden name; alias |
| Geographic information | street address or place of birth (even ZIP codes might lead to individual identification when combined with other information) |
| Contact information | email address; mobile, business, fax or personal phone numbers |
| Personal characteristics | photographic image (particularly facial image); x-rays; fingerprints; other biometric image or template data (e.g., retina scan; voice signature; facial geometry) |
| Electronic identifiers | IP address; URL address; MAC address |
| Property identifiers | vehicle registration number or title number; medical device identifier; serial number |
| Specific dates (other than year) related to an individual | birth date, death date; hospital admission or release dates. Year could become an identifying factor for persons over 89 years old |
| Indirect identifiers that could be combined with each other or information above | occupation or place of work; income; education; sex or ethnicity; rare disease or treatment; name of doctor |
Recommendations are based on:
Guidance and Procedure: Data Security in Research, UCLA Office of the Human Research Protection Program (OHRPP), last updated February 24, 2011
Table 1 of "Preparing raw clinical data for publication: guidance for journal editors, authors, and peer reviewers" Trials 2010, 11:9
"Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)" from the National Institute of Standards and Technology