The sensitivity of all identifiers described below is heightened when combined with information about:
- illegal behaviors
- physical/mental health information
- other information that poses a risk to subject reputation, insurability, employability, or legal status
If you are collecting these types of information, consider obtaining a Certificate of Confidentiality that would protect you and NAU from being forced to disclose information that could identify your research subjects.
Types of identifying information | Description | How your research might be affected |
Personally Identifiable Information (PII) |
PII "refers to information that can be used to distinguish or trace an individual's identity,
- either alone [such as name, social security number, or date and place of birth],
- or when combined with other personal or identifying information that is linked or linkable to a specific individual" [such as medical, education, financial, or employment info].
PII is defined in OMB M-07-16 and GAO-08-536; quote is from Appendix of OMB M-10-23 |
Unfortunately, there's not one official list of all information that qualifies as PII, so you'll have to assess the risk of identification for every dataset you need to share.
See our list below of common examples of PII.
|
Protected Health Information (PHI)
[protected by HIPAA]
|
PHI includes all information that identifies an individual and describes his or her medical condition -- the HIPAA Privacy Rule specifies 18 elements that could identify an individual.
Patient/medical information is protected by HIPAA, the Health Insurance Portability and Accountability Act of 1996 -- the Security Rule and the Privacy Rule implement the security and privacy protections of HIPAA.
|
HIPAA directly regulates researchers who either:
- Work within a "Covered Entity" (health care provider, health plan provider, or health care clearinghouse)
HIPAA indirectly regulates researchers who wish to use data from covered entities.
The Privacy Rule specifies six circumstances under which researchers can use or disclose protected health information:
- Research participant gives written authorization for research use/disclosure
- Institutional Review Board (IRB) gives documented approval for research use/disclosure
- PHI in the dataset has been de-identified as defined by HIPAA
- PHI is presented in a "Limited Data Set" as defined by HIPAA
- Researcher is using PHI of deceased persons
- Researcher is engaged in activities preparatory to research
(these circumstances are defined in full on HHS.gov). |
Student Records
[protected by FERPA]
|
FERPA, the Family Educational Rights and Privacy Act of 1974, protects the privacy of a student's entire educational record.
|
No information can be disclosed without student or guardian consent [with the exception of "directory" information].
For more information, please see:
|
Other sensitive information |
- Employee information
- GLBA (Gramm-Leach-Bliley Act) and customer information
- Donor or alumni information
- Financial information
|
If you're working with these types of data, we can put you in touch with the right people on campus for more information -- just contact us. |