/
What Are PHI and PII Identifiers

Click on the magnifying glass to the right. Starting typing a topic you wish to learn about

What Are PHI and PII Identifiers

Owned by Melanie Mansuy (Unlicensed)
Last updated: Apr 16, 2024 by Alyssa Hill
2 min read

Protected  Health Information (PHI)

According to the HIPAA Administrative Simplification Regulation Text1 The Privacy Rule regulates the way certain health care groups, organizations, or businesses, called covered entities under the Rule, handle the individually identifiable health information known as protected health information (PHI). Researchers should be aware of the Privacy Rule because it establishes the conditions under which covered entities can use or disclose PHI for many purposes, including for research. Although not all researchers will have to comply with the Privacy Rule, the manner in which the Rule protects PHI could affect certain aspects of research.

Here you will find the 18 items designated as PHI Identifiers:

  • Names

  • All geographic subdivisions smaller than a state, including street address, city, county, ZIP Code, and their equivalent geographical codes, except for the initial three digits of a ZIP Code if, according to the current publicly available data from the Bureau of the Census.

  • Dates. All elements of dates (except year) including birth date, admission date, discharge date, date of death, unless individual is >89 yrs.

  • Telephone numbers

  • Fax numbers

  • E-mail addresses

  • Social security numbers

  • Medical record numbers

  • Health plan beneficiary numbers

  • Account numbers

  • Certificate/license numbers

  • Vehicle identifiers and serial numbers, including license plate numbers

  • Device identifiers and serial numbers, including license plate numbers

  • Web universal resource locators (URLs)

  • Internet protocol (IP) address numbers

  • Biometric identifiers, including fingerprints and voice prints

  • Full-face photographic images and any comparable images

  • Any other unique identifying number, characteristic, or code, uness otherwise permitted by the Privacy Rule for re-identification

Also included in sensitive information for REDCap projects are Personally identifiable Information (PII.)

Personally Identifiable Information (PII)

The term “PII,” as defined in OMB Memorandum M-07-1616 refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. In performing this assessment, it is important for an agency to recognize that non-PII can become PII whenever additional information is made publicly available - in any medium and from any source - that, when combined with other available information, could be used to identify an individual.

https://www.gsa.gov/reference/gsa-privacy-program/rules-and-policies-protecting-pii-privacy-act