Frequently Asked Questions

  • What are best data practices?

    • Please refer to the Data Broker’s Data Handling Guidelines page.
    • Please refer to the Telecommuting and Remote Work Guidelines page for guidance on working remotely.

  • What is Protected Health Information (PHI)?

    • Protected health information (PHI) is individually identifiable information relating to the past, present, or future health status of an individual that is created, collected, transmitted, or maintained by a covered entity (CE) in relation to the provision of healthcare, payment for healthcare services, or use in healthcare operations. Information is only considered PHI when an individual can be identified from the information AND there is associated health-related information.
    • A covered entity (CE) is an organization that has to comply with HIPAA (Health Insurance Portability and Accountability Act). Examples of covered entities include health care providers and health plans that engage in standard health care electronic transactions. The University of Miami is a Hybrid Covered Entity because, in addition to providing health care at its medical facilities (CE component), it also has other organizational activities such as education and research (non-CE component).

  • What is Personally Identifiable Information (PII)?

    Privacy laws across the world govern the collection, use and disclosure of Personally Identifiable Information, or PII for short. In general terms, PII is any information that could be used to identify a specific person. University policies, contractual obligations, and federal and state laws and regulations require appropriate protection of PII that is not publicly available.

    PII includes:
    “Any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”

    Examples of PII include, but are not limited to:

    • Name: full name, maiden name, mother’s maiden name, or alias
    • Personal identification numbers: social security number (SSN), passport number, driver’s license number, taxpayer identification number, patient identification number, financial account number, or credit card number
    • Personal address information: street address, or email address
    • Personal telephone numbers
    • Personal characteristics: photographic images (particularly of face or other identifying characteristics), fingerprints, or handwriting
    • Biometric data: retina scans, voice signatures, or facial geometry
    • Information identifying personally owned property: vehicle identification number (VIN) or title number
    • Asset information: Internet Protocol (IP) or Media Access Control (MAC) addresses that consistently link to a particular person

    The following examples, on their own, do not constitute PII as more than one person could share these traits. However, when linked or linkable to one of the above examples, the following could be used to identify a specific person:

    • Date of birth
    • Place of birth
    • Business telephone number
    • Business mailing or email address
    • Race
    • Religion
    • Geographical indicators
    • Employment information
    • Medical information
    • Education information
    • Financial information

    General Data Protection Regulation (GDPR) Definition of Personal Data

    GDPR is a law that protects the privacy rights of residents of the European Union. This law defines “personal data” as any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 

    Under GDPR the following categories are considered sensitive, i.e., subject to more stringent protection requirements:

    • personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs
    • trade-union membership
    • genetic data, biometric data processed solely to identify a human being
    • health-related data
    • data concerning a person’s sex life or sexual orientation.

    Florida Information Protection Act

    Personal information means either of the following:

    • An individual's first name or first initial and last name in combination with:
      • A social security number
      • A driver's license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity
      • A financial account number or credit card or debit card number, in combination with any required security code, access code or password that is necessary to access the individual's financial account
      • Any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional
      • An individual's health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual
    • A username or email address, in combination with a password or security question and answer that would permit access to an online account

  • What are the direct/indirect identifiers related to PHI?

    1. Names
    2. All geographical subdivisions smaller than a State, usually except for the initial three digits of a zip code
    3. All elements of dates except year
    4. Phone numbers
    5. Fax numbers
    6. Electronic mail addresses
    7. Social Security numbers
    8. Medical record numbers
    9. Health plan beneficiary numbers
    10. Account numbers
    11. Certificate/license numbers
    12. Vehicle identifiers and serial numbers, including license plate numbers
    13. Device identifiers and serial numbers
    14. Web Universal Resource Locators (URLs)
    15. Internet Protocol (IP) address numbers
    16. Biometric identifiers, including finger and voice prints
    17. Full face photographic images and any comparable images
    18. Any other unique identifying number, characteristic, or code

  • What is a limited data set?

    A “limited data set” is information from which certain identifiers have been removed. Specifically, all the following identifiers must be removed for health information to be considered a “limited data set”:

    1. Names
    2. street addresses (other than town, city, state and zip code)
    3. telephone numbers
    4. fax numbers
    5. email addresses
    6. Social Security numbers
    7. medical records numbers
    8. health plan beneficiary numbers
    9. account numbers
    10. certificate/license numbers
    11. vehicle identifiers and serial numbers, including license plates
    12. device identifiers and serial numbers
    13. URLs
    14. IP address numbers
    15. biometric identifiers
    16. full face photos (or comparable images)

    Identifiable information allowed includes:
    • dates (e.g., admission, discharge, service, date of birth, date of death)
    • city, state, zip code (five digits or more)
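To make the two identifier lists above concrete, here is an added example (not code from the Data Broker FAQ or the University) that reduces a record to a limited data set as the FAQ describes it, and, in a stricter mode, to a Safe Harbor-style record using the date and ZIP rules from the PHI identifier list. The column names and the sample record are assumptions; a real export needs its own field mapping.

```python
"""Added example, not part of the Data Broker FAQ: reduce a patient record to
the "limited data set" described above, or to a stricter Safe Harbor-style
record (year-only dates, three-digit ZIP, no city). Field names are assumed."""
import re

# Items 1-16 of the FAQ's limited data set list, as assumed column names.
LIMITED_DATA_SET_REMOVE = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vin",
    "license_plate", "device_serial", "url", "ip_address", "biometric", "photo",
}
# Fields the FAQ says a limited data set may keep: dates and city/state/ZIP.
DATE_FIELDS = {"dob", "dod", "admission_date", "discharge_date", "service_date"}

# Constructed sample record; no real patient data.
SAMPLE = {
    "name": "Jane Example", "mrn": "MRN-000001", "ssn": "000-00-0000",
    "email": "jane@example.invalid", "dob": "1980-04-12",
    "admission_date": "2023-09-30", "city": "Miami", "state": "FL",
    "zip": "33136", "diagnosis_code": "E11.9",
}


def to_limited_data_set(record: dict) -> dict:
    """Drop the 16 listed identifiers; keep dates and city/state/ZIP (5+ digits)."""
    kept = {k: v for k, v in record.items() if k not in LIMITED_DATA_SET_REMOVE}
    if "zip" in kept and not re.fullmatch(r"\d{5}(-\d{4})?", str(kept["zip"])):
        del kept["zip"]  # not a 5-digit (or ZIP+4) code: drop rather than guess
    return kept


def to_safe_harbor(record: dict) -> dict:
    """Stricter output per the PHI identifier list: year only for dates, ZIP cut
    to three digits, city removed as a subdivision smaller than a state. The
    FAQ's "usually" hints at ZIP-prefix exceptions this example does not model."""
    out = to_limited_data_set(record)
    for field in list(out):
        if field in DATE_FIELDS and out[field]:
            out[field] = str(out[field])[:4]   # 'YYYY-MM-DD' -> 'YYYY'
        elif field == "zip":
            out[field] = str(out[field])[:3]
        elif field == "city":
            del out[field]
    return out


if __name__ == "__main__":
    print(to_limited_data_set(SAMPLE))
    print(to_safe_harbor(SAMPLE))
```

Item 18 of the PHI list ("any other unique identifying number, characteristic, or code") cannot be handled by a fixed column list; free-text fields still need a separate review before release.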

  • What is Attachment 45? - Accounting for Disclosure

    For research requests, as per record keeping requirements, any disclosure made pursuant to an IRB waiver requires accounting for disclosure. You must prepare and submit to the UHealth Privacy Office a record of disclosure for each disclosure of patient information under a waiver of authorization by using the HIPAA Accounting for Disclosures form (HIPAA Attachment 45) located on the HSRO HIPAA page.

    • The electronic file should be emailed to privacy@med.miami.edu with “Study # Spreadsheet File” as the subject.
      • For more than 50 individuals, you may complete one Accounting for Disclosure form together with a spreadsheet listing each subject’s first and last name, DOB, and MRN, the study number, and the name of the study PI.

  • How to cite Data Broker services in papers, posters, presentations, etc.

    “Assistance with facilitating clinical data collection provided by the Data Broker group of the University of Miami’s Office of the Vice Provost for Research + Scholarship.”

  • What is Safe Harbor Method for De-Identified Data?
  • What are the Privacy By Design Requirements?