The following are considered identifiers in the US HIPAA document – this can serve as a guideline:
- Postal address information, other than town or city, state, and ZIP Code (or Postal Code in Canada).
- Telephone numbers.
- Fax numbers.
- E-mail addresses.
- Social security numbers (or Social Insurance Numbers in Canada).
- Medical record numbers.
- Health plan beneficiary numbers.
- Account numbers.
- Certificate/license numbers.
- Vehicle identifiers and serial numbers, including license plate numbers.
- Device identifiers and serial numbers.
- Web universal resource locators (URLs).
- Internet protocol (IP) address numbers.
- Biometric identifiers, including fingerprints and voiceprints.
- Full-face photographic images and any comparable images.
Inadvertent Data Linkage
One of the roles of the REB is to assist the researcher in ensuring that data is sufficiently de-identified to ensure that inadvertent linkage cannot occur. The following can also be identifiers in certain situations:
- Date of Birth
- First three digits of the postal code.
The determination of when and if data are sufficiently de-identified must be decided on a case-by-case basis, since the decision is so context dependent. Note that these lists are not exhaustive; other information may be considered identifiable in some circumstances. If you have any further questions about whether your data is identifiable, contact the Research Ethics office.
When de-identifying data, care must be taken to remove both direct identifiers and indirect identifiers. Considerations include:
- The size participant pool from which the data were collected. Will the de-identified data still be identifiable by someone in the same community as the participant?
- The cultural divide between researcher and participants. Are there indirect identifiers which would not be apparent to the researcher, but would be to the individual who shared the same cultural background as the participants?