PII/PHI Data Handling and Storage Tips
Personally Identifiable Information (PII)
Midwestern State University is responsible for the confidentiality and integrity of their data under existing federal and state legislation. Included in this document are some “best practices” for those handling Personal Identifiable Information (PII). PII as defined by Texas Business and Commerce Code Title 11, Subtitle B, Chapter 521 but is not limited to:
- Social Security Numbers (SSNs)
- Driver’s License or State Identification Number
- Protected Health Information – including immunization information, FMLA information
- Financial Account Number – including credit/debit card
PII does not include publicly available directories containing information an individual has voluntarily consented to have publically disseminated or listed, including name, address, and telephone number and does not include information made lawfully available to the general public from federal, state, or local government records.
The following recommendations have been compiled to assist you in keeping University PII secure. Please follow these simple rules.
- If you don’t need it, don’t store it o Many offices retain forms of PII “just because”. Review your processes and data retention policies. If you don’t need it, don’t keep it!
- Secure your computer o When leaving your office for any length of time, no matter how short, always lock your computer by pressing the Ctrl, Alt, and Delete keys simultaneously and select “Lock this computer” from the menu and press Enter
- Use a password protected screen saver
- Do not remove or alter your computer’s antivirus application settings
- Delete files from ALL locations (hard drive and network drive) when no longer valid o Do not hold on to old queried or reports that contain personal information o Empty your computer’s recycle bin and clear temporary file folders regularly
- Never save or store files containing PII to the Z: drive
- Never share your user name and password with colleagues or students
- Avoid emailing sensitive files
- Avoid saving files that contain PII on CDs, DVDs, portable devices, etc.
REMEMBER: It is every user’s responsibility to protect data and to treat other people’s information as if it was your own. Disclosure of PII can be used to steal identities, disrupt University operations and damage MSU’s reputation.
For purposes of data governance, personally identifiable information (PII) is defined as follows:
Any instance of an individual’s first name (or first initial) plus the last name and any one or more of the
following:
- Social Security number
- Driver license or state-issued ID number
- Military ID number
- Passport number
- Credit card (or debit card) number, CVV2, and
expiration date - Financial account numbers (with or without
access codes or passwords) - Customer account numbers
- Unlisted telephone numbers
- Date or place of birth
- Mother’s maiden name
- PINs or passwords
- Password challenge question responses
- Account balances or histories
- Wage & salary information
- Tax filing status
- Biometric data that can be used to identify an
- individual, including finger or voice prints
- Digital or physical copies of handwritten
signature - E-mail addresses
- Medical record numbers
- Vehicle identifiers and serial numbers,
including license plate numbers - Medical histories
- National or ethnic origin
- Religious affiliation(s)
- Physical characteristics (height, weight, hair
color, eye color, etc.) - Insurance policy numbers
- Credit or payment history data
- Full face photographic images and any
comparable images - Certificate/license numbers
- Internet Protocol (IP) address numbers
In general, personally identifiable information does not include information that is lawfully obtained from publicly available records, or from federal, state or local government records lawfully made
available to the general public.
Sourced from:
- Gramm-Leach-Bliley Act (GLBA or Financial Services Modernization Act of 1999)
- The Fair and Accurate Credit Transactions Act of 2003 (FACTA)
- Payment Card Industry – Data Security Standards v2.0 (PCI-DSS)
- The Health Insurance Portability & Accountability Act (HIPAA)
- The Personal Information Protection & Electronic Documents Act (Canada)
- Massachusetts 201 CMR 17
- California SB1386
- National Institute of Standards & Technology (NIST) Computer Security Standards
- Federal Law on the Protection of Personal Data Help by Private Parties (Mexico)
- RAC Information Security Policy
Protected Health Information (PHI)
PHI, as defined by HIPAA (US & Puerto Rico only)
List of 18 identifiers:
- Names
- All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
- Phone numbers
- Fax numbers
- Electronic mail addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints;
- Full face photographic images and any comparable images; and
- Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)