Anonymized Data Previously identifiable data (indirectly or individually identifiable) that have been de-identified and for which a code or other link no longer exists. An investigator has NO means for linking anonymized data back to a specific subject.
Anonymous Data Data that were collected without identifiers and that were never linked to an individual. Coded data are not anonymous. See also de-identified data.
Clinical Trial A research study in which one or more human subjects are prospectively assigned to one or more interventions (which may include placebo or other control) to evaluate the effects of the interventions on biomedical or behavioral health-related outcomes. 
Coded Data are separated from personal identifiers through use of a code. As long as a link exists, data are considered indirectly identifiable and not anonymous, anonymized or de-identified.
Common Rule

The Federal Policy for the Protection of Human Subjects or the “Common Rule” was published in 1991 and codified in separate regulations by 15 Federal departments and agencies. The Health and Human Services (HHS) regulations, 45 CFR Part 46, include four subparts:

  • subpart A, also known as the Federal Policy or the “Common Rule”;
  • subpart B, additional protections for pregnant women, human fetuses, and neonates;
  • subpart C, additional protections for prisoners; and
  • subpart D, additional protections for children.

See the HHS website for more information.


Confidentiality refers to the researcher’s plan to handle, manage and disseminate the participant’s identifiable private information. Researchers should only collect identifiable information when needed (see minimum necessary).

Investigators should ensure that information is not made available or disclosed to unauthorized individuals, entities or processes. Protection of confidentiality is an ethical standard of the health professions.


The voluntary agreement of an individual or their legally authorized representative (informed and competent) for participation in a study.

See IRB consent guidance for more information on the consent process and documentation of informed consent.

Covered Entity Refers to three types of entities that must comply with the HIPAA Privacy Rule: health care providers; health plans; and health care clearinghouses. For purposes of the HIPAA Privacy Rule, health care providers include hospitals, physicians, and other caregivers, as well as researchers who provide health care and receive, access or generate individually identifiable health care information.
Data Use Agreement An agreement between the investigator (recipient) and the covered entity that the investigator will protect the protected health information in a Limited Data Set and use it for the agreed upon purposes.
De-identified Data

A record in which identifying information is removed.

Under the HIPAA Privacy Rule, data are de-identified if either:

  1. an experienced expert determines that the risk that certain information could be used to identify an individual is "very small" and documents and justifies the determination, or
  2. the data do not include any of the 18 identifiers (of the individual or his/her relatives, household members, or employers) which could be used alone or in combination with other information to identify the subject. Note that even if these identifiers are removed, the Privacy Rule states that information will be considered identifiable if the covered entity knows that the identity of the person may still be determined.
Directly Identifiable Any information that includes personal identifiers. To determine what data may be considered identifiable, please see items that must be removed under the HIPAA Privacy Rule's definition of de-identified.
Department or agency head The head of any Federal department or agency, for example, the Secretary of HHS, and any other officer or employee of any Federal department or agency to whom the authority provided by these regulations to the department or agency head has been delegated. 
Disclosure The release, transfer, provision of access to, or divulging in any other manner of protected health information outside the entity holding the information. Requires a specific authorization under HIPAA except if disclosure is related to the provision of health care, payment or operations of the entity responsible for the PHI or under a limited set of other circumstances, as for public health purposes.
Federal department or agency Refers to a federal department or agency (the department or agency itself rather than its bureaus, offices or divisions) that takes appropriate administrative action to make this policy applicable to the research involving human subjects it conducts, supports, or otherwise regulates (e.g., the U.S. Department of Health and Human Services, the U.S. Department of Defense, or the Central Intelligence Agency).
Health Information Any information, whether oral or recorded in any form or medium, that: (1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
HIPAA The Health Insurance Portability and Accountability Act of 1996. The HIPAA section of this site has more information.
Human Subject

Human subject means a living individual about whom an investigator (whether professional or student) conducting research:

(1) Obtains information or biospecimens through intervention or interaction with the individual, and uses, studies, or analyzes the information or biospecimens; or
(2) Obtains, uses, studies, analyzes, or generates identifiable private information or identifiable biospecimens. 


Identifiable biospecimen A biospecimen for which the identity of the subject is or may be established by the investigator or associated with the biospecimen.
Identifiable private information Private information for which the identity of the subject is or may be established by the investigator or associated with the information.
Indirectly Identifiable Data that do not include personal identifiers, but link the identifying information to the data through use of a code. These data are still considered identifiable by the Common Rule. To determine what data may be considered identifiable, please see de-identified.
Individually Identifiable

Any information that includes personal identifiers (18 HIPAA Identifiers or any subset of health information that identifies the individual or can reasonably be used to identify the individual).

Institution Any public or private entity, or department or agency (including federal, state, and other agencies).
Institutional Review Board (IRB)

An IRB is chartered under the Common Rule to protect human research subjects. The IRB at UCSF also serves as the HIPAA Privacy Board.

Limited Data Set

A set of data in which most of the protected health information has been removed. The following identifiers of the individual or of the individual’s relatives, employers or household members must be removed:

1. Names;
2. Addresses, other than town or city, state, and zip code;
3. Telephone numbers;
4. Fax numbers;
5. Electronic mail addresses;
6. Social security numbers;
7. Medical record numbers;
8. Health plan beneficiary numbers;
9. Account numbers;
10. Certificate / license numbers;
11. Vehicle identifiers and serial numbers (including license plate numbers);
12. Device identifiers and serial numbers;
13. Web Universal Resource Locators (URLs);
14. Internet Protocol (IP) address numbers;
15. Biometric identifiers, including finger and voice prints; and
16. Full face photographic images and any comparable images.


See coded.

Minimal Risk

The probability and magnitude of harm or discomfort anticipated in the research are not greater in and of themselves than those ordinarily encountered in daily life or during the performance of routine physical or psychological examinations or tests.

Minimum Necessary

A HIPAA Privacy Rule standard requiring that when protected health information is used or disclosed, only the information that is needed for the immediate use or disclosure should be made available by the health care provider or other covered entity.

This standard does not apply to uses and disclosures for treatment purposes (so as not to interfere with treatment) or to uses and disclosures that an individual has authorized, among other limited exceptions. Justification regarding what constitutes the minimum necessary will be required in some situations (e.g., disclosures with a waiver of authorization and non-routine disclosures).

Need to Know A security principle stating that a user should have access only to the data needed to perform a particular function.

Privacy concerns people, whereas confidentiality concerns data. Privacy refers to a person’s wish to control the access of others to themselves.

Privacy Rule

The HIPAA regulations that protect the privacy of health information.

Private Information Information about behavior that occurs in a context in which an individual can reasonably expect that no observation or recording is taking place, and information that has been provided for specific purposes by an individual and that the individual can reasonably expect will not be made public (e.g., a medical record).
Protected Health Information (PHI)

Protected health information (PHI) is any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment.

See the IRB's HIPAA guidance for more information about what is PHI and what is not PHI.

Here is the list of 18 identifiers under HIPAA:

  1. Names;
  2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; or (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
  4. Phone numbers;
  5. Fax numbers;
  6. Electronic mail addresses;
  7. Social Security numbers;
  8. Medical record numbers;
  9. Health plan beneficiary numbers;
  10. Account numbers;
  11. Certificate/license numbers;
  12. Vehicle identifiers and serial numbers, including license plate numbers;
  13. Device identifiers and serial numbers;
  14. Web Universal Resource Locators (URLs);
  15. Internet Protocol (IP) address numbers;
  16. Biometric identifiers, including finger and voice prints;
  17. Full face photographic images and any comparable images; and
  18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)
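
As an added example (not part of the original glossary or of any IRB tooling), the sketch below applies the generalization rules in identifiers 2 and 3 above to a single record. The function names, the record's field names and the population table are assumptions made for illustration; real 3-digit ZIP populations must come from current Census Bureau data, and the remaining identifiers still have to be removed outright.

```python
from datetime import date

# Constructed sample: population per 3-digit ZIP prefix (illustrative values,
# not Census figures). A real table comes from current Census Bureau data.
ZIP3_POPULATION = {"941": 850_000, "036": 12_000}


def generalize_zip(zip_code, zip3_population=ZIP3_POPULATION):
    """Identifier 2: keep the first three digits only when the combined area
    has more than 20,000 people; otherwise (or if unknown) return "000"."""
    prefix = zip_code.strip()[:3]
    known = len(prefix) == 3 and prefix.isdigit()
    if known and zip3_population.get(prefix, 0) > 20_000:
        return prefix
    return "000"


def age_on(birth, when):
    """Whole years between birth and when."""
    years = when.year - birth.year
    if (when.month, when.day) < (birth.month, birth.day):
        years -= 1  # birthday not yet reached in that year
    return years


def generalize_record(record, as_of):
    """Identifiers 2 and 3: return a copy with ZIP and dates generalized.
    The record's field names are hypothetical."""
    over_89 = age_on(record["birth_date"], as_of) > 89
    return {
        "zip3": generalize_zip(record["zip"]),
        # Ages over 89 collapse into the single category "90+".
        "age": "90+" if over_89 else age_on(record["birth_date"], as_of),
        # A birth year that would reveal an age over 89 is dropped as well.
        "birth_year": None if over_89 else record["birth_date"].year,
        # Only the year of a date tied to the individual is kept.
        "admission_year": record["admission_date"].year,
        "diagnosis": record["diagnosis"],
    }


if __name__ == "__main__":
    sample = {  # constructed record
        "zip": "03601", "birth_date": date(1930, 5, 1),
        "admission_date": date(2023, 3, 14), "diagnosis": "J45.909",
    }
    print(generalize_record(sample, as_of=date(2023, 9, 27)))
```

Treating an unknown or malformed ZIP prefix as "000" keeps the function failing closed when the population table is incomplete.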
Public health authority An agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, an Indian tribe, or a foreign government, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.
Research A systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge.
Written (or "in writing") For purposes of the Common Rule, refers to writing on a tangible medium (e.g., paper) or in an electronic format.

Last updated: September 27, 2023