Information submitted through webforms within Web Open is stored unencrypted. Because of this, webforms are secure for collecting Personally Identifiable Information (PII), but not for collecting Sensitive Personally Identifiable Information (SPII), Protected Health Information (PHI) data, data covered by the Health Insurance Portability and Accountability Act (HIPAA), or Payment Card Industry (PCI) data.
Do not request the following on any forms:
- Social Security numbers
- Driver's license numbers
- Medical information
- Passport numbers
- Passwords
- Financial information of any kind
- Bank account information
- Routing numbers
- Credit card numbers
- Any SPII
The following information can be requested:
- A name, including the full name of the individual, their maiden name, and any alias they may use
- Email addresses and physical addresses such as street addresses, zip codes, and county
- Telephone and fax numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Information about an individual that is linked to their place of birth, date of birth, religion, activities, geographical indicators, or educational data
- Asset information, such as a MAC address or IP address, as well as other static identifiers that could consistently be linked to a particular person
- Device identifiers and serial numbers
Definitions
- Personally Identifiable Information (PII) has numerous official definitions, depending on what agency or state law/policy you read, but in general, it is defined as any information that can be used to identify an individual directly or indirectly, such as a name, email address, Social Security Number or IP address.
- Sensitive PII (SPII) is generally defined as any PII that if lost, stolen, or disclosed without authorization could result in significant harm to an individual.
- Protected Health Information (PHI) is a specific type of Sensitive PII that is collected by a healthcare provider or other covered entity for the provision of healthcare services. This information is protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which requires HIPAA-covered entities and their business associates to implement specific technical and operational safeguards to protect PHI.
Identification
The PII, Sensitive PII, and PHI identification charts below were compiled from information gathered from the Department of Homeland Security’s Handbook for Safeguarding Sensitive Personally Identifiable Information and the U.S. Department of Health and Human Services.
Personally Identifiable Information (PII)
- Home Address
- IP Address
- Name
- Phone Number
- Any other information that can uniquely identify someone
Sensitive PII (SPII)
Any PII Combined With the Following
- Account passwords
- Citizenship or immigration status
- Criminal history
- Date of Birth (DOB)
- Last 4 digits of the social security number (SSN)
- Mother's maiden name
- Ethnic or religious affiliation
- Medical information
- Personal financial information
- Sexual orientation
- Any other information which if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual
Stand Alone
- Alien registration number
- Biometric identifiers
- Credit card number
- Driver's license or state ID number
- Financial account number
- Passport number
- Social Security number (SSN)
Protected Health Information (PHI)
Health Information (physical, electronic, or spoken) + Identifier + collected by a HIPAA-Covered Entity or School or University or Employer or Business Associate of a HIPAA-Covered Entity + in relation to the provision of healthcare or payment for healthcare services.
Identifiers
- Account numbers
- Biometric identifiers (e.g., retinal scans, fingerprints)
- Certificate/license numbers
- Dates, except the year
- Device identifiers and serial numbers
- Email addresses
- Fax numbers
- Geographic data
- Full face photos and comparable images
- Internet protocol addresses
- Health plan beneficiary numbers
- Medical record numbers
- Names
- Social Security numbers
- Telephone numbers
- Vehicle identifiers and serial numbers including license plates
- Web URLs
- Any unique identifying number or code
Health Information
- Allergies
- Medications
- Family medical history
- Health histories
- Health records
- Lab test results
- Medical bills
- Past, present, and future health conditions or physical/mental health
- Prognosis
- Treatment/Rehabilitation plans
- X-rays
- Any other information about a person's health
HIPAA-Covered Entities
- Most health care providers - Doctors, Clinics, Psychologists, Dentists, Chiropractors, Nursing homes, Pharmacies
- Health insurance companies
- HMOs (Health Maintenance Organizations)
- Employer-sponsored health plans
- Government programs that pay for health care - such as Medicare, Medicaid, and military and veterans’ health programs
- Clearinghouses - organizations that process nonstandard health information to conform to standards for data content or format, or vice versa, on behalf of other organizations
Business Associates of HIPAA-Covered Entities
- Data analysis, storage, and transmission services
- Legal and accounting services
- Billing and benefit management services
- Actuarial and claims processing services
- Any other businesses that perform activities that require them to have access to patient health information in order to provide services for or on behalf of health industry entities
Web Open Webforms Disclaimer
Disclaimer: The information to be submitted on this form will be sent via email and stored in the database unencrypted. To protect sensitive information and comply with applicable data security requirements, do not request the following information on this form: Social Security numbers, driver's license numbers, medical information, passport numbers, passwords, or financial information of any kind, including, without limitation, bank account information, routing numbers, credit card number. If you intend to collect sensitive information, please reach out to your account manager to discuss CivicPlus's secure form offerings.
IN ORDER TO MAINTAIN COMPLIANCE WITH DATA SECURITY REQUIREMENTS, CIVICPLUS MAY, AT ANY TIME AND IN ITS SOLE DISCRETION, UNPUBLISH ANY FORM THAT SOLICITS SENSITIVE INFORMATION WITH OR WITHOUT NOTICE TO YOU.