First off, good work! It is always nice to help people deal with these (sick and badly thought-out) platforms.
Anyhow, you should also check whether a "tessera sanitaria" is considered PHI, since it includes the "codice fiscale" (and if I recall correctly, it is often used in "fascicoli sanitari" to identify an individual).
I'm not aware of how things work in the US, but...
Surely if you are only handling Names and DOB you don't have to be HIPAA compliant?
I mean, if you have to be HIPAA compliant (your application is medical-adjacent and/or is also handling other bits of data besides Name and DOB), then by correlating the DOB (or name) with the rest of the data, health information could be leaked, and thus you want to protect Name+DOB with the HIPAA standards (even just the fact that a certain name uses a certain app/is inside a certain system might be sensitive).
But otherwise... almost every system under the sun is ingesting name+DOB.
(there's a case to be made that the system described in the post is a medical app... but again: different jurisdiction)
Yeah I think it only really matters if you are trying to be HIPAA compliant, like you said, because you’re also dealing with other health information about people.
I'm not a lawyer but "codice fiscale" is not PHI. The Italian Data Protection Authority puts codice fiscale under PII[0] and it's not mentioned in the PHI section[1,2,3,4].
[0] https://www.garanteprivacy.it/home/diritti/cosa-intendiamo-p...
[1] https://www.garanteprivacy.it/temi/dati-sanitari
[2] https://www.garanteprivacy.it/faq/fascicolo-sanitario
[3] https://www.garanteprivacy.it/faq/referti-online
[4] https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb...
[edit: formatting]