The Difference Between PII and PHI

Ryan Stephens
difference-between-pii-and-phi

The term PII (Personally Identifiable Information) and PHI (Protected Health Information) are often used interchangeably in healthcare, but are also often a source of confusion for many organizations that are seeking to comply with HIPAA. But what is the difference between PII and PHI? This article will explore the differences between PII and PHI and why is it important to know the difference.

The federal law HIPAA mandates that organizations identify PII and PHI and handle them with the utmost confidentiality. Releasing these types of information without authorization could lead to severe repercussions for the organization responsible for safeguarding the information, as well as the individual whose information is compromised. Given the importance of PII and PHI, the HIPAA law dictates more safe and efficient usage of this information. To keep this information safe, the first step is to understand the difference between PII and PHI, and how important it can be.

Personally Identifiable Information (PII)

PII which is the acronym for personally identifiable information is any data that can be used to identify, contact, or locate an individual, either alone or combined with other easily accessible sources. It includes information, such as financial, medical, educational, or employment records – all of which can be linked to an individual. Types of information that can be used to identify an individual include name, fingerprints, email address, social security number, contact number, or other unique biometric data. 

Although legally selling and collecting PII is a profitable business, it can also be used by criminals or malicious individuals who want to misuse this information or commit identity theft. In determining whether or not PII is sensitive, and therefore is subject to HIPAA laws, it is important to consider the context in which the information is given. For example, a list of names of subscribers to a newsletter is not PII, but a list of people receiving medical services is. To get a better understanding of PII, here are more examples:

  • Personal identification numbers, such as credit card numbers, passport numbers, driver’s license number, patient identification number, social security number, etc.
  • MAC or IP addresses, including other static identification numbers that can be used to link a particular individual.
  • Address information such as street number, email address, or telephone number for personal or business use.
  • Biometric identifiers, such as fingerprints, x-rays, iris patterns, or geometry of the face.
  • Personal information about the individual, such as date of birth, place of birth, religion, activities, educational, financial, medical data, or geographical indicators.

Under certain circumstances, one or two pieces of information can be used together with other easily accessible information to compromise someone’s identity, even if the individual information itself is harmless.

Protected Health Information (PHI)

By legal definition, the difference between PII and PHI is that PHI is a subset of PII in which health-related information or medical records can be used to identify an individual. Under the HIPAA law, covered entities and business associates are required to adopt certain security regulations to protect PHI. In simpler terms, PHI is any individually identifiable healthcare information, created or received by health providers, health plan operators, or healthcare clearinghouses. PHI might contain the past, present, or future health condition, either in physical or mental terms. Generally, PHI can be used to identify a particular individual in regard to data that is either stored or transmitted in any given form, including oral, written, or electronic. 

However, PHI does not refer to educational records nor employment records which are maintained by a covered entity as that entity’s role as an individual’s employer. Very similar to PII, PHI includes the following:

  • Name
  • All dates that are directly linked to an individual, such as date of birth, date, administration, and discharge
  • Mobile, fax, and telephone numbers
  • Geographic subdivisions such as zip codes, street numbers, county, and email addresses.
  • Health plan beneficiary and medical record numbers.
  • Account or certificate numbers.
  • Vehicle identification and Social Security numbers.
  • Biometric identifiers, such as fingerprints or voice.
  • Full face photographs or other recognizable features.
  • Unique code-based or characteristics numbers.

Protect sensitive data by ensuring compliance

Even if under certain circumstances, PII is not considered sensitive, it does not mean it can be publicly disclosed. Whether it’s PII or PHI, protecting your customer’s information can not only benefit your business, but it will also help you avoid costly fines. In the healthcare industry, leaving PHI unattended could mean a HIPAA violation and result in severe financial consequences. This is why HIPAA compliance is crucial for your business.

By implementing appropriate physical, technical, and administrative safeguards, you will be able to protect sensitive information from external as well as internal threats. To make sure your practice is HIPAA compliant, you make use of our robust HIPAA compliance software – HIPAA Ready

This robust software application combines all compliance management modules into a single centralized platform and will let you streamline your regulatory compliance efforts. Are you HIPAA Ready yet? Leave a comment to know more.

cloudapper footer