PII vs PHI: What are the Key Differences?


It is crucial for your business to understand the differences between Personally Identifiable Information (PII) and Protected Health Information (PHI). Understanding the difference between PII and PHI will help you successfully navigate data protection regulations and achieve compliance.

This article explains the different categories of data, which category PII and PHI each fall into, and how to fulfill your responsibilities as a data processor.

We will explain both of these terms in detail, their specific differences and similarities, and how to ensure you keep PII and PHI safe.

Let’s get started.

Key Takeaways

  • Personally Identifiable Information (PII) is any information that links to a consumer’s identity. Protected Health Information (PHI) is health information specified by the 18 identifiers in the HIPAA Privacy Rule.
  • PII and PHI require explicit consent before collection, and businesses must provide consumers with specific rights over their information. However, PII has a much broader scope of personal information and is governed by different regulations, such as the GDPR and CCPA.
  • To ensure your business protects PII and PHI effectively, you can begin a compliance training program, utilize data encryption, create a data breach response plan, perform regular audits, and contact compliance professionals like Captain Compliance.

What is PII?

Nick Henderson-Mayo, director of learning at Vinciworks, says:

"Personally Identifiable Information (PII) is the standard American term for personal data, meaning information which can be used to identify or trace a person’s identity."

Major data protection regulations, such as the GDPR, legally enforce standards businesses must uphold when collecting and processing PII.

PII can be divided into two sections that separate information based on its perceived importance. The two sections of PII are sensitive and non-sensitive data. Sensitive PII is defined as information that could harm a consumer if exposed.

Some examples of sensitive PII are:

  • Social Security Number
  • Financial Information
  • Health Information
  • Criminal Records
  • Biometrics

On the other hand, non-sensitive PII is a broader category of information that includes any data that links to a particular consumer. Your business still needs to protect non-sensitive PII, but it is not considered harmful if exposed.

Some examples of non-sensitive PII are:

  • Email
  • Phone number
  • Birthday
  • Zip code
  • Name

What is PHI?

Nick Henderson-Mayo says:

"Protected Health Information (PHI) is the American term for any health information outlined in HIPAA, which is the Federal Health Insurance Portability and Accountability Act 1996 in the United States. HIPAA defines 18 elements of personal health information, any one of which is considered PHI and protected by federal law.

This includes information relating to a person’s past, present and future health, the provision of healthcare to them, or information regarding payment for healthcare up to 50 years following their date of death."

The 18 identifiers used to classify PHI are listed in the HIPAA Privacy Rule as follows:

  1. Names
  2. Geographic identifiers more specific than a state (Address, ZIP code, County/City)
  3. Dates of any healthcare records (Birthday, Admission/Discharge dates, Death dates)
  4. Phone number
  5. Fax number
  6. Email
  7. Social Security number
  8. Medical record number
  9. Health plan beneficiary number
  10. Account numbers
  11. Certificate or license numbers
  12. Vehicle identification number or license plate number
  13. Device identification number
  14. Website URLs
  15. IP address
  16. Biometric identification
  17. Photos of the entire face
  18. Any other identifying number, code, photo, or piece of information

Differences Between PII vs PHI

PII and PHI cover a wide range of information. However, your business must understand the difference between both kinds of personal information. These fundamental differences are essential in HIPAA compliance and adequately handling and protecting health information.


PII (Personally Identifiable Information) refers to the information that can directly or indirectly identify a person. It includes data like name, social security number, email address, date of birth, and residential address.

PHI (Protected Health Information), on the other hand, is detailed personal health-related information protected by HIPAA regulations in the US. PHI is a subset of PII.


Given that PII has a broader definition and contains many different personal and health information types, its scope is more expansive than PHI. PHI is limited to only the 18 identifiers listed in the HIPAA privacy rule.

The difference in scope means your business must regularly determine whether the PII you collect falls under the narrower scope of PHI. You could face significant fines if your business fails to make the distinction and does not follow HIPAA data privacy requirements.

Applicable Regulations

One of the significant differences between PII and PHI is the data protection law that applies to each kind of information. PII is protected by more prominent, all-encompassing regulations such as the GDPR and CCPA.

However, PHI is specifically defined by HIPAA and, as such, is regulated by HIPAA’s requirements and standards.


Although both PII and PHI refer to personal data that needs safeguarding, the level of sensitivity differs. Due to its detailed health-related information, the unauthorized disclosure or misuse of PHI can have more significant implications.

This means businesses must ensure even stronger protections for this type of data compared with other forms of PII.

However, although PII is not as highly classified as PHI, any breach involving PII also carries strict regulatory compliance penalties, since a person's identity could be stolen, with potentially severe consequences for that individual’s physical safety or financial well-being.

Security Measures

The final major difference is the distinct security requirements for businesses that handle PII versus PHI. HIPAA requires that your business report any data breach to the United States Department of Health and Human Services (HHS) and local authorities within 60 days.

HIPAA may also require your business to inform local media, depending on the scale of the data breach. You must also notify all consumers whose information was exposed during the breach.

HIPAA has strict data protection standards for your business to follow to prevent breaches and adequately protect consumers’ health information. This might involve advanced encryption methods, additional access controls, and enhanced security protocols when it comes to sharing and transmitting such sensitive healthcare information.

On the other hand, breaches involving PII data have varying security requirements depending on whether the PII is sensitive or non-sensitive.

Data protection laws like the GDPR have specific requirements for reporting data breaches, but depending on the information, response requirements may vary by country.

Similarities Between PII vs PHI

Personally identifiable information and protected health information are two distinct categories of data. However, they share similarities in the data protection standards that regulations and laws require for businesses’ compliance. Here are the primary similarities between PII and PHI:

Consent Requirement

When your business collects either PII or PHI from a consumer, you are required to obtain explicit consent first. Consent is a major part of compliance with regulations like the GDPR.

There are also specific rules regarding the consent form you provide to consumers. For example, when requesting consent, your business must be transparent about the information you collect and why.

Data Subject Rights

The next similarity is the rights that consumers have over their information. Several data protection laws include data subject rights that your business must offer consumers to achieve corporate compliance.

These rights apply to both PII and PHI, although under different regulations. Some examples of rights that consumers have over their personal information and health information are:

  • Right to Access
  • Right to Correct
  • Right to Delete
  • etc.

Risk Assessments

Both PII and PHI contain sensitive data that businesses must protect according to relevant compliance standards. These standards include regular risk assessments.

Risk assessments examine a business’s systems to identify areas that have potential weaknesses and are susceptible to a data breach.

Upon identifying these weak points, businesses can take preventative measures and strengthen their system to effectively protect consumers’ PII or PHI.

At Captain Compliance, our complete list of compliance services includes risk assessments to ensure your business’s security meets all regulations.

Proper Disposal Practices

The final similarity between PII and PHI is that once a business has finished using a consumer’s personal information, it must follow proper data disposal methods to delete it from its system.

Relevant laws and regulations dictate specific methods for data disposal necessary to prevent unauthorized access or use of sensitive information. This ensures that once PII or PHI has served its purpose, these details cannot be traced back.

These practices include strategies such as shredding paper documents containing personal or health records once they are no longer in active use, permanently destroying electronic media that stored such data so that it is beyond repair or recovery, and more.

Negligence towards proper disposal could potentially lead to breaches causing legal trouble and severely damaging a company’s reputation.

How Do You Ensure PII & PHI Remain Safe?

When your business processes personally identifiable information or health information, it is vital to have adequate security measures in place. You must follow regulations to protect consumers’ data, and you could also face legal backlash if it is exposed in a breach.

Our comprehensive list of steps your business can follow to ensure your consumers’ PII and PHI remain safe is below:

Compliance Training

A great way to protect your consumers’ information is by creating a positive work environment that prioritizes the safety and security of data. Your business should create a compliance training plan that includes employees from every department.

Compliance training will educate employees about regulations and laws that affect their specific work. When they meet the particular requirements of these laws, it dramatically reduces the risk of non-compliance and creates a business-wide standard of data security.

Data Encryption

Data encryption effectively increases your business’s data security and reduces the risk of exposing your consumers’ PII and PHI. Encryption creates an additional layer of protection that will ensure your compliance, improve your reputation, and gain consumers’ trust.

Data Breach Response Plan

While your business must take as many preventative measures as possible, you also need an effective response plan in case of a data breach.

Many data protection laws have precise requirements about who you report to and when you must report a breach.

A data breach response plan will improve your business’s ability to react to a breach. When you have a set protocol that meets regulation standards, you waste no time figuring out what to do, and a swift response is always more effective.

Regular Audits & Risk Assessments

As we mentioned, your business must take as many preventative measures as possible to prevent data breaches before they happen. A crucial step for any business is to conduct regular audits and risk assessments of your system.

Regular audits and assessments can help you identify the weak areas in your system that present the greatest risk and possibility of a breach. After identifying them, you can work to strengthen those weak points, significantly decreasing the likelihood of a data breach.

Get In Touch With Captain Compliance

The final step your business can take to protect PII and PHI is to contact us. If you outsource your business’s compliance needs to Captain Compliance, compliance fine worries will be a thing of the past.

Our team of experts offers years of experience navigating compliance frameworks and providing effective solutions for businesses across all industries. We offer thorough and GDPR compliance services to ensure your compliance and the safety of your data.


What is the difference between PII and PHI?

Personally Identifiable Information (PII) is any information related to an individual’s identity. On the other hand, Protected Health Information (PHI) is a subset of PII specified by the 18 identifiers listed in the HIPAA Privacy Rule.

What are the two types of PII?

The two types of PII are sensitive and non-sensitive. Sensitive PII includes personal information that would be considered harmful to an individual if exposed. Non-sensitive PII would not be as dangerous and would put a consumer at no risk.

What information violates HIPAA?

A HIPAA violation is issued when a business fails to allow access to, protect, delete, or change the protected health information of a consumer.

Is my business subject to HIPAA?

HIPAA applies only to covered entities, which include health care providers, health plans, and health care clearinghouses that meet specific requirements.


How Can Captain Compliance Help?

Personally identifiable information and protected health information both include consumer data that your business is legally required to protect.

At Captain Compliance, we offer A-Z compliance services for businesses in any industry. With our expertise to help your business protect PII and PHI, we can ensure your compliance with HIPAA, GDPR, CCPA, and other data protection laws.

Get in touch with us for a free consultation so you can find out how to safeguard your data properly and stay on the right side of the law.