PHI or PII – What’s the Difference?

By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow

The terms protected health information (PHI) and personally identifiable information (PII) are often used interchangeably. But while they may sound like the same thing, there are differences that set them apart, and that is especially true when it comes to HIPAA.

What’s the difference?

PII is any information that can be traced to a person’s identity. PHI is individually identifiable health information that is created, received, or held by HIPAA-covered entities. Assuming that the two can be handled the same way can lead to compliance issues for any healthcare business. Let’s look at the main differences and at the measures you can take to protect PHI and keep your business HIPAA compliant.

According to the National Institute of Standards and Technology (NIST), personally identifiable information “is not created equal” and should only be collected if absolutely necessary, in order to minimize the impact should a breach occur. PII can be directly or indirectly linked to a person’s identity. For example, a telephone number may identify a group of people, whereas a social security number identifies a single individual. Both are PII, but the consequences for the individual differ if they are exposed.

Other types of PII include:

  • Passport numbers
  • Driver’s license numbers
  • Address
  • Email address
  • Biometric data
  • Medical information
  • Financial information
  • Employment data
  • Educational information

Medical information can be both PII and PHI. Think of protected health information as the subset of personally identifiable information that specifically concerns an individual’s health and is shared with HIPAA-covered entities. This type of data includes lab reports, medical records, and any information about the individual’s past, present, or future physical or mental health. Financial information that pertains to medical bills is also considered PHI.

Organizations can strip the PHI out of a PII data set by removing the 18 identifying elements that HIPAA defines for PHI. Instructions from the U.S. Department of Health & Human Services on how to do this properly can be found here.
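As an added example (not code from this article or from HIPAA Secure Now!), the Python routine below de-identifies a single patient record in the spirit of the 18-element approach the paragraph refers to: direct identifiers are dropped, dates are reduced to the year, ages of 90 and over are aggregated, and identifiers that leak into free-text notes are redacted. The field names, regular expressions and sample record are constructed assumptions, and the routine covers only a subset of the 18 elements.

```python
"""Illustrative de-identification of one patient record.

Added example, not code from the original article or from HIPAA Secure Now!.
It handles a subset of the 18 HIPAA identifier categories: names, addresses,
phone numbers, email addresses, social security numbers, medical record
numbers and dates. Field names, patterns and the sample record are assumptions.
"""
import re
from datetime import date

# Fields removed outright because they identify the person directly.
# These field names are assumptions about the record layout.
DIRECT_IDENTIFIER_FIELDS = {"name", "address", "phone", "email", "ssn", "mrn"}

# Date-typed fields (ISO format assumed): only the year is retained.
DATE_FIELDS = {"dob", "admission_date"}

# Patterns that catch identifiers leaking into free text (constructed).
# Dates are reduced to their year; everything else is replaced by a label.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
DATE_RE = re.compile(r"\b\d{4}-\d{2}-\d{2}\b")

# Constructed sample record; no real person is described.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0042917",
    "ssn": "123-45-6789",
    "dob": "1961-03-14",
    "address": "12 Example Lane, Springfield",
    "phone": "555-867-5309",
    "email": "jane.sample@example.com",
    "admission_date": "2024-02-09",
    "diagnosis": "Type 2 diabetes mellitus",
    "notes": "Follow-up call to 555-867-5309; prior visit 2023-11-02 per jane.sample@example.com.",
}


def scrub_text(text: str) -> str:
    """Redact identifiers embedded in free text, keeping only the year of dates."""
    text = SSN_RE.sub("[SSN]", text)
    text = PHONE_RE.sub("[PHONE]", text)
    text = EMAIL_RE.sub("[EMAIL]", text)
    text = DATE_RE.sub(lambda m: m.group(0)[:4], text)
    return text


def age_on(dob: date, as_of: date) -> int:
    """Whole years between date of birth and the reference date."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def deidentify(record: dict, as_of_iso: str) -> dict:
    """Return a de-identified copy of `record`.

    `as_of_iso` is the reference date (ISO string) used to compute age.
    Ages of 90 and over are reported as "90+" and the birth year is dropped,
    because a year alone can identify very old individuals.
    """
    as_of = date.fromisoformat(as_of_iso)
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # drop direct identifiers entirely
        if key in DATE_FIELDS:
            out[key + "_year"] = str(value)[:4]  # keep the year only
            continue
        out[key] = scrub_text(value) if isinstance(value, str) else value
    if "dob" in record:
        age = age_on(date.fromisoformat(record["dob"]), as_of)
        if age >= 90:
            out.pop("dob_year", None)
            out["age"] = "90+"
        else:
            out["age"] = str(age)
    return out


if __name__ == "__main__":
    for field, value in deidentify(SAMPLE_RECORD, "2024-06-01").items():
        print(f"{field}: {value}")
```

The routine deliberately does not cover every category (for example geographic subdivisions smaller than a state, device and vehicle identifiers, URLs, IP addresses and full-face photographs), and the free-text patterns are best-effort: regular expressions miss names and unusual formats, so de-identified output still needs review before it is treated as no longer PHI.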

End to End Protection

A business must put the protection of both PII and PHI at the top of its priorities, which means ensuring that both HIPAA compliance and cybersecurity measures are in place. NIST notes that “an organization cannot properly protect PII it does not know about”. A security risk assessment can help identify this type of information, as well as any security gaps that your business needs to remedy.

This article was originally published on HIPAA Secure Now! and is republished here with permission.