Beginner’s Guide to PII vs PHI: What They Are, Key Differences, and Examples
Kevin Henry

Data Privacy

March 19, 2025

7 minutes read
If you work with personal or health data, you must distinguish Personally Identifiable Information (PII) from Protected Health Information (PHI). This beginner’s guide to PII vs PHI clarifies what each term means, how they differ, and what that means for data privacy compliance.

You’ll also see how major laws—the Health Insurance Portability and Accountability Act, the General Data Protection Regulation, and the California Consumer Privacy Act—treat these data types, plus practical examples and FAQs to help you apply the concepts.

Definition of Personally Identifiable Information

Personally Identifiable Information is any data that directly identifies you or can reasonably be linked to you. The definition is broad and context-dependent, covering both obvious identifiers and data that becomes identifying when combined.

Direct vs. indirect identifiers

  • Direct identifiers: full name, Social Security number, driver’s license number, email address, phone number, precise geolocation, biometric templates.
  • Indirect (quasi) identifiers: birth date, ZIP code, device IDs, IP address, demographic traits that, together, can single you out.

Sensitive PII and de-identification

Sensitive PII includes data that, if misused, could cause serious harm—financial, identity, or physical. Examples include government IDs, financial account numbers, or authentication credentials.

De-identified or anonymized data aims to remove any reasonable link back to you. Pseudonymized data is different: identifiers are replaced by tokens, but a key or lookup table can restore them, so the GDPR expressly treats it as personal data (Recital 26) and it remains regulated under most frameworks. Weaker still is an unkeyed hash of a low-entropy value such as a birth date or phone number; that can be reversed simply by enumerating the possible inputs and hashing each one.

How laws label PII

Different laws use different labels for similar concepts. The GDPR calls it “personal data,” while the CCPA refers to “personal information.” Each framework defines scope and rights in its own way, but all are centered on information linked to an identifiable person.

Definition of Protected Health Information

Protected Health Information is a subset of personal information defined by HIPAA. PHI is individually identifiable health information created, received, maintained, or transmitted by a HIPAA covered entity or its business associate, in any form (paper, electronic, oral).

What PHI includes

PHI covers medical histories, diagnoses, lab results, treatment plans, claims, billing details, and any identifiers attached to those data. It also includes demographic and payment data when linked to health information.

Context and custodians matter

The same data can be PHI or not, depending on who holds it. Heart-rate data in a hospital’s EHR is PHI; the identical data in a consumer fitness app may be personal data but not PHI if the app isn’t a covered entity or business associate.

De-identified health data under HIPAA

HIPAA treats health information as de-identified, and therefore no longer PHI, under either of two methods (45 CFR 164.514(b)): an expert determination that the risk of re-identification is very small, or the “safe harbor” method, which removes 18 listed categories of identifiers (names; geographic units smaller than a state beyond the first three ZIP digits; all date elements except the year; ages over 89; phone, fax and email; SSNs, medical record, health plan and account numbers; device, vehicle, URL and IP identifiers; biometrics; full-face photos; and any other unique identifying code) and additionally requires that the covered entity have no actual knowledge that the remaining information could identify the individual.
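The following is an added example, not code from the original article or from Accountable, illustrating both the safe-harbor transformations just described and the point made earlier that pseudonymized data still carries re-identification risk. The field names, the sample patient record, the as-of date and the low-population ZIP prefix list are constructed stand-ins (a real pipeline would map its own schema and use the Census-derived ZIP data); the function names are hypothetical.

```python
"""Safe-harbor de-identification and keyed pseudonymization.

Added example, not part of the original article. Field names, the sample
record, the as-of date and the low-population ZIP prefix list are constructed.
"""
import hashlib
import hmac
from datetime import date, timedelta

# Hypothetical field names for safe-harbor categories that are dropped outright.
REMOVED_FIELDS = {
    "name", "ssn", "mrn", "phone", "fax", "email", "ip_address", "device_id",
    "account_number", "health_plan_id", "license_number", "url", "biometric",
    "photo", "street_address",
}
# Constructed stand-in for the 3-digit ZIP prefixes whose combined population
# is 20,000 or fewer; safe harbor replaces those with "000".
LOW_POPULATION_ZIP3 = {"036", "059", "063", "102", "203"}

# Constructed sample inputs; no real patient data.
AS_OF = date(2025, 3, 19)
SAMPLE_RECORD = {
    "name": "Jane Example", "ssn": "123-45-6789", "mrn": "MRN-0042",
    "email": "jane@example.com", "dob": date(1984, 7, 14), "zip": "10302",
    "admit_date": date(2024, 3, 2), "diagnosis": "E11.9",
}
SAMPLE_RECORD_OVER_89 = dict(SAMPLE_RECORD, dob=date(1930, 1, 1), zip="05901")


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits, or '000' for a low-population prefix."""
    prefix = "".join(ch for ch in zip_code if ch.isdigit())[:3]
    if len(prefix) < 3 or prefix in LOW_POPULATION_ZIP3:
        return "000"
    return prefix


def age_on(dob: date, as_of: date) -> int:
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def safe_harbor_deidentify(record: dict, as_of: date = AS_OF) -> dict:
    """Return a copy with identifiers removed or generalized.

    Dates keep only the year, ZIPs keep a 3-digit prefix, and 'dob' becomes a
    birth year plus age. Ages over 89 collapse to '90+' and lose the birth
    year as well, because a year of birth implying age > 89 is itself an
    identifier under safe harbor.
    """
    out = {}
    for field, value in record.items():
        if field in REMOVED_FIELDS:
            continue
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field == "dob":
            age = age_on(value, as_of)
            if age > 89:
                out["age"] = "90+"
            else:
                out["birth_year"] = str(value.year)
                out["age"] = str(age)
        elif isinstance(value, date):
            out[field + "_year"] = str(value.year)
        else:
            out[field] = value
    return out


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed, deterministic token: records can still be linked, and only the
    key holder can rebuild the mapping, so the key needs the same protection
    as the identifiers it replaces."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:24]


def unkeyed_date_hash(d: date) -> str:
    """The weak variant: a bare SHA-256 of the date string, no key."""
    return hashlib.sha256(d.isoformat().encode()).hexdigest()


def recover_dob_from_unkeyed_hash(digest: str, earliest: date = date(1900, 1, 1),
                                  latest: date = date(2025, 12, 31)):
    """Re-identify a birth date masked with an unkeyed hash by enumerating
    every day in a human lifetime (about 46,000 candidates)."""
    d = earliest
    while d <= latest:
        if unkeyed_date_hash(d) == digest:
            return d
        d += timedelta(days=1)
    return None


if __name__ == "__main__":
    print(safe_harbor_deidentify(SAMPLE_RECORD))
    print(safe_harbor_deidentify(SAMPLE_RECORD_OVER_89))
    print(pseudonymize("MRN-0042", b"store-this-key-in-a-kms"))
    print(recover_dob_from_unkeyed_hash(unkeyed_date_hash(SAMPLE_RECORD["dob"])))
```

Two things to note when running it. First, the over-89 record shows why the age rule is not just a cosmetic bucket: the birth year is dropped too. Second, the recovery function finishes in well under a second, which is the practical meaning of “pseudonymized data still carries re-identification risk” when the pseudonym is an unkeyed hash of a small-domain value.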

Key Differences Between PII and PHI

Scope

PII is any information that identifies you across contexts. PHI is health-related personal information in the hands of HIPAA-regulated entities. All PHI is personal information, but not all personal information is PHI.

Who is regulated

PHI obligations attach to covered entities (providers, health plans, clearinghouses) and business associates. PII obligations depend on the governing law, which can apply to many types of businesses, not just healthcare.

HIPAA imposes privacy, security, and breach-notification requirements tailored to healthcare. Laws governing PII (such as GDPR and CCPA) focus on transparency, lawful bases, individual rights, and limits on selling or sharing data.

Rights and controls

For PII, you often have rights to access, delete, correct, and limit use (e.g., under GDPR and CCPA). For PHI, you have HIPAA rights like access, amendment, restrictions in certain cases, and an accounting of disclosures.

Breach response

HIPAA sets specific breach-notification content and timelines for PHI incidents: affected individuals must be notified without unreasonable delay and no later than 60 days after discovery, HHS must be notified, and breaches affecting more than 500 residents of a state or jurisdiction also require notice to prominent media outlets. PII breaches are governed by a mix of state, federal, and international laws with varying triggers and deadlines; the GDPR, for example, requires notice to the supervisory authority within 72 hours of becoming aware of a breach where feasible.

Examples of PII and PHI

Common PII examples

  • Name, home address, email, phone number.
  • Government IDs (SSN, passport, driver’s license).
  • Account credentials, payment card numbers, bank details.
  • IP address, device IDs, cookie IDs, precise location, biometrics.
  • Employment history, education records, consumer preference profiles.

Common PHI examples

  • Medical records, diagnoses, medications, lab and imaging results.
  • Visit notes, referrals, care plans, immunization records.
  • Claims, explanation of benefits, billing and payer information linked to a patient.
  • Appointment schedules, patient portal messages tied to an individual.
  • Any of the above when held by a covered entity or business associate and linked to a person.

Borderline scenarios

  • Wearable health metrics: PHI if generated or handled by a covered entity/business associate; otherwise personal data subject to consumer privacy laws.
  • Aggregated analytics: typically not PII or PHI if de-identified to an accepted standard. Aggregation by itself is not enough; small cell counts (one patient with a rare diagnosis in a given ZIP prefix and birth year) can still single someone out.

Regulatory Frameworks for PII and PHI

HIPAA (Health Insurance Portability and Accountability Act)

HIPAA’s Privacy, Security, and Breach Notification Rules govern PHI handled by covered entities and business associates. Compliance centers on administrative, physical, and technical safeguards, the minimum-necessary standard for uses and disclosures, and properly authorized disclosures. Violations can trigger investigations by the HHS Office for Civil Rights, corrective action plans, and substantial penalties.

GDPR (General Data Protection Regulation)

The GDPR applies to processing of personal data by organizations established in the EU or EEA, and to organizations elsewhere that offer goods or services to, or monitor the behavior of, people in the EU or EEA. It imposes principles such as lawfulness, fairness, transparency, purpose limitation, and data minimization. Health data is a “special category” under Article 9: processing it is prohibited unless a specific exception applies, such as explicit consent or the provision of healthcare.

CCPA (California Consumer Privacy Act)

The CCPA, as amended, grants California residents rights to know, delete, correct, and opt out of certain data uses, including selling or sharing. It also establishes duties for businesses around disclosures, sensitive personal information, and retention limits.

Other sectoral laws

In the U.S., additional laws may apply depending on context, such as GLBA (financial), FERPA (education), and COPPA (children’s data). Organizations often face overlapping obligations and should align programs to meet the strictest applicable standard.

Entities Handling PII and PHI

Who handles PII

Retailers, financial institutions, employers, software providers, data brokers, ad-tech platforms, and many other organizations routinely process PII for operations, analytics, personalization, and security.

Who handles PHI

Healthcare providers, health plans, and healthcare clearinghouses are covered entities. Vendors that create, receive, maintain, or transmit PHI on their behalf (EHR platforms, cloud hosting providers, billing firms, analytics partners) are business associates and must sign Business Associate Agreements that bind them to HIPAA duties. Under HHS guidance, a cloud provider storing encrypted ePHI is a business associate even if it never holds the decryption key; only a pure “conduit” that merely transmits data, such as an ISP, is excluded.

Non-covered health apps

Consumer wellness apps may process health-related PII without being subject to HIPAA. These apps still have obligations under consumer privacy and security laws, app store policies, and promises made in their privacy notices.

Authorization and lawful basis

Under HIPAA, many core uses (treatment, payment, healthcare operations) do not require patient authorization, but uses beyond those typically do. GDPR generally requires a lawful basis (consent, contract, legal obligation, vital interests, public task, or legitimate interests), with stricter rules for health data. The CCPA emphasizes transparency and grants opt-out rights for selling or sharing, plus controls for sensitive personal information.

Penalties and enforcement

HIPAA violations can lead to tiered civil money penalties, scaled to the level of culpability, and, for knowing misuse of PHI, criminal liability. The GDPR authorizes administrative fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher. The CCPA is enforced by the California Attorney General and the California Privacy Protection Agency, and gives consumers a private right of action with statutory damages for certain data breaches caused by a failure to maintain reasonable security. Strong governance, risk assessments, and training reduce exposure across all regimes.

In practice, sustained data privacy compliance requires role-based access, encryption, audit logging, vetted vendors, and incident response plans that satisfy HIPAA and consumer privacy rules simultaneously.

FAQs

What is the difference between PII and PHI?

PII is any information that identifies you across contexts. PHI is health-related personal information handled by HIPAA-regulated entities or their business associates. The same data can be PHI in a hospital’s system but only PII in a consumer app.

Which regulations govern PII and PHI?

PHI is governed primarily by HIPAA. PII is governed by frameworks like the GDPR in the EU and the CCPA in California, alongside sector-specific and state data-breach laws.

What are common examples of PII and PHI?

PII includes names, contact details, government IDs, account numbers, IP addresses, and precise location. PHI includes diagnoses, medications, lab results, claims, and any identifiers attached to health information in a HIPAA-covered context.

When is authorization or consent required?

HIPAA allows many core healthcare uses without patient authorization but requires authorization for nonroutine uses. GDPR often requires a lawful basis and tighter controls for health data. The CCPA emphasizes notices, opt-outs for selling or sharing, and additional controls for sensitive personal information.
