PHI vs PII vs ePHI: What They Mean, Key Differences, and HIPAA Compliance Tips
Understanding Personally Identifiable Information
Personally Identifiable Information (PII) is any data that can identify a specific person, either directly or when combined with other data. It spans everyday identifiers and digital traces and is not limited to healthcare settings.
Common examples include:
- Direct identifiers: full name, mailing address, email, phone number, Social Security number, driver’s license number.
- Quasi-identifiers: date of birth, ZIP code, IP address, device or advertising IDs, and other unique identifiers that can enable re-identification when linked together.
PII becomes especially sensitive when you aggregate multiple data points. However, aggregated or properly anonymized information that cannot reasonably identify a person is not PII. Unlike PHI, PII is a broad category that applies across industries; whether it triggers HIPAA obligations depends on context and the type of entity handling the data.
Defining Protected Health Information
Protected Health Information (PHI) is individually identifiable health information created, received, maintained, or transmitted by a covered entity or its business associates that relates to a person’s health status, healthcare, or payment for care. In short, PHI is PII in a healthcare context handled by regulated organizations.
Typical PHI elements include:
- Clinical details: diagnoses, medications, lab results, visit notes, imaging, treatment plans.
- Administrative and billing data: medical record numbers, claim or account numbers, insurance member IDs.
- Identifiers linked to health context: names, addresses, phone numbers, dates of service, and other data that tie back to the individual’s care.
Context matters. The exact same data element (for example, an email address) may be PHI when collected by a hospital for appointment reminders, but only PII when collected by a non-health website for a newsletter. If the information is health-related and handled by covered entities or business associates, treat it as PHI.
Exploring Electronic Protected Health Information
Electronic Protected Health Information (ePHI) is PHI that is created, stored, processed, or transmitted in electronic form. The content is the same as PHI; the medium is digital. Because ePHI is portable and scalable, it carries unique security risks and is the focus of the HIPAA Security Rule.
Common sources of ePHI include:
- Electronic health records, patient portals, telehealth platforms, and e-prescribing systems.
- Emails, secure messages, file shares, cloud storage, endpoint backups, and mobile devices.
- System logs and metadata that can reveal patient context when combined with identifiers.
HIPAA Privacy and Security Rules Overview
HIPAA Privacy Rule
The HIPAA Privacy Rule governs how covered entities and business associates use and disclose PHI. It requires the “minimum necessary” standard, defines permissible uses and disclosures (such as treatment, payment, and healthcare operations), and grants individuals rights to access, obtain copies, request amendments, and receive an accounting of certain disclosures.
Privacy compliance is policy- and process-heavy: you must provide a Notice of Privacy Practices, manage authorizations, restrict inappropriate access, and enforce sanctions for violations. Clear role definitions and data-sharing boundaries prevent routine operations from drifting into noncompliance.
HIPAA Security Rule
The HIPAA Security Rule applies specifically to ePHI and establishes administrative, physical, and technical safeguards. It is risk-based, meaning you select controls proportional to your risks while meeting core requirements.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
- Administrative: risk assessments, risk management, workforce training, assigned security responsibility, vendor oversight, and incident response planning.
- Physical: facility access controls, workstation security, device/media controls, and secure disposal.
- Technical: access controls (unique IDs, MFA), audit controls (logging and monitoring), integrity protections, transmission security, and data encryption.
Implementing HIPAA Compliance Measures
Translate the rules into daily practice with an actionable program that distinguishes PII, PHI, and ePHI while embedding safeguards across people, process, and technology.
- Perform risk assessments regularly: map data flows, classify assets, identify threats and vulnerabilities, rate likelihood/impact, and track remediation in a risk register.
- Apply data encryption: protect ePHI in transit (current TLS) and at rest (strong, modern encryption); manage keys securely and enforce device encryption for laptops and mobile devices.
- Enforce least privilege access: use role-based access, multifactor authentication, periodic access reviews, and timely offboarding.
- Strengthen monitoring and audits: capture logs for access and changes to ePHI, review them routinely, and alert on anomalous behavior.
- Harden systems and applications: patch promptly, secure configurations, segment networks, and validate third-party integrations that handle ePHI.
- Prepare for incidents: maintain an incident response plan, run tabletop exercises, define breach notification workflows, and document post-incident lessons learned.
- Ensure resilience: implement tested backups, disaster recovery, and continuity plans to protect availability and integrity of ePHI.
- Train your workforce: provide role-based training on the HIPAA Privacy Rule and HIPAA Security Rule, phishing awareness, and acceptable use.
- Manage vendors: execute Business Associate Agreements, review security evidence, and require subcontractor compliance where applicable.
- Minimize and govern data: collect only what you need, set retention schedules, and securely dispose of media that contained ePHI.
De-identification of PHI
De-identification of PHI allows you to use and share health data with far fewer restrictions by removing the ability to identify individuals. HIPAA recognizes two methods.
Safe Harbor method
Remove specific direct identifiers (for example, names, phone numbers, email addresses, account numbers, full-face photos, and biometric identifiers), plus other listed elements such as precise dates and small-area geography, and have no actual knowledge that the remaining data could identify a person. When done correctly, the resulting data is no longer PHI.
Expert Determination method
A qualified expert applies statistical or scientific principles to determine the risk of re-identification is very small, documents the methods and results, and establishes conditions for use and safeguards. This route preserves more utility but requires rigor and ongoing review.
Remember: pseudonymized or coded data can still be PHI if re-identification is reasonably possible. Limited Data Sets remove many identifiers but remain PHI and require a data use agreement. Maintain documentation for whichever approach you use.
Managing Business Associate Agreements
Business associates are vendors or partners that create, receive, maintain, or transmit PHI or ePHI on your behalf—such as cloud providers, billing services, claims processors, telehealth platforms, and analytics firms. If a vendor can access ePHI (even if access is infrequent), a Business Associate Agreement (BAA) is typically required.
Effective BAAs should:
- Define permitted and required uses/disclosures of PHI and prohibit other uses.
- Bind the business associate to implement safeguards aligned with the HIPAA Security Rule and to comply with applicable portions of the HIPAA Privacy Rule.
- Require prompt breach and security incident reporting and cooperation during investigations.
- Flow down obligations to subcontractors that handle PHI.
- Address return or destruction of PHI upon contract termination and outline audit or assessment rights.
Before signing, perform due diligence: review the vendor’s security controls, encryption standards, risk assessments, and operational practices; confirm they can meet availability and incident response commitments. Reassess high-risk vendors periodically and document oversight activities.
Conclusion
PII identifies people; PHI is identifiable health information handled by covered entities or business associates; ePHI is PHI in electronic form. Building compliance around these distinctions—through risk assessments, strong data encryption, disciplined access control, vigilant monitoring, robust vendor BAAs, and thoughtful de-identification—helps you meet HIPAA Privacy Rule and HIPAA Security Rule requirements while preserving data utility and trust.
FAQs
What is the difference between PHI and PII?
PII is any information that identifies a person in any context. PHI is a subset: identifiable health information connected to care, payment, or health status that is created, received, maintained, or transmitted by covered entities or their business associates. The same identifier (like an email) is PHI only when tied to a healthcare context under HIPAA.
How does ePHI differ from PHI?
ePHI is PHI in electronic form—EHR entries, portal messages, cloud backups, emails, and similar digital artifacts. The HIPAA Security Rule specifically targets ePHI with administrative, physical, and technical safeguards, while paper PHI is governed primarily by the HIPAA Privacy Rule and relevant physical controls.
What are the key HIPAA compliance requirements for protecting ePHI?
Core requirements include conducting documented risk assessments, managing risks, enforcing least-privilege access with MFA, implementing data encryption in transit and at rest, maintaining audit logs and regular reviews, training the workforce, preparing for incidents and breach notifications, ensuring reliable backups and disaster recovery, and executing Business Associate Agreements with vendors that handle ePHI.
How do Business Associate Agreements impact HIPAA compliance?
BAAs extend HIPAA obligations to vendors that handle PHI or ePHI, requiring them to implement safeguards, restrict use and disclosure, report incidents, and impose the same duties on subcontractors. Well-crafted BAAs, paired with vendor due diligence and ongoing oversight, close a major compliance gap and help you manage third-party risk effectively.
Table of Contents
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.