PII or PHI? Definitions, Key Differences, and Compliance Examples

Kevin Henry

Data Privacy

July 28, 2025

9-minute read

PII Definition

Personally Identifiable Information (PII) is any data that can identify, contact, or precisely locate a specific person, or that can be combined with other data to do so. You encounter PII across HR files, customer accounts, marketing platforms, and identity verification systems.

What counts as PII

PII includes direct identifiers (name, Social Security number, driver’s license, biometric templates) and quasi-identifiers that narrow identity in combination (date of birth, ZIP code, precise geolocation, device identifiers). Sensitive PII—such as government IDs, financial account numbers, and authentication credentials—demands heightened protection.

Context and de-identification

Context matters: a ZIP code alone may not identify you, but paired with birthdate and gender it often can. To reduce risk, organizations commonly apply de-identification techniques like aggregation, tokenization, or pseudonymization; however, only robust anonymization that prevents re-identification should be treated as outside most privacy regimes.

PHI Definition

Protected Health Information (PHI) is a subset of personal information that relates to a person’s health status, care, or payment for care, when created or maintained by a HIPAA-covered entity (such as a healthcare provider, health plan, or clearinghouse) or its business associate. PHI can exist in any format—paper, verbal, or electronic (ePHI).

Elements and scope

PHI ties health-related data to one or more personal identifiers (for example, treatment notes with a medical record number, claims with a member ID, or lab results linked to a name). Common identifiers include names, addresses, dates, phone numbers, email addresses, account numbers, full-face photos, and unique device or biometric identifiers when linked to health information.

What is not PHI

Not all health-related data is PHI. For instance, wellness data collected by a direct-to-consumer app that is not acting for a covered entity is typically PII, not PHI. Similarly, employment records held by an employer in its role as employer (outside a group health plan) are generally not PHI.

Key Differences Between PII and PHI

Scope and context

PII is broad and cross-industry. PHI is narrower: it is health-related personal information in the custody of covered entities or business associates. The same heart-rate reading might be PII in a fitness app, but PHI inside a hospital’s remote monitoring program.

PII is primarily governed by consumer and data protection laws (for example, GDPR Compliance and CCPA Regulations), while PHI is governed by HIPAA’s Privacy, Security, and Breach Notification Rules. Your obligations change based on which regime applies to the dataset and the role you play.

Data elements and standards

Both categories involve identifiers, but PHI has healthcare-specific rules like the Minimum Necessary Standard and strict disclosure authorizations. De-identification standards also differ; HIPAA outlines defined pathways to treat data as de-identified, whereas consumer privacy laws rely on concepts like anonymization or pseudonymization with different thresholds.

Individual rights and disclosures

Under consumer privacy laws, individuals may have rights to access, delete, correct, and opt out of certain uses of PII. Under HIPAA, individuals have rights to access and obtain copies of their PHI and receive a Notice of Privacy Practices, with additional constraints on uses and disclosures for treatment, payment, and healthcare operations.

Regulatory Frameworks Governing PII and PHI

HIPAA Privacy Rule

The HIPAA Privacy Rule governs how covered entities and business associates use and disclose PHI, when you must obtain patient authorizations, what the Minimum Necessary Standard requires, and how to honor access requests. The HIPAA Security Rule adds safeguards for ePHI, and the Breach Notification Rule requires timely notices after certain incidents.

GDPR Compliance

GDPR applies to personal data of people in the EU/EEA, regardless of your location if you target those individuals. You must establish a lawful basis for processing, uphold principles like data minimization and purpose limitation, implement Data Protection by Design and by Default, and support data subject rights. Health data is a special category requiring additional conditions to process.

CCPA Regulations

California’s CCPA (as amended) provides California residents rights to know, access, delete, correct, and opt out of the sale or sharing of personal information, with additional limits for sensitive personal information. You must provide clear notices at or before collection, honor opt-out signals, maintain reasonable security, and ensure service providers and contractors are bound by written agreements.

Compliance Measures for PHI

Administrative safeguards

  • Perform an enterprise-wide risk analysis covering all ePHI systems; track remediation with a prioritized plan.
  • Designate privacy and security officers; maintain policies for the HIPAA Privacy Rule, Security Rule, sanctions, and incident response.
  • Train your workforce initially and at least annually; reinforce the Minimum Necessary Standard and proper disclosures.
  • Execute Business Associate Agreements (BAAs) with vendors that create, receive, maintain, or transmit PHI on your behalf.

Technical safeguards

  • Implement strong Access Controls: unique user IDs, least-privilege role design, multi-factor authentication, and automatic logoff.
  • Use Data Encryption for ePHI in transit (TLS) and at rest (industry-standard algorithms); manage keys securely and separately.
  • Enable audit logging and immutable logs; regularly review access, privilege changes, and anomalous activity.
  • Maintain integrity controls (checksums, hashing), secure backups, and tested disaster recovery and business continuity plans.

Physical safeguards

  • Control facility access; secure networking closets and server rooms; escort visitors in restricted areas.
  • Protect devices with screen privacy, cable locks, and secure storage; use mobile device management with remote wipe.
  • Dispose of media securely using shredding or certified destruction; sanitize drives before reuse or return.

Operational practices

  • Publish a clear Notice of Privacy Practices; obtain patient authorizations where required.
  • Adopt a robust breach response plan, including assessment, containment, forensics, individual notification without unreasonable delay, and preventive follow-ups.
  • Conduct periodic technical testing (vulnerability scans, penetration tests) tailored to ePHI systems and high-risk workflows.

Compliance Measures for PII

Governance and accountability

  • Map data flows end-to-end; maintain a record of processing activities describing purposes, categories, retention, and recipients.
  • Establish a lawful basis where required (for example, consent, contract) and document it; embed privacy by design in product and engineering lifecycles.
  • Adopt data minimization and purpose limitation; prohibit secondary uses without a compatible basis or fresh consent.

Transparency and individual rights

  • Provide notices at or before collection detailing categories, purposes, retention, and rights.
  • Operationalize requests to access, delete, correct, or opt out; verify identity and respond within statutory timelines.
  • Honor “Do Not Sell or Share” choices and global opt-out signals; offer a simple path to limit sensitive data uses under CCPA Regulations.

Security controls

  • Apply layered security: Access Controls, network segmentation, endpoint protection, and secure software development practices.
  • Use Data Encryption for data in transit and at rest; tokenize or pseudonymize identifiers used for analytics and testing.
  • Set retention schedules; automatically purge or archive PII when no longer needed; document secure disposal.

Vendors and cross-border transfers

  • Conduct vendor due diligence; sign data processing or service provider agreements with clear instructions and security requirements.
  • Assess cross-border transfer mechanisms where applicable; implement supplemental safeguards based on risk.
  • Monitor vendors with periodic reviews, security attestations, and audit rights.

Practical Examples of PII and PHI Protection

Example 1: Telehealth platform (PHI)

You partner with clinics to deliver video visits. Because you handle ePHI as a business associate, you execute BAAs, enforce role-based Access Controls for care teams, encrypt recordings at rest and in transit, and maintain detailed audit logs. You share only the Minimum Necessary PHI for billing.
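Two of the safeguards this example names, a per-role Minimum Necessary filter (billing sees billing fields, not treatment notes) and an audit log that is tamper-evident, as an added Python example that is not the article's or any vendor's code. The roles, field names and sample visit record are constructed assumptions.

```python
import hashlib
import json

# Constructed policy: the PHI fields each role needs for its task (Minimum Necessary)
MINIMUM_NECESSARY = {
    "care_team": {"patient_code", "visit_date", "diagnosis", "treatment_notes", "procedure_code"},
    "billing": {"patient_code", "visit_date", "procedure_code", "insurance_member_id"},
    "scheduling": {"patient_code", "visit_date"},
}

class AuditLog:
    """Append-only, hash-chained log: every entry commits to the previous hash,
    so editing or deleting an earlier entry makes verify() fail."""
    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev, event):
        return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        self.entries.append({"event": event, "prev": prev, "hash": self._digest(prev, event)})

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or e["hash"] != self._digest(prev, e["event"]):
                return False
            prev = e["hash"]
        return True

def disclose(record, role, user_id, log):
    """Return only the fields the role may see; log what was disclosed and withheld.
    A production entry would also carry a timestamp and the stated access purpose."""
    allowed = MINIMUM_NECESSARY.get(role)
    base = {"user": user_id, "role": role, "patient_code": record.get("patient_code")}
    if allowed is None:
        log.append({**base, "outcome": "denied"})
        raise PermissionError(f"no disclosure policy for role {role!r}")
    filtered = {k: v for k, v in record.items() if k in allowed}
    log.append({**base, "outcome": "allowed", "disclosed": sorted(filtered),
                "withheld": sorted(set(record) - allowed)})
    return filtered

# Constructed sample visit record (not real PHI)
VISIT = {"patient_code": "a1b2c3d4e5f60718", "visit_date": "2024-03-10", "diagnosis": "J45",
         "treatment_notes": "Inhaler dose adjusted", "procedure_code": "99213",
         "insurance_member_id": "M-44721"}
```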

Example 2: Retail e-commerce site (PII)

You collect emails, shipping addresses, and device IDs. You provide a notice at collection, honor opt-out requests for targeted ads, and limit access to PII to support and fulfillment teams. Data Encryption protects stored customer records, and you purge abandoned-cart PII after a defined retention period.

Example 3: Research dataset (de-identified)

Your hospital de-identifies PHI before analytics by removing direct identifiers and applying aggregation or date-shifting. Researchers access only coded datasets in a segregated environment with strict Access Controls. Re-identification keys are stored separately by a limited team.
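The de-identification steps this example describes (and the tokenization and pseudonymization techniques listed under Context and de-identification above), as an added Python example that is not the article's or Accountable's code: direct identifiers are dropped, the medical record number is replaced by a keyed pseudonym, dates are shifted by one random offset per patient so intervals between visits survive, ZIP is generalized to three digits, and the re-identification map is returned separately so a limited team can hold it apart from the coded dataset. The field names, sample rows and offset range are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta

# Direct identifiers that never leave the secured environment (constructed list)
DIRECT_IDENTIFIERS = {"name", "mrn", "email", "phone", "address"}

def make_pseudonym(mrn: str, key: bytes) -> str:
    """Keyed code: the same patient always maps to the same code, but the code
    cannot be reversed without the key held by the re-identification team."""
    return hmac.new(key, mrn.encode(), hashlib.sha256).hexdigest()[:16]

def deidentify(records, key: bytes, rng=secrets.randbelow):
    """Return (coded_records, reid_map). reid_map is the re-identification key
    and must be stored separately from the coded dataset."""
    coded, reid_map, offsets = [], {}, {}
    for r in records:
        code = make_pseudonym(r["mrn"], key)
        if code not in offsets:
            # One random shift per patient (about +/-6 months, a constructed
            # range) keeps the intervals between a patient's visits intact.
            offsets[code] = rng(365) - 182
            reid_map[code] = {"mrn": r["mrn"], "offset_days": offsets[code]}
        out = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        out["patient_code"] = code
        out["visit_date"] = r["visit_date"] + timedelta(days=offsets[code])
        out["zip3"] = out.pop("zip")[:3]   # generalize the quasi-identifier
        coded.append(out)
    return coded, reid_map

# Constructed sample PHI rows (not real patients)
SAMPLE = [
    {"mrn": "MRN-0001", "name": "Jane Doe", "zip": "94110",
     "visit_date": date(2024, 3, 10), "diagnosis": "J45"},
    {"mrn": "MRN-0001", "name": "Jane Doe", "zip": "94110",
     "visit_date": date(2024, 3, 24), "diagnosis": "J45"},
    {"mrn": "MRN-0002", "name": "John Roe", "zip": "60601",
     "visit_date": date(2024, 5, 2), "diagnosis": "E11"},
]

if __name__ == "__main__":
    rows, reid = deidentify(SAMPLE, secrets.token_bytes(32))
    for row in rows:
        print(row)
```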

Example 4: Employer benefits vs. HR files

Your company sponsors a group health plan; plan records containing claims are PHI and must follow HIPAA rules. Performance reviews and general HR personnel files are PII, not PHI, and follow your consumer/privacy policy and applicable labor laws.

Example 5: Wearable device data

Heart-rate data collected by a direct-to-consumer wearable is typically PII. If a hospital enrolls patients in a remote monitoring program using the same device and receives the readings for treatment, those readings become PHI within the hospital’s environment.

Example 6: Incident response

A stolen laptop containing unencrypted customer addresses (PII) triggers consumer privacy notifications under applicable law. If it contains unencrypted ePHI, you also assess HIPAA breach obligations, notify affected individuals without unreasonable delay, and implement corrective actions like enforced full-disk encryption and MDM.

Conclusion

PII covers identity-related data across industries, while PHI is health-related personal data handled by covered entities or their business associates. Align your program to the right rule set—HIPAA Privacy Rule for PHI and consumer privacy laws like GDPR Compliance and CCPA Regulations for PII—then implement layered safeguards such as Data Encryption, strong Access Controls, vendor oversight, and disciplined retention to reduce risk and prove compliance.

FAQs

What distinguishes PII from PHI?

PII is any information that can identify a person in any context. PHI is health-related personal information created or held by HIPAA-covered entities or their business associates. The same data point can shift categories based on who holds it and why—for example, a pulse reading in a hospital record is PHI, but the same reading in a consumer fitness app is typically PII.

How does HIPAA regulate PHI?

HIPAA sets rules for how PHI can be used and disclosed, requires safeguards for ePHI, and mandates breach notifications after certain incidents. The HIPAA Privacy Rule establishes allowed uses (such as treatment, payment, and healthcare operations), individual access rights, the Minimum Necessary Standard, and the need for Business Associate Agreements with vendors.

What are common compliance requirements for PII?

Core requirements include transparent notices, a lawful basis where applicable, honoring rights to access, delete, correct, and opt out, and maintaining reasonable security. In practice, you implement privacy by design, minimize collection, set retention limits, encrypt data, enforce Access Controls, and manage vendors under written contracts.

Can PHI be shared under GDPR?

Yes, but only under GDPR’s strict conditions for special-category data. You must have an appropriate legal basis and a specific condition permitting processing of health data (for example, medical care, public interest in public health, or explicit consent), apply data minimization, and use strong security such as encryption and access restrictions.