PHI vs. PII
If you work within the healthcare industry, you should already know that protecting private patient information is one of the chief concerns of HIPAA. HIPAA defines that information as Protected Health Information, or PHI, a term that overlaps with, but is narrower than, Personally Identifiable Information, or PII, the terminology used in most other privacy and compliance regimes.
Organizations can’t protect the information they are obliged to protect if they don’t know what that information includes. Although the two terms are similar, they are not interchangeable, so we define each individually below and then point out where they overlap and where they differ.
Related: GDPR Compliance and HIPAA
Personally Identifiable Information
Definition of PII
Personally Identifiable Information, or PII, is a general term for any information that can be used to distinguish or trace an individual’s identity, or to contact an individual, either on its own or in combination with other information. The term is not tied to HIPAA and is not governed by a single regulator or a single industry the way PHI is; it appears, with slightly different definitions, in federal guidance such as NIST SP 800-122, in state breach-notification laws and in regulations such as the GDPR.
Examples of PII
PII has historically been understood to mean direct identifiers such as Social Security numbers, phone numbers and mailing or email addresses. As technology and software have advanced, the scope of PII has expanded: login IDs, digital images, IP addresses, social media posts and other digital traces now count as well. Just as important, seemingly innocuous fields become PII in combination; a ZIP code, date of birth and sex together identify most of the US population, which is why the HIPAA identifier list below restricts dates and geography rather than only names and numbers.
PII Confidentiality Impact Level
When it comes to keeping PII secure and confidential, it is important to understand the extent of the risk and the potential harm that could result if that information were exposed. That is why NIST, the National Institute of Standards and Technology, published SP 800-122, “Guide to Protecting the Confidentiality of Personally Identifiable Information (PII).” Within this guide NIST defines what it calls the “PII Confidentiality Impact Level,” a rating of the potential harm to individuals (and to the organization) if the PII were disclosed, used or accessed in an unauthorized manner.
The PII confidentiality impact levels are low, moderate and high, following the FIPS 199 scale, and are assigned according to the “adverse effects” that a breach would have. Adverse effects are the unwanted, negative consequences (physical, social or financial) that could come to the individual whose information it is, or to the organization responsible for the breach. SP 800-122 lists six factors for deciding the level: how easily the data identifies a person, the quantity of PII held, the sensitivity of the individual data fields, the context in which the PII is used, any legal or contractual obligations to protect it, and where the PII is stored and who can access it. Section 3 of the guide gives the definition of each level, these factors in detail and examples of each level.
Protected Health Information
Definition of PHI
Protected Health Information, or PHI, is individually identifiable health information that a HIPAA covered entity or its business associate creates, receives, maintains or transmits in the course of providing or paying for healthcare. It includes the information in any form, whether paper, oral or electronic; electronic PHI (ePHI) is the subset that the HIPAA Security Rule specifically governs.
PHI can include information about:
- The past, present, or future physical or mental health or condition of an individual
- Healthcare services rendered to an individual
- Past, present, or future payment for the healthcare services rendered to an individual, along with any of the identifiers shown below.
Examples of PHI
The Privacy Rule’s “Safe Harbor” de-identification standard (45 CFR 164.514(b)(2)) lists 18 categories of identifiers. Health information is PHI whenever it is tied to any of these, and data is only considered de-identified under Safe Harbor once all 18 have been removed for the individual and for their relatives, employers and household members:
- Full names or last name and initial
- All geographical identifiers smaller than a state
- All elements of dates (other than year) directly related to an individual, such as birth, admission, discharge or death dates; and all ages over 89 and any date elements (including year) that would reveal such an age, which must be aggregated into a single “90 or older” category
- Phone Numbers including area code
- Fax Number(s)
- Email Address(es)
- Social Security Number
- Medical Record Numbers
- Health Insurance Beneficiary Numbers
- Bank Account Numbers
- Certificate and license numbers, including driver’s license numbers
- Vehicle Identifiers (including VIN and license plate information)
- Device Identifiers and Serial Numbers
- Web Uniform Resource Locators (URLs)
- Internet Protocol (IP) Address Numbers
- Biometric identifiers, including fingerprints, voice prints and comparable biometrics such as retinal scans
- Full Face Photographs and any comparable images that can identify an individual
- Any other unique identifying number, characteristic, or code, except a re-identification code that the covered entity assigns itself, provided the code is not derived from information about the individual and the method of generating it is not disclosed
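To make the Safe Harbor rules concrete, here is an added example (not code from the original article or from Accountable) that applies the mechanically checkable parts of the list above to a constructed patient record: direct identifiers are dropped, ZIP codes are cut to three digits (and set to 000 for the sparsely populated ZIP3 areas HHS lists), dates are reduced to year, ages over 89 are collapsed to a single category, and the MRN is replaced by a keyed-hash re-identification code. The field names, the sample record and the secret key are assumptions made for the example.

```python
"""Safe Harbor de-identification of a single patient record (illustrative)."""
import hashlib
import hmac
import re
from datetime import date

# Three-digit ZIP prefixes that HHS guidance (based on 2000 Census data) says
# cover 20,000 or fewer people; Safe Harbor requires these to become 000.
# Refresh this set against current HHS guidance before relying on it.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Assumed field names for identifiers that are removed entirely.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "mrn", "ssn", "phone", "fax", "email", "ip", "url",
    "account_number", "license_number", "vin", "device_serial",
    "beneficiary_id", "photo",
}
# Assumed field names for dates that are reduced to year only.
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}


def safe_harbor_zip(zip_code: str) -> str:
    """Keep the first three digits; use 000 for restricted or malformed ZIPs."""
    zip3 = re.sub(r"\D", "", zip_code)[:3]
    if len(zip3) != 3 or zip3 in RESTRICTED_ZIP3:
        return "000"
    return zip3


def safe_harbor_year(iso_date: str) -> str:
    """Reduce an ISO date (YYYY-MM-DD) to its year, the only element allowed."""
    return date.fromisoformat(iso_date).strftime("%Y")


def safe_harbor_age(dob: date, as_of: date) -> str:
    """Ages over 89 must be aggregated into a single category."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if age > 89 else str(age)


def reid_code(mrn: str, key: bytes) -> str:
    """Keyed hash: without the key the code cannot be derived from the MRN.
    The key is kept with the covered entity, never with the released data."""
    return hmac.new(key, mrn.encode(), hashlib.sha256).hexdigest()[:16]


def deidentify(record: dict, key: bytes, as_of: date) -> dict:
    """Return a copy of `record` with the 18 Safe Harbor categories handled."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue  # removed outright
        if field == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif field in DATE_FIELDS:
            out[field + "_year"] = safe_harbor_year(value)
        else:
            out[field] = value  # e.g. state, diagnosis code, sex
    age = safe_harbor_age(date.fromisoformat(record["dob"]), as_of)
    out["age"] = age
    if age == "90+":
        # A birth year would reveal an age over 89, so it must go too.
        out.pop("dob_year", None)
    out["reid_code"] = reid_code(record["mrn"], key)
    return out


# Constructed sample record; the ZIP falls in a restricted ZIP3 area.
SAMPLE_RECORD = {
    "name": "Jane Q. Doe",
    "mrn": "MRN-0012345",
    "ssn": "123-45-6789",
    "dob": "1931-06-15",
    "admit_date": "2023-03-02",
    "zip": "03601",
    "state": "NH",
    "email": "jane@example.com",
    "diagnosis": "I10",
}
SAMPLE_KEY = b"example-secret-key-not-for-production"  # assumed

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, SAMPLE_KEY, date(2023, 3, 2)))
```

Two caveats a practitioner should keep in mind. First, this only handles structured fields; free-text notes can carry any of the 18 identifiers and need a separate review or NLP pass. Second, Safe Harbor also requires that the covered entity has no actual knowledge that the remaining data could identify the individual, which no filter can check for you.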
PHI & HIPAA Compliance
Now that we’ve discussed what PHI is and how it differs from PII, it is important to talk about what HIPAA requires you to do to protect it. The Privacy Rule governs how PHI in any form may be used and disclosed; the Security Rule requires covered entities and business associates to protect the confidentiality, integrity and availability of electronic PHI. Organizations must implement administrative, physical and technical safeguards, starting with a documented risk analysis, which the rule lists as a required implementation specification. The rule is deliberately technology-neutral: beyond a set of “required” specifications, most of its implementation specifications are “addressable,” meaning the organization must implement them or document why an alternative is reasonable and appropriate. That flexibility can be frustrating, because when the cost of non-compliance is so high, organizations want to know exactly what they must do to be compliant.
Accountable exists to make HIPAA compliance as easy and straightforward as possible for organizations of all shapes and sizes. We have created a framework that walks you through adopting the necessary policies and procedures, training your employees and identifying risks within your organization, so that you can spend more of your time on your real work. Plus, it’s free to take the first steps towards compliance with us today!