Difference Between PHI vs PII: Definition & Examples


Kevin Henry

HIPAA

December 16, 2020

5 minutes read

Understanding the difference between PHI vs PII is essential for anyone handling sensitive data—especially in healthcare and regulated industries. While these terms are often used interchangeably, they have distinct meanings, unique identifiers, and are governed by different laws. Making the right distinctions isn’t just a matter of best practice—it’s a critical compliance step with real-world consequences.

Personally identifiable information (PII) and protected health information (PHI) both refer to data that can pinpoint an individual, but PHI is a subset that specifically relates to health, healthcare services, and payments. This subtle difference impacts how organizations must manage, de-identify, and pseudonymize data, and which regulations apply—such as HIPAA for PHI, and GDPR or CCPA for PII.

Knowing what counts as PHI or PII, and when, can protect your organization from legal missteps and privacy breaches. In this article, we’ll clarify the definitions, share practical examples, and break down key compliance requirements like data inventory, lawful basis for processing, and the minimum necessary standard.

Let’s dive in, so you can confidently tell the difference, secure your data, and meet your regulatory obligations with ease.

Definitions: PHI vs PII

Personally identifiable information (PII) and protected health information (PHI) are related, but each term has a specific definition and regulatory framework. Getting these distinctions right is key to building a robust data inventory, applying the principle of minimum necessary, and ensuring compliance with laws like HIPAA, GDPR, and CCPA.

PII refers to any data that could identify a specific individual, either alone or when combined with other information. This category is broad and includes everything from a person’s name and email address to less obvious identifiers like IP addresses or login credentials. PII is a foundational concept in privacy laws such as GDPR and CCPA, which require organizations to identify, protect, and use this data lawfully—often with a clear lawful basis such as consent, contract, or legitimate interest.

  • Examples of PII: Full name, home address, phone number, email address, Social Security Number, driver’s license, bank account details, and any unique digital identifiers.
  • PII Identifiers: Not limited to one industry—PII covers information used in finance, retail, technology, and more.
  • PII and De-identification: Once PII is de-identified or pseudonymized to the point it cannot be linked back to an individual without additional information, it may fall outside certain regulatory requirements. However, the standards for de-identification under GDPR and CCPA are strict, and pseudonymization does not always remove all obligations.

PHI, on the other hand, is a subset of PII that specifically relates to health information created, received, or maintained by covered entities (like healthcare providers and insurers) or their business associates. What makes PHI unique is the context: it is tied to the provision of healthcare, payment for healthcare, or a person’s physical or mental health status. PHI is strictly regulated by the HIPAA Privacy and Security Rules in the U.S., requiring organizations to apply the minimum necessary standard when using or disclosing health data.

  • Examples of PHI: Medical records, diagnosis codes, treatment information, health insurance details, lab results, and any identifiers linked to health data (such as patient names, birth dates, or medical record numbers).
  • PHI Identifiers: HIPAA lists 18 specific identifiers that qualify health data as PHI when combined with health-related information. These include everything from biometric data to photographs and device IDs.
  • PHI and De-identification: HIPAA allows for PHI to be de-identified through approved methods, at which point the data is no longer regulated as PHI. However, the process must remove all 18 identifiers or use expert determination to ensure the risk of re-identification is very small.

In summary, the key difference between PHI vs PII lies in the type of information, the context in which it’s collected, and the regulatory requirements attached. PHI is always health-related and regulated by HIPAA, while PII is broader and regulated by laws like GDPR and CCPA. Both require ongoing data inventory management, a lawful basis for processing, and strategies like de-identification and pseudonymization to reduce risk and meet the minimum necessary standard.

Core Overlap: All PHI is PII but Not All PII is PHI

When it comes to PHI vs PII, the key overlap is that every piece of protected health information (PHI) is also personally identifiable information (PII), but not every piece of PII qualifies as PHI. This distinction matters because it influences how organizations must handle, secure, and process sensitive data under various privacy laws and standards.

Let’s break down why this overlap exists:

  • PHI always contains identifiers: PHI includes health-related data that can identify an individual, such as medical records, treatment details, or billing information. But for it to be PHI, it must both relate to health and be linked to an identifiable person. This means it always contains elements of PII—like names, dates of birth, or contact information.
  • PII doesn’t need to be health-related: PII, on the other hand, is any information that can be used to identify someone, regardless of context. This could be a phone number, email, or even a device ID. If there’s no health aspect involved, it doesn’t fall under PHI, even though it’s still sensitive and regulated.

What does this mean in practice? If you’re maintaining a data inventory, you’ll likely encounter records that contain both health and non-health identifiers. For example, a patient’s address on a medical bill is PHI (because it’s linked to healthcare), but the same address in a marketing database would only be PII.

De-identification and pseudonymization are critical tools: Both HIPAA and global privacy laws like GDPR and CCPA encourage or require the removal or masking of identifiers when possible. De-identification removes all direct and indirect identifiers, making the information no longer PHI or PII by law. Pseudonymization replaces identifiers with coded references, still offering privacy but allowing data to be re-linked if necessary under controlled conditions.

Why does the overlap matter?

  • Regulatory requirements vary: HIPAA strictly regulates PHI, while GDPR, CCPA, and similar laws regulate PII. Understanding what data falls under which category ensures that you apply the right security measures, respect data subject rights, and only process data with a lawful basis.
  • The “minimum necessary” principle: In both PHI and PII management, organizations are expected to limit data access and sharing to the minimum necessary for the intended purpose. This reduces risk and helps meet compliance obligations.

In summary, all PHI is PII because it’s inherently identifiable and sensitive—but the reverse isn’t true. Recognizing this relationship is foundational to building compliant data handling practices across healthcare and beyond. By understanding the overlap and where the line is drawn, we can apply the right controls and protect individuals’ privacy with confidence.

The key distinction between PHI and PII boils down to the context and content of the information. All PHI is PII, but not all PII qualifies as PHI. What sets PHI apart is its direct connection to health information, healthcare services, and healthcare payments. Let’s break down what this means in practice so you can confidently navigate regulatory requirements and safeguard your data.

PHI is PII—but specifically within a healthcare context. Think of PHI as a subset of PII that contains health-related details. If you have a piece of information that identifies an individual and relates to their medical history, diagnoses, treatments, or payment for healthcare services, it’s PHI. If it’s just information that can identify someone—but isn’t tied to health or healthcare—it’s considered PII.

  • PII (Personally Identifiable Information): Any data that can be used to identify a person, such as a name, Social Security number, or email address. It’s a broad category that applies across industries and is regulated by laws like GDPR and CCPA.
  • PHI (Protected Health Information): A narrower category defined by HIPAA. PHI includes any identifiable information about health status, provision of healthcare, or payment for healthcare that is created or collected by a covered entity or business associate.

For example, a mailing address is PII. If that address appears on a medical bill or a health insurance claim, it becomes PHI because it’s now connected to healthcare services or payments. The context transforms generic identifiers into protected health data.

Why does this distinction matter? The answer lies in compliance obligations. HIPAA, for instance, imposes strict rules on how PHI is used, disclosed, and protected—including the minimum necessary standard, requirements for de-identification and pseudonymization, and the need for a valid lawful basis to process data. In contrast, regulations like GDPR and CCPA set out requirements for PII that may not involve health information at all.

Building an effective data inventory is crucial here. Organizations must know what information they collect, store, and share—and whether it’s PHI or PII—so they can apply the right safeguards and respond swiftly to compliance requests or incidents. Always ask: Is this data just identifying someone, or does it reveal something about their health or healthcare? That’s the line between PII and PHI.

In summary, PHI is a special category of PII that carries extra regulatory weight because of its association with health and healthcare. Knowing the difference helps us apply the right controls, demonstrate compliance, and—most importantly—protect individuals’ most sensitive information.

Governing Regulations: HIPAA for PHI

HIPAA (Health Insurance Portability and Accountability Act) is the cornerstone regulation for safeguarding Protected Health Information (PHI) in the United States. If your organization handles any PHI—whether you’re a healthcare provider, insurer, or business associate—HIPAA compliance isn’t optional. It’s the law, and the stakes are high.

HIPAA sets out strict requirements for how PHI must be collected, used, disclosed, and protected. These requirements are more prescriptive than those surrounding general personally identifiable information (PII), and they focus specifically on health-related data that can identify an individual.

  • Privacy Rule: Restricts how PHI can be used and disclosed, ensuring individuals’ health information is only accessible to those with a legitimate need. It also grants patients rights over their information, including access and amendment rights.
  • Security Rule: Requires covered entities and business associates to implement administrative, technical, and physical safeguards to protect PHI in electronic form (ePHI). This extends to access controls, encryption, audit logs, and secure data transmission.
  • Breach Notification Rule: Mandates timely notification of affected individuals, the government, and in some cases, the media, if a breach of unsecured PHI occurs.

HIPAA goes beyond simply defining identifiers and confidentiality—it requires organizations to adopt a proactive, risk-based approach to PHI protection. This means:

  • Data Inventory: You must know exactly where PHI lives within your systems, who accesses it, and how it moves both internally and externally. Maintaining an up-to-date data inventory is crucial for compliance and for incident response.
  • Minimum Necessary Standard: HIPAA enforces a strict “minimum necessary” rule. Only the least amount of PHI needed for a specific task or function should be used, accessed, or disclosed.
  • De-identification and Pseudonymization: HIPAA encourages the use of de-identification techniques to remove identifiers from PHI when possible, reducing regulatory burden and breach risk. Methods include “Safe Harbor” (removing 18 specific identifiers) and “Expert Determination.” Pseudonymization, while helpful, does not fully exempt data from HIPAA if re-identification is possible.
  • Lawful Basis: Uses and disclosures of PHI must have a lawful basis under HIPAA—such as treatment, payment, or healthcare operations. Uses outside these require explicit patient consent or another legal justification.
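The de-identification and pseudonymization methods named above (and in the "Core Overlap" section earlier) are easier to reason about when written out. The following Python is an added example written for this article; it is not code from Accountable or from HIPAA guidance. It implements a Safe Harbor-style pass over a single record (direct identifiers dropped, dates reduced to year, ZIP codes truncated to three digits, ages over 89 aggregated) and a keyed pseudonymization step in which identifiers become HMAC-SHA256 tokens that can be re-linked only by whoever holds both the key and a separately stored link table. The field-name-to-identifier mapping, the set of low-population ZIP prefixes, and the sample record are all constructed assumptions; the 18 identifier categories themselves are those listed in 45 CFR 164.514(b)(2).

```python
import hmac
import hashlib
from datetime import date

# Field names this example maps onto HIPAA's 18 Safe Harbor identifier
# categories (45 CFR 164.514(b)(2)): names, geographic units smaller than a
# state, dates except year, phone, fax, email, SSN, medical record number,
# health plan number, account number, certificate/license number, vehicle IDs,
# device IDs, URLs, IP addresses, biometrics, full-face photos, any other
# unique code. Which record field falls in which category is an assumption.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo", "other_unique_id",
}
# Dates and ZIP codes are generalised rather than dropped outright.
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}


def generalize_zip(zip5, restricted_prefixes):
    """Keep the first three ZIP digits, unless the caller flags that prefix as
    covering 20,000 people or fewer, in which case it becomes '000'."""
    prefix = zip5[:3]
    return "000" if prefix in restricted_prefixes else prefix


def safe_harbor_deidentify(record, restricted_prefixes=frozenset()):
    """Return a copy of `record` with Safe Harbor identifiers removed or
    generalised: direct identifiers dropped, dates reduced to year, ZIP to
    three digits, ages over 89 collapsed to '90+'."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue                                   # drop outright
        if field in DATE_FIELDS:
            out[field + "_year"] = str(value.year)     # keep year only
        elif field == "zip":
            out["zip3"] = generalize_zip(value, restricted_prefixes)
        elif field == "age":
            out["age"] = "90+" if value > 89 else value
        else:
            out[field] = value                         # non-identifying data
    return out


def pseudonymize(record, key, link_table):
    """Replace each direct identifier with a keyed HMAC-SHA256 token.

    The key and `link_table` (token -> original value) are the re-linking
    material: keep them apart from the pseudonymised data so re-linking is
    possible only for whoever controls both. Without the key a token cannot
    be reproduced from a guessed identifier, which a plain hash would allow.
    """
    out = dict(record)
    for field, value in record.items():
        if field not in DIRECT_IDENTIFIER_FIELDS:
            continue
        canonical = f"{field}:{str(value).strip().lower()}".encode()
        token = hmac.new(key, canonical, hashlib.sha256).hexdigest()[:16]
        link_table[token] = value
        out[field] = token
    return out


def relink(token, link_table):
    """Controlled re-identification: works only for holders of the link table."""
    return link_table.get(token)


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "email": "jane.doe@example.com",
    "mrn": "MRN-0001234",
    "phone": "555-0100",
    "zip": "02139",
    "dob": date(1932, 4, 17),
    "admit_date": date(2025, 3, 2),
    "age": 93,
    "diagnosis": "J45.909",   # constructed ICD-10-style code
}

if __name__ == "__main__":
    print(safe_harbor_deidentify(SAMPLE_RECORD, restricted_prefixes={"036", "059"}))
    links = {}
    pseudo = pseudonymize(SAMPLE_RECORD, b"example-key-kept-in-a-vault", links)
    print(pseudo)
    print(relink(pseudo["mrn"], links))
```

The two functions show the practical difference the text draws: after `safe_harbor_deidentify` the record holds no identifier the 18-category list names, so (subject to the "no actual knowledge" condition HIPAA attaches) it is no longer PHI; after `pseudonymize` the record still carries tokens that the key holder can map back, so it remains personal data under GDPR-style rules and remains PHI if re-identification is possible.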

HIPAA’s approach to PHI is far more granular and demanding than regulations for general PII, such as GDPR or CCPA. While those laws focus on consent and transparency, HIPAA mandates operational controls, limits on use, and technical safeguards tailored to the healthcare context. Any organization subject to HIPAA must build robust compliance programs around these requirements to avoid severe penalties and protect patient trust.

Various Laws for PII

When it comes to protecting personally identifiable information (PII), organizations must navigate a complex landscape of privacy laws. These regulations vary by country and industry, but each sets clear expectations around how PII is collected, used, disclosed, and safeguarded. Understanding which laws apply to your data is crucial for maintaining compliance and building trust with your customers or patients.

Let’s look at some of the most influential laws that govern PII:

  • HIPAA (Health Insurance Portability and Accountability Act): While HIPAA mainly addresses protected health information (PHI), it also covers PII when that information relates to health status, care, or payment. HIPAA requires covered entities and business associates to implement safeguards, follow the principle of minimum necessary, and ensure proper de-identification or pseudonymization of data when appropriate.
  • GDPR (General Data Protection Regulation): The GDPR is a comprehensive data privacy law in the European Union. It defines personal data (comparable to PII) and introduces strict requirements around data processing. Organizations must maintain a detailed data inventory, establish a lawful basis for processing, and respect data minimization principles. GDPR also gives individuals rights such as access, correction, and erasure.
  • CCPA (California Consumer Privacy Act): The CCPA enhances privacy rights and consumer protection for California residents. It defines personal information broadly and requires businesses to disclose data collection practices, allow consumers to opt out of data sales, and delete personal information upon request. Like GDPR, CCPA emphasizes transparency and user control over identifiers.
  • NIST Privacy Framework: While not a law, the National Institute of Standards and Technology (NIST) sets standards that help organizations manage PII risks. The framework covers de-identification, pseudonymization, and risk assessments, helping organizations align with best practices regardless of industry.
  • Other State and International Laws: Many U.S. states, such as New York and Virginia, have their own privacy laws. Internationally, laws like Canada’s PIPEDA and Brazil’s LGPD mirror GDPR principles, requiring careful data inventory, legal justification, and respect for the minimum necessary use of PII.

What does this mean in practice? If you handle PII, you need to know which laws affect your business. This includes documenting your data inventory, clarifying your lawful basis for collecting and processing information, and ensuring you only use the minimum necessary identifiers needed for your purpose. De-identification and pseudonymization techniques are increasingly required to limit risk and comply with these laws.

By understanding and aligning with these legal requirements, we not only avoid costly penalties but also strengthen our reputation by putting privacy and security first. Staying informed and proactive is the best way to navigate the evolving world of data privacy.

Examples of PII That Is NOT PHI

Not all personally identifiable information (PII) is considered protected health information (PHI), and recognizing these differences matters for your compliance strategy. When we talk about PII that is NOT PHI, we’re focusing on data that can identify an individual—but isn’t connected to their health status, healthcare services, or medical payments. This distinction is critical under regulations like HIPAA, GDPR, and CCPA, because the rules and obligations for handling each type of information can differ significantly.

Let’s look at some common examples of PII that fall outside the scope of PHI:

  • Full Name: Your name alone, without any reference to health data, is PII. For example, a customer list at a retail store is PII, but not PHI.
  • Home Address: Street addresses used for shipping products or billing purposes are PII. Unless tied to medical records or healthcare, these do not qualify as PHI.
  • Email Address: An email address collected for a newsletter or account signup is PII. Only if that email is linked to medical care does it become PHI.
  • Social Security Number (SSN): SSNs are classic PII identifiers and are highly sensitive. An employer payroll system holding SSNs is responsible for PII—not PHI—unless combined with health data.
  • Phone Number: Contact numbers for general business communications are PII, unless they are part of a healthcare context.
  • Driver’s License or Passport Number: These government-issued identifiers are PII when used for identification or travel, not for healthcare.
  • Online Identifiers: Things like IP addresses, login usernames, or device IDs collected for website analytics or account management are PII unless included in a patient record.
  • Employment or Education Information: Job titles, company affiliations, and school records are all forms of PII when they are not connected to an individual’s health information.

Why is this distinction important? If your organization keeps a data inventory, it’s crucial to accurately classify PII versus PHI. This allows you to apply the right de-identification, pseudonymization, and access controls, and to respect the minimum necessary principle under HIPAA or the lawful basis requirements of GDPR and CCPA. Handling PII correctly helps protect privacy, reduces regulatory risk, and builds trust with those whose data you manage.

In summary, PII is broad and applies across all industries, while PHI is a specific subset of PII linked to health information and regulated with more stringent controls. When in doubt, always ask yourself: “Is this information related to health care or medical payments?” If not, you’re likely dealing with PII—not PHI.

Context is Crucial for Classification

When it comes to distinguishing between PHI vs PII, context isn’t just helpful—it’s absolutely essential. The very same piece of information, such as a name or an email address, can be classified as personally identifiable information (PII) in one scenario and as protected health information (PHI) in another. What determines the classification is the environment, the source, and how the data is being used or disclosed.

Identifiers—like names, addresses, or phone numbers—are only considered PHI when they’re connected to health-related information and managed by a covered entity or business associate under HIPAA. If those identifiers exist outside of a healthcare context, they are typically regulated as PII under laws like GDPR or CCPA. For example, an email address in a hospital’s patient portal is PHI, but the same email used to register for a retail website is just PII.

  • Healthcare context: If the data is created, received, stored, or transmitted in the provision of healthcare services and contains identifiers, it becomes PHI and falls under HIPAA.
  • Commercial context: The same identifiers without any health data are considered PII, guided by privacy regulations like GDPR or CCPA.

We can’t emphasize enough how much data inventory and regular audits matter here. Understanding the flow of information across your systems helps ensure you know not only what data you collect, but also under what circumstances it shifts from being PII to PHI. This is especially important for organizations that operate in multiple sectors or jurisdictions.

Regulatory frameworks also affect classification. For instance, GDPR and CCPA apply rigorous standards to all PII, while HIPAA focuses specifically on PHI. These regulations may differ in their requirements for lawful basis for processing, user rights, and breach notification.

When dealing with sensitive data, practices such as de-identification and pseudonymization can further shift how information is classified and regulated. Data that’s properly de-identified no longer counts as PII or PHI under most laws. However, the standards for de-identification and the minimum necessary use of data differ across regulations, so understanding the legal context is just as important as the technical processes.

In summary, the classification of data as PHI or PII depends on context, purpose, and regulation. By being meticulous with how we categorize and manage identifiers, and by maintaining an updated data inventory, we can ensure that we meet all compliance obligations and protect individuals’ privacy effectively.

Why the Distinction Matters for Compliance

The distinction between PHI vs PII carries significant weight in the realm of compliance because different laws, risk levels, and safeguards apply depending on the type of information you handle. Failing to classify data correctly can lead to costly fines, loss of customer trust, and even legal consequences.

Here's why getting it right matters:

  • Different Legal Obligations: PHI is specifically protected under HIPAA, which imposes stringent requirements on how healthcare data is transmitted, stored, and accessed. On the other hand, PII is regulated by broader privacy laws like GDPR and CCPA, each with their own definitions, scope, and requirements. Knowing whether you’re handling PHI or PII determines which legal frameworks apply to you.
  • Varying Identifiers and Examples: PHI is tied to health-related identifiers, while PII covers a broader set of identifiers like names, addresses, and digital fingerprints. Misclassifying an identifier could mean overlooking necessary protections or misapplying controls, putting your organization at risk.
  • De-identification and Pseudonymization Strategies: De-identifying PHI under HIPAA demands removing or coding all 18 specific identifiers. GDPR, which covers PII, stresses pseudonymization to reduce risk. If you don’t know which type of data you’re handling, you could miss critical steps in data minimization or fail to achieve true compliance.
  • Data Inventory and Tracking: Conducting a thorough data inventory is foundational to compliance. You must know whether your systems store PHI, PII, or both, since this affects your risk assessments, breach response plans, and vendor management processes.
  • Lawful Basis and Minimum Necessary: Under GDPR, processing PII requires a lawful basis, like consent or contractual necessity. HIPAA’s Minimum Necessary Standard compels organizations to limit PHI access and disclosure to only what’s needed for a specific task. Mixing up these standards can cause over-collection, unauthorized use, or improper data sharing.

In short, recognizing the differences between PHI and PII empowers your organization to implement the right technical and organizational controls, document compliance for audits, and demonstrate your commitment to privacy. By getting these classifications right, we not only protect individuals but also build a solid foundation for trust and long-term success.

Security Requirements: Often Stricter for PHI

When we talk about PHI vs PII, one of the most important differences is the level of security required to protect each type of information. PHI—because it relates directly to health status, care, or payment for healthcare and is tightly regulated by laws like HIPAA—demands a higher bar for security controls compared to general personally identifiable information (PII).

PHI is subject to rigorous safeguards under HIPAA, and often, these requirements exceed those applied to PII under general data privacy laws such as GDPR and CCPA. Here’s what makes PHI protections notably stricter:

  • Administrative safeguards: Organizations must create clear policies and procedures for handling PHI, train staff regularly, conduct risk assessments, and designate a privacy officer. These protocols are all designed to prevent unauthorized access or disclosure of PHI.
  • Technical safeguards: HIPAA requires robust technical measures such as encryption, unique user authentication, automatic log-off, and audit controls to track access to PHI. These technical requirements are often more specific and demanding than those for general PII.
  • Physical safeguards: PHI must be protected against physical threats—think secure offices, access controls, and locked storage for both paper and electronic records. Devices and workstations accessing PHI must be secured to prevent theft or unauthorized use.
  • Minimum necessary standard: Under HIPAA, organizations must limit PHI use and disclosure to the minimum necessary to accomplish the intended purpose. This principle is stricter and more clearly defined than the general data minimization rules found in GDPR or CCPA for PII.
  • Data inventory and access tracking: Maintaining a detailed data inventory for PHI is essential. Every access or change to PHI should be tracked, and unauthorized access must be reported—immediately. For PII, access logging is good practice, but not always mandatory.

Another area where PHI security is more demanding is the process of de-identification and pseudonymization. HIPAA’s de-identification standards are precise, often requiring removal of 18 specific identifiers. In contrast, GDPR allows pseudonymization as a protective step for PII, but it does not always require the same exhaustive process as HIPAA for PHI.

In addition, the concept of lawful basis is stricter for PHI. HIPAA only permits use and disclosure under specific circumstances (such as treatment, payment, or healthcare operations), with any other use requiring individual authorization. GDPR and CCPA also require lawful basis for PII processing, but HIPAA’s permitted uses are especially narrow and well-defined.

To sum up: Handling PHI means adhering to a much higher standard of security and privacy than PII. If your data contains health-related information tied to individual identifiers, you must always default to HIPAA-level protections—no shortcuts allowed. Investing in robust security, clear policies, and ongoing training isn’t just about compliance—it’s about building trust and protecting the people behind the data.

Examples Illustrating the Difference

Let’s bring the PHI vs PII conversation to life with practical examples. These real-world scenarios will show how personally identifiable information and protected health information can overlap, diverge, and be subject to different rules depending on context and use. We’ll also spotlight how regulatory frameworks like HIPAA, GDPR, and CCPA treat various identifiers, and why understanding the distinction is crucial for your data inventory and compliance efforts.

  • A Patient Name and Email Address Alone: If you have just a name and email address (e.g., Jane.Doe@email.com), this is considered PII under GDPR or CCPA because it can be used to identify or contact someone, but it isn’t PHI unless it’s linked to health data or a healthcare context.
  • Medical Record Number with Diagnosis: A medical record number attached to a diagnosis, treatment plan, or payment details is PHI. Here, the information not only identifies the individual but also relates to their health status. HIPAA applies, and the minimum necessary standard must be followed when sharing or using this data.
  • Employee Social Security Number (SSN): An employee’s SSN in a payroll system is PII, since it’s used for identification and is protected under CCPA and GDPR. It’s not PHI unless it appears in a medical context, such as being connected to health insurance records.
  • IP Address on a Healthcare Website: If an IP address is collected by a hospital’s patient portal and can be tied to a patient’s identity or health information, it could be PHI under HIPAA. On other sites, it may be PII per GDPR or CCPA, but not PHI.
  • De-identified Data: Suppose a hospital removes all HIPAA identifiers (such as names, dates, and medical record numbers) from a dataset. This is de-identification, and the resulting data is neither PHI nor PII, provided it can’t reasonably be re-identified. Similarly, pseudonymization under GDPR (replacing identifiers with codes) can reduce risk, but the data may still be considered personal if re-identification is possible.
  • Health App User Data: If you use a fitness tracker that collects your name, email, and activity levels, this is PII under GDPR/CCPA. If the app partners with a healthcare provider and shares your step count for medical purposes, that information could become PHI, subject to HIPAA’s stricter requirements and the minimum necessary use principle.

In summary, the distinction between PHI vs PII hinges on both the type of identifiers involved and the context in which data is collected, used, or shared. Building a thorough data inventory, understanding your lawful basis for processing, and adopting de-identification or pseudonymization where appropriate will help ensure compliance with HIPAA, GDPR, and CCPA.

Grasping the distinction between PHI vs PII is more than just a technical requirement—it's the foundation for safeguarding privacy and building trust. By understanding how personally identifiable information and protected health information differ, we’re better equipped to handle sensitive data responsibly and comply with major regulations like HIPAA, GDPR, and CCPA.

Each type of information comes with its own set of identifiers and legal expectations. PHI is tightly regulated within healthcare under HIPAA, while PII applies more broadly across industries and is protected by laws such as GDPR and CCPA. Knowing these differences helps us apply the right controls—like de-identification and pseudonymization—to reduce risks and protect individuals.

Maintaining a clear data inventory, identifying a lawful basis for processing, and always applying the minimum necessary standard are essential practices. These steps not only keep us compliant but also demonstrate our commitment to respecting personal privacy. In a landscape where data breaches can have far-reaching consequences, being proactive is not just smart—it’s necessary.

At the end of the day, understanding and applying the distinctions between PHI and PII empowers us to protect what matters most: the people behind the data.

FAQs

Is all PHI also PII?

Yes. All PHI is also PII, although not all PII is PHI. PHI, or Protected Health Information, specifically refers to health-related information that can identify an individual and is created or used in the course of healthcare services. PII, or Personally Identifiable Information, is a broader term that includes any data that can identify a person, such as names, addresses, or identification numbers, regardless of the context.

PHI is a subset of PII with a healthcare focus. Under HIPAA, PHI includes both health details and personal identifiers, like name or date of birth, linked to medical care. This means every piece of PHI is inherently PII because it can identify someone. However, PII does not always include medical or health-related details—think of a simple email address or phone number.

Regulations like HIPAA, GDPR, and CCPA require organizations to distinguish between these categories in their data inventory, apply the minimum necessary principle, and ensure a lawful basis for processing or sharing such data. Understanding the distinction helps us apply appropriate de-identification or pseudonymization techniques to protect privacy and maintain compliance.

When does PII become PHI?

PII (Personally Identifiable Information) becomes PHI (Protected Health Information) when it is linked to health-related data and is created, received, maintained, or transmitted by a HIPAA-covered entity or its business associate in the context of healthcare services. For example, a person’s name or email address is considered PII on its own, but if it appears alongside medical diagnoses, treatment records, or payment details for healthcare, it is classified as PHI under HIPAA regulations.

The key difference between PHI and PII lies in the context and content. While PII identifies an individual (like name, address, or Social Security number), PHI specifically relates to health information combined with these identifiers. HIPAA sets strict requirements for handling PHI, including following the minimum necessary standard, maintaining a comprehensive data inventory, and ensuring de-identification or pseudonymization when possible.

If you’re managing data under both HIPAA and privacy laws like GDPR or CCPA, understanding this distinction is critical. It helps you determine your lawful basis for data processing and implement appropriate safeguards. Always remember: when in doubt, treat any identifier combined with health information as PHI and apply the most stringent protection measures.

How do de-identification standards differ?

De-identification standards differ significantly depending on the type of data and the regulations that apply to it. For PHI (Protected Health Information) under HIPAA, de-identification requires removing or coding all 18 specific identifiers, such as names, dates, and contact information, making it impossible to link the data back to an individual without additional information. HIPAA also allows for an expert determination method, where a qualified expert certifies that the risk of re-identification is very small.

PII (Personally Identifiable Information) under laws like the GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act) follows different standards. The GDPR emphasizes pseudonymization—replacing identifiers with artificial tags—while still recognizing that re-identification might be possible if additional data is available. CCPA, meanwhile, focuses on “de-identified” data that cannot reasonably be linked to a particular consumer, but the definition is less prescriptive than HIPAA’s.

Ultimately, the key differences come down to the specifics of what must be removed or altered, the type of identifiers involved, and how de-identified data is handled in a data inventory. For example, HIPAA’s approach is more rigid and detailed, while GDPR and CCPA allow for some flexibility but demand ongoing risk assessments. All frameworks emphasize the importance of using only the minimum necessary information and having a lawful basis for any processing—even after de-identification.
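To make the contrast concrete, here is an added Python example (not code from the article or from Accountable): a HIPAA Safe Harbor-style pass that drops the identifier fields the answer names and reduces dates to the year, beside a GDPR-style pseudonymization that swaps identifiers for keyed HMAC tags. The field names, the sample record and the subset of identifier categories are constructed for illustration, not the full Safe Harbor list.

```python
import hmac
import hashlib
from datetime import date

# Constructed subset of HIPAA Safe Harbor identifier categories (names, contact
# details, record numbers); the real list has 18 entries.
DIRECT_IDENTIFIERS = {"name", "email", "phone", "ssn", "mrn", "address"}
DATE_FIELDS = {"dob", "admit_date"}


def safe_harbor(record: dict) -> dict:
    """HIPAA Safe Harbor style: drop direct identifiers, keep only the year of
    dates, and bucket ages over 89. Nothing here is reversible."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                      # identifier removed outright
        if key in DATE_FIELDS:
            out[key] = value.year         # all date elements except year removed
        elif key == "age" and value > 89:
            out[key] = "90+"              # ages over 89 are aggregated
        else:
            out[key] = value
    return out


def pseudonymize(record: dict, key: bytes) -> dict:
    """GDPR style pseudonymization: replace identifiers with keyed HMAC tags.
    Whoever holds `key` (stored separately) can re-link the data, which is
    why pseudonymized data is still personal data under GDPR."""
    out = {}
    for k, value in record.items():
        if k in DIRECT_IDENTIFIERS:
            tag = hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()[:16]
            out[k] = f"pseud:{tag}"
        else:
            out[k] = value
    return out


def matches_tag(tagged: str, candidate: str, key: bytes) -> bool:
    """Re-linking with the key: check a known identity against a tag."""
    expected = hmac.new(key, candidate.encode(), hashlib.sha256).hexdigest()[:16]
    return hmac.compare_digest(tagged, f"pseud:{expected}")


# Constructed sample record for a fictional patient.
SAMPLE = {"name": "Jane Doe", "mrn": "000123", "dob": date(1931, 5, 4), "age": 93,
          "admit_date": date(2024, 3, 9), "diagnosis": "J45.20", "state": "MA"}
```

Run `safe_harbor(SAMPLE)` and `pseudonymize(SAMPLE, key)` side by side: the first keeps only the year and the "90+" bucket with no identifiers, the second keeps every field but leaves a deterministic tag that `matches_tag` can re-link for anyone holding the key.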

Which law applies if we hold both PHI and PII?

If your organization holds both PHI (Protected Health Information) and PII (Personally Identifiable Information), you will need to comply with all relevant laws that apply to each type of data. PHI is specifically regulated by HIPAA in the United States, which sets strict standards for protecting health-related identifiers. On the other hand, PII may fall under broader privacy laws like the GDPR (for individuals in the EU) or the CCPA (for California residents), which cover a wide range of personal information beyond health data.

It's important to note that these regulations can overlap. For example, if you process health data of EU residents, both HIPAA and GDPR might apply. In these cases, you must determine a valid lawful basis for processing data, ensure minimum necessary handling, and document your practices in a comprehensive data inventory. Techniques such as de-identification and pseudonymization can help reduce risk, but do not necessarily exempt you from compliance.

In summary, you must comply with every law that covers the information you hold—there is no “one-size-fits-all” rule. Always review your data practices against HIPAA, GDPR, CCPA, and any other applicable regulations to avoid gaps in compliance.
