PII vs PHI Explained: Real-World Scenarios to Make the Difference Clear


Kevin Henry

Data Privacy

March 19, 2025

8 minutes read

This guide clarifies where Personally Identifiable Information (PII) ends and Protected Health Information (PHI) begins. You’ll see clear definitions, the rules that govern each, real incidents that show the difference, and practical steps to handle both correctly.

Definition of Personally Identifiable Information

PII is any data that can identify, contact, or precisely locate a person—on its own or when combined with other data. What counts as PII can vary by law and context, but the concept is consistent: if a data point can single someone out, it is PII.

Common types of PII

  • Direct identifiers: full name, Social Security number, driver’s license or passport number, full postal address, personal email, phone number, biometrics.
  • Indirect (quasi-) identifiers: date of birth, ZIP code, employer, IP address, device or advertising IDs, when these can be linked back to the person.
  • Sensitive PII: government IDs, financial account numbers with credentials, precise geolocation, biometric templates, and authentication data.

Context matters. A hashed email, persistent cookie, or IP address may be PII if it is reasonably linkable to an individual. Under GDPR Requirements, “personal data” is broad and includes any identifier or profile that can single out a person.

Definition of Protected Health Information

PHI is a subset of personal information: it is individually identifiable health information created, received, maintained, or transmitted by a HIPAA-covered entity (like a health plan, provider, or clearinghouse) or its business associate. Electronic PHI (ePHI) is simply PHI in digital form.

What qualifies as PHI

  • Clinical details: diagnoses, lab results, treatment plans, medication lists, imaging.
  • Administrative and billing data: claim numbers, subscriber IDs, encounter numbers, prior authorizations.
  • Metadata tied to a person’s health: appointment times, device serial numbers, portal usernames when linked to medical records.

The same data point can be PHI in one context and not in another. A heart rate collected by a hospital portal is PHI; the same metric from a standalone fitness app (with no covered entity involved) is not PHI under HIPAA, though it is still PII and may be regulated by other privacy laws.

De-identification under HIPAA

Data ceases to be PHI when properly de-identified: either by removing specified identifiers (safe harbor) or through expert determination that the risk of re-identification is very small. De-identified data can be used more freely, but re-identification is prohibited.
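As an added example (not the article's own code), the following Python applies the Safe Harbor method to one structured record: direct identifiers are dropped, dates are reduced to the year, ZIP codes are truncated to three digits (or "000" for low-population areas), and ages over 89 are collapsed into a single bucket. The field names, the small-population ZIP prefix set and the sample record are assumptions constructed for this example; expert determination is a separate, statistical process not shown here.

```python
from datetime import date

# Field names are assumed for this example's constructed record layout; HIPAA names
# identifier categories, not column names, so map your own schema onto these.
DROP_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_id", "photo", "other_unique_id",
}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
# 3-digit ZIP prefixes covering 20,000 or fewer people must collapse to "000".
# Constructed placeholder set; the authoritative list comes from Census data.
SMALL_POPULATION_ZIP3 = {"036", "059", "102"}

SAMPLE = {  # constructed sample record, not real patient data
    "name": "Jane Example", "mrn": "MRN-000123", "email": "jane@example.com",
    "zip": "02139", "birth_date": date(1932, 5, 4),
    "admission_date": date(2024, 11, 2), "diagnosis": "E11.9",
}

def years_between(earlier: date, later: date) -> int:
    """Whole years from earlier to later (a simple age calculation)."""
    years = later.year - earlier.year
    if (later.month, later.day) < (earlier.month, earlier.day):
        years -= 1
    return years

def safe_harbor_deidentify(record: dict, as_of: date) -> dict:
    """Drop direct identifiers, keep only the year of dates, keep 3-digit ZIPs
    (or "000"), and collapse ages over 89, plus the birth year that would
    reveal them, into a single "90+" bucket."""
    out = {}
    over_89 = "birth_date" in record and years_between(record["birth_date"], as_of) > 89
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue
        if field == "zip":
            zip3 = str(value)[:3]
            out["zip3"] = "000" if zip3 in SMALL_POPULATION_ZIP3 else zip3
        elif field in DATE_FIELDS:
            if field == "birth_date" and over_89:
                continue  # the year alone would reveal an age over 89
            out[field + "_year"] = value.year
        elif field == "age":
            out["age"] = "90+" if value > 89 else value
        else:
            out[field] = value
    if over_89:
        out["age"] = "90+"
    return out
```

Free-text fields such as clinical notes are passed through untouched here, so a real pipeline must also scrub identifiers embedded in narrative text before treating the output as de-identified.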

Regulatory Frameworks for PII

Unlike PHI, PII is governed by a patchwork of laws that vary by jurisdiction and sector. You should map where you operate and which data you collect to determine the full set of obligations.

United States: consumer privacy and breach rules

  • CCPA Regulations (as amended by CPRA) give California residents rights to know, delete, and correct personal information, and to opt out of the sale or sharing of data. The law also introduces “sensitive personal information” and imposes purpose limitation and data minimization expectations.
  • All U.S. states have Data Breach Notification laws that require timely notice to affected individuals and, in many cases, regulators. Some states set specific deadlines; others require notice “without unreasonable delay.”
  • Sectoral laws may also apply, such as GLBA (financial), FERPA (education), and COPPA (children’s data).

International: GDPR Requirements

  • Process data only with a lawful basis (e.g., consent, contract, legitimate interests) and document it.
  • Honor data subject rights: access, correction, deletion, portability, objection, and restriction.
  • Apply data minimization, purpose limitation, storage limitation, and security by design/default.
  • Conduct DPIAs for high-risk processing and manage cross-border transfers lawfully.

Regulatory Frameworks for PHI

PHI is primarily regulated by HIPAA in the United States, with additional state health privacy laws and certain federal rules for sensitive records. If you handle PHI, HIPAA Compliance is mandatory for covered entities and business associates.

HIPAA’s core rules

  • Privacy Rule: governs permissible uses and disclosures of PHI and the “minimum necessary” standard.
  • Security Rule: requires administrative, physical, and technical safeguards for ePHI, including risk analysis, access controls, audit logs, integrity controls, and transmission security.
  • Breach Notification Rule: requires notifying affected individuals and regulators without unreasonable delay and no later than 60 days after discovery; larger incidents have additional reporting obligations.

Other considerations

  • Business Associate Agreements (BAAs) must define permitted PHI uses, safeguards, and breach duties.
  • Certain data, like substance use disorder records, may be subject to stricter federal or state rules.
  • If you process EU patient data, GDPR treats health data as a “special category,” adding heightened requirements alongside HIPAA.

Real-World Examples of PII Breaches

Misconfigured cloud storage at a recruiting firm

A public bucket exposed resumes and identity scans, including names, addresses, and SSNs. The firm had to issue Data Breach Notifications across multiple states, offer credit monitoring, and implement rigorous access policies and encryption for stored files.

Credential stuffing at a travel platform

Attackers reused leaked passwords to access loyalty accounts, revealing contact details, itineraries, and partial payment info. The company enforced multi-factor authentication, added bot defenses, and accelerated password reset workflows to protect PII at scale.

Email compromise in retail marketing

A phishing attack let criminals download a CRM list with names, emails, and phone numbers. Beyond notifying customers, the retailer hardened SPF/DKIM/DMARC, rolled out security awareness training, and segmented marketing systems to limit future exposure.

Real-World Examples of PHI Breaches

Ransomware at a hospital network

Malware encrypted scheduling and EHR systems, exposing appointment data, clinical notes, and subscriber IDs. The provider activated downtime procedures, coordinated HIPAA Breach Notification within the 60-day window, and invested in immutable backups and network segmentation.

Third-party billing vendor compromise

A vulnerability in a file transfer tool used by a revenue cycle partner enabled exfiltration of claims files. PHI for multiple client hospitals was impacted, triggering BAAs’ incident clauses, coordinated notices, and a comprehensive vendor security reassessment.

Stolen unencrypted laptop

An employee’s car was broken into, and a device holding local ePHI extracts was taken. The organization notified patients, paid penalties, and moved to full-disk encryption with remote wipe, strict device management, and a “no local data” policy.

Handling and Protection Requirements for PII and PHI

1) Inventory, classify, and minimize

  • Map data flows: what you collect, where it lives, who accesses it, and why.
  • Classify by sensitivity (public, internal, confidential, restricted) and minimize collection to what is necessary.
  • Adopt retention schedules and automate deletion to reduce breach impact.

2) Apply strong Data Encryption Standards

  • Encrypt data in transit with modern TLS and at rest with robust algorithms (e.g., AES-256).
  • Use sound key management (segregated keys, rotation, hardware-backed storage where feasible).
  • Tokenize or pseudonymize identifiers so production systems and analytics use reduced-risk data.

3) Enforce identity and access controls

  • Least-privilege and role-based access; just-in-time elevated access for administrators.
  • Multi-factor authentication everywhere, especially for remote and privileged access.
  • Network segmentation, EDR, and continuous monitoring to limit blast radius.

4) Build privacy and security into processes

  • For PII: align with CCPA Regulations and other state laws on notice, opt-outs, and consumer rights.
  • For PHI: satisfy HIPAA Compliance via documented policies, BAAs, workforce training, and periodic risk analyses.
  • Conduct DPIAs or risk assessments for high-impact initiatives and new vendors.

5) Prepare for incidents and Data Breach Notification

  • Maintain an incident response plan with runbooks, on-call roles, and decision criteria.
  • Track deadlines: GDPR supervisory authority notice within 72 hours where required; HIPAA individual notice no later than 60 days; state laws vary but often expect prompt notice.
  • Practice tabletop exercises and rehearse regulator and customer communications.

6) Quick decision guide: is it PII or PHI?

  • Is the data health-related and created/used by a covered entity or its business associate for care, payment, or operations? If yes, it is PHI.
  • If not, but the data can identify a person (alone or combined), treat it as PII under applicable privacy laws.
  • When in doubt, classify higher and apply stricter controls until confirmed otherwise.

Conclusion

PII identifies people; PHI is health information tied to people within the HIPAA ecosystem. The distinction hinges on both the data and the context. By classifying data correctly, meeting the right regulatory duties, encrypting and limiting access, and preparing for incidents, you reduce risk and build trust.

FAQs

What is the difference between PII and PHI?

PII is any information that identifies a person, like names, emails, or IDs. PHI is a subset of personal information specifically about health status, care, or payment that is created or used by HIPAA-covered entities or their business associates. The same data can be PHI in a medical context and only PII elsewhere.

How do regulatory requirements differ for PII and PHI?

PII is governed by general privacy laws such as GDPR Requirements and CCPA Regulations, plus state breach laws and sectoral rules. PHI is regulated by HIPAA’s Privacy, Security, and Breach Notification Rules, with BAAs, minimum necessary standards, and healthcare-specific safeguards.

What are common examples of PII and PHI breaches?

PII breaches often involve misconfigured cloud storage, credential stuffing against consumer accounts, or email compromise exposing contact details and IDs. PHI breaches commonly stem from ransomware in hospitals, third-party billing vendor compromises, or lost unencrypted devices containing ePHI.

How should organizations handle the protection of PII and PHI?

Start with data mapping and minimization, then apply strong Data Encryption Standards, access controls, and ongoing monitoring. For PII, align notices and consumer rights with applicable laws; for PHI, ensure HIPAA Compliance with BAAs, workforce training, and documented risk analyses. Prepare for swift, accurate Data Breach Notification across all regimes.
