PHI vs. PII: What’s the Difference?
PHI vs. PII Examples
According to the National Institute of Standards and Technology (NIST), PII (Personally Identifiable Information) is defined as “any information about an individual maintained by an agency, including:
(1) any information that can be used to distinguish or trace an individual’s identity, such as name, Social Security number, date and place of birth, mother’s maiden name, or biometric records; and
(2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”
PHI (Protected Health Information) is a subset of PII. When PII is generated as part of a healthcare-related operation (treatment, testing, payment, insurance filing, etc.) covered by the rules and regulations of the Health Insurance Portability and Accountability Act (HIPAA), it is considered to be PHI.
HIPAA designates 18 specific kinds of information as PHI:
- Address (including subdivisions smaller than states, such as a street address, city, county, or zip code)
- Any dates (except years) that are directly related to an individual, including birthday, date of admission or discharge, date of death, or the exact age of individuals older than 89
- Telephone number
- Fax number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Vehicle identifiers, serial numbers, or license plate numbers
- Device identifiers or serial numbers
- Web URLs
- IP address
- Biometric identifiers such as fingerprints or voiceprints
- Full-face photos
- Any other unique identifying numbers, characteristics, or codes
The critical difference between PII and PHI is context. A person’s address in a bank record might be considered PII, but the same address in a medical file would be PHI.
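The following is an added example, not code from the original article or from Compliancy Group. It applies the handling that the list above implies to a constructed patient record: identifiers such as phone, email, SSN and medical record number are removed outright, addresses are reduced to the state, dates keep only the year, and exact ages over 89 are replaced by a band. It also shows the context point, since the same field is labelled PII or PHI depending on whether the record comes from a HIPAA-covered operation, and it scans free-text notes for identifier patterns that survive field-level removal. Field names, the sample record and the regular expressions are assumptions made for this illustration.

```python
import re
from datetime import date

# Identifier categories from the article that can only be handled by removal.
# The field names are assumptions for this example; a real record layout differs.
REMOVE_FIELDS = {
    "phone", "fax", "email", "ssn", "mrn", "health_plan_id", "account_number",
    "license_number", "vehicle_plate", "device_serial", "url", "ip_address",
    "voiceprint", "photo",
}
# Categories that are generalized rather than dropped.
GENERALIZE_FIELDS = {"address", "age"}


def identifier_label(field, hipaa_context):
    """Context decides the label: the same identifier is PII in a bank record
    and PHI in a record created by a HIPAA-covered operation.
    Returns None for fields that are not on the identifier list."""
    if field in REMOVE_FIELDS or field in GENERALIZE_FIELDS or field.endswith("_date"):
        return "PHI" if hipaa_context else "PII"
    return None


def generalize_date(d):
    """Dates directly related to an individual keep only the year."""
    return str(d.year)


def generalize_age(age, cutoff=89):
    """Exact ages over 89 are identifying; report them as a single band."""
    return age if age <= cutoff else f"over {cutoff}"


def generalize_address(addr):
    """Geographic subdivisions smaller than a state (street, city, county, zip) go."""
    return {"state": addr.get("state")}


def deidentify(record):
    """Apply removal or generalization field by field; everything else is kept."""
    out = {}
    for field, value in record.items():
        if field in REMOVE_FIELDS:
            continue
        if field == "address":
            out[field] = generalize_address(value)
        elif isinstance(value, date):
            out[field] = generalize_date(value)
        elif field == "age":
            out[field] = generalize_age(value)
        else:
            out[field] = value
    return out


# Patterns for identifiers that tend to survive inside free text (assumed shapes).
TEXT_PATTERNS = {
    "ssn": r"\b\d{3}-\d{2}-\d{4}\b",
    "phone": r"\b\d{3}[-.]\d{3}[-.]\d{4}\b",
    "email": r"\b[\w.+-]+@[\w-]+\.[\w.]+\b",
    "ip_address": r"\b(?:\d{1,3}\.){3}\d{1,3}\b",
}


def residual_identifiers(record):
    """Field-level removal misses identifiers embedded in notes; list what remains."""
    found = []
    for field, value in record.items():
        if isinstance(value, str):
            for name, pattern in TEXT_PATTERNS.items():
                if re.search(pattern, value):
                    found.append((field, name))
    return found


# Constructed sample record (all values are made up for this example).
SAMPLE_RECORD = {
    "mrn": "MRN-000123",
    "email": "jane@example.com",
    "address": {"street": "1 Main St", "city": "Springfield", "state": "IL", "zip": "62701"},
    "birth_date": date(1930, 5, 17),
    "admission_date": date(2023, 3, 2),
    "age": 93,
    "diagnosis": "hypertension",
    "notes": "Patient called from 555-123-4567; reachable at jane@example.com",
}

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD)
    print(cleaned)
    print("still present in free text:", residual_identifiers(cleaned))
```

Running the block shows that the structured fields come out clean while the notes still carry a phone number and an email address, which is why a de-identification pass has to look inside free text as well as at field names.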
PHI vs. PII: Compliance
HIPAA’s rules and regulations establish standards for the proper use and sharing of PHI and empower patients to decide how, or whether, their PHI is shared. HIPAA compliance means organizations that create or hold PHI must follow the HIPAA Privacy Rule and the HIPAA Security Rule. The HIPAA Breach Notification Rule requires PHI breaches to be reported, with reporting obligations that depend on the size of the breach.
Many states also regulate PHI and PII through data breach notification and privacy laws. California today has some of the most stringent regulations in this arena. Federal lawmakers have been discussing a national privacy law to protect PII, but no agreement has been reached.
If you need help mastering PHI and achieving HIPAA Compliance, let Compliancy Group show you how simple it can be.