PHI vs. PII: What’s the Difference?

We live in a world of acronyms and abbreviations where things need to happen ASAP before they are FUBAR’d. Regarding privacy and data security, two common abbreviations are PII and PHI. What are the similarities and differences between these two?

PHI vs. PII Examples

According to the National Institute of Standards and Technology (NIST), PII (Personally Identifiable Information) is defined as “any information about an individual maintained by an agency, including: 

(1) any information that can be used to distinguish or trace an individual's identity, such as name, Social Security number, date and place of birth, mother's maiden name, or biometric records; and 

(2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”

PHI (Protected Health Information) is a subset of PII. When PII is generated as part of a healthcare-related operation (treatment, testing, payment, insurance filing, etc.) covered by the rules and regulations of the Health Insurance Portability and Accountability Act (HIPAA), it is considered to be PHI.


HIPAA designates 18 specific kinds of information as PHI: 

  1. Name
  2. Address (including subdivisions smaller than states, such as a street address, city, county, or zip code)
  3. Any dates (except years) that are directly related to an individual, including birthday, date of admission or discharge, date of death, or the exact age of individuals older than 89
  4. Telephone number
  5. Fax number
  6. Email address
  7. Social Security number
  8. Medical record number
  9. Health plan beneficiary number
  10. Account number
  11. Certificate/license number
  12. Vehicle identifiers, serial numbers, or license plate numbers
  13. Device identifiers or serial numbers
  14. Web URLs
  15. IP address
  16. Biometric identifiers such as fingerprints or voiceprints
  17. Full-face photos
  18. Any other unique identifying numbers, characteristics, or codes

The critical difference between PII and PHI is context. A person’s address in a bank record might be considered PII, but the same address in a medical file would be PHI.

PHI vs. PII: Compliance

HIPAA’s rules and regulations establish standards for the proper use and sharing of PHI and empower patients to decide how or if their PHI is shared. HIPAA compliance means organizations that create or hold PHI must follow the HIPAA Privacy Rule and the HIPAA Security Rule. The HIPAA Breach Notification Rule requires PHI breaches to be reported based on the size of the breach.

Many states also regulate PHI and PII through data breach notification and privacy laws. California today has some of the most stringent regulations in this arena. Federal lawmakers have been discussing some type of national privacy law that will protect PII, but no agreement has been reached.

If you need help mastering PHI and achieving HIPAA Compliance, let Compliancy Group show you how simple it can be.
