PII, or personally identifiable information, is sensitive data used to identify, contact, or locate specific people. Healthcare organizations should implement HIPAA PII privacy and security measures to protect the privacy and security of PII. HIPAA PII security helps to foster HIPAA PHI (protected health information) security.
What Kinds of Information Constitute HIPAA PII?
Personally identifiable information is data relating directly or indirectly to an individual, from which the identity of the individual can be determined. Examples of PII include patient names, addresses, phone numbers, Social Security numbers, and bank account numbers. PII can also constitute information such as IP addresses, device IDs, and GPS location data.
PII is linked to specific individuals through direct and indirect identifiers. Direct identifiers are those identifiers that enable the identification of an individual without additional information. Examples of direct identifiers include:
In contrast, indirect identifiers enable the identification of individuals only when combined with other information. Examples of indirect identifiers include street address without a city, the last four digits of a Social Security number, or birth dates.
What Laws Regulate PII?
PII is regulated through a series of federal and state laws. Examples of laws that regulate how PII is collected, used, processed, and disclosed, include:
- The Federal Trade Commission Act (FTC Act). This law prohibits unfair or deceptive trade practices involving the collection, use, processing, and disclosure of PII.
- The Gramm-Leach-Bliley Act, or GLBA. This law regulates financial institutions’ collection, use, processing, and disclosure of PII.
- The Telephone Consumer Protection Act, which regulates telemarketing activities.
- The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act), which regulates commercial email marketing.
- The Children’s Online Privacy Protection Act, which applies to the online collection of information from children under the age of 13.
- The Fair Credit Reporting Act, which applies to consumer credit.
- The Electronic Communications Privacy Act (ECPA), and the Computer Fraud and Abuse Act (CFAA), both of which regulate electronic communications and unauthorized computer use.
What is the Difference Between HIPAA PII and HIPAA PHI?
PHI, or protected health information, is a subset of PII. Information may constitute PII without constituting PHI. Under HIPAA, protected health information is individually identifiable information relating to the past, present, or future health status of an individual that is created, collected, transmitted, or maintained by a HIPAA covered entity in relation to the provision of healthcare, payment for healthcare services, or use in healthcare operations.
Personally or individually identifiable information, by itself, is not PHI. To constitute PHI, and thereby be subject to regulation by HIPAA, PII must relate to health status. It must be created, collected, transmitted, or maintained by a covered entity with respect to provision of healthcare, payment of healthcare, or use in healthcare operations activities.
How Do I Keep PII Secure?
Organizations can place PII into categories (e.g., low harm, significant harm) based upon how much harm a breach in each category could cause. The National Institute of Standards and Technology recommends that organizations consider the following factors when deciding which category a given piece of PII belongs in:
- Identifiability: Is it easy to uniquely identify the individual using the PII?
- Quantity of PII: How many identities could be compromised by a breach? For example, a clinic would likely have more PII at risk if it shared a database with allied clinics than if it maintained a separate database.
- Quantity of Harm: How much harm could the data cause, if breached? A phone number is less sensitive than a credit card or Social Security number, for example. However, if a breach of the phone number would most likely also compromise name, SSN, or other personal data, that phone number should be considered sensitive, resulting in significant harm.
- Context of Use: Does the way the information is used affect its impact? Think of a hospital that has an opt-in newsletter to patients, doctors, organizations, and other community members. A list of newsletter subscribers would contain the PII of some patients, but that info would be less sensitive than the same PII in patient medical records; only the latter actually indicates patient status.
- Access to and Location of PII: The personally identifiable information HIPAA governs is often stored, transported, and processed by third-party IT services, accessed offsite by medical professionals who aren’t employees of the organization, and processed by a variety of business associates. This creates risks that wouldn’t be present if, for example, the PII were locked in a vault and could only be accessed by one doctor.
What Are PII Security Best Practices?
PII security best practices include:
- Purging unnecessary PII from records.
- De-identifying (anonymizing) data and feedback so that it can no longer identify an individual.
- Implementing access control measures, so that sensitive information is accessible only to people who need it to do their jobs.
- Encrypting all sensitive information.
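As an added example that is not part of the original article, the following Python applies the first three practices above to a constructed patient record, using the direct/indirect identifier distinction from earlier on the page: unnecessary fields are purged, direct identifiers are replaced with keyed pseudonyms so records stay linkable without exposing the value, and indirect identifiers are generalised. The field names, sample values, the HMAC key and the per-field policy are all assumptions for illustration.

```python
import hmac
import hashlib

# Constructed sample record; field names and values are illustrative only.
SAMPLE_RECORD = {
    "patient_name": "Jane Doe",
    "ssn": "123-45-6789",
    "phone": "555-0100",
    "street_address": "12 Elm Street",
    "city": "Springfield",
    "birth_date": "1980-06-15",
    "ip_address": "203.0.113.7",
    "newsletter_opt_in": True,
    "diagnosis_code": "E11.9",
}

# Direct identifiers (identify a person on their own) get a keyed pseudonym.
DIRECT_IDENTIFIERS = {"patient_name", "ssn", "phone", "ip_address"}
# Indirect identifiers (identify only in combination) are generalised.
INDIRECT_IDENTIFIERS = {"street_address", "city", "birth_date"}
# Fields that serve no purpose for the downstream use are purged outright.
PURGE_FIELDS = {"newsletter_opt_in"}


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed HMAC: same person -> same token, but the token reveals nothing
    about the value unless the key is known. Keep the key separate from
    the de-identified data set."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def generalise(field: str, value: str) -> str:
    """Coarsen an indirect identifier so it no longer narrows to one person."""
    if field == "birth_date":
        return value[:4]          # keep only the birth year (assumed policy)
    return "[REDACTED]"           # drop address components entirely


def deidentify(record: dict, key: bytes) -> dict:
    """Return a copy of the record with PII purged, pseudonymised or generalised."""
    out = {}
    for field, value in record.items():
        if field in PURGE_FIELDS:
            continue                                   # purge unnecessary PII
        if field in DIRECT_IDENTIFIERS:
            out[field] = pseudonymise(str(value), key) # de-identify direct IDs
        elif field in INDIRECT_IDENTIFIERS:
            out[field] = generalise(field, str(value)) # generalise indirect IDs
        else:
            out[field] = value                         # clinical data is kept
    return out
```

The pseudonym key is what turns the tokens back into a re-identification risk, so it belongs under the same access controls as the original records, not alongside the de-identified output.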