PHI vs. PII: What’s the difference?

Your organization’s customers or patients expect you to do everything possible to protect their personal information. You and your employees need to know the best practices to follow to secure a wide range of data types that may be used to identify and potentially harm your customers.

Here’s an overview of personally identifiable information (PII) and protected health information (PHI) and why taking steps to secure this data is so important for your business and the people it works with.

Personally identifiable information, or PII, consists of types of information that can be used for identification.

Many data types classified as PII can identify an individual on their own, while others can only do so when combined with at least one other piece of information.

The types of PII that provide sensitive information about an individual require careful protection. Some other types are not considered sensitive because they are publically available and relatively easy to find.

Sensitive PII

Sensitive PII can cause significant harm to an individual or business if it falls into the wrong hands. This means it must be carefully protected to reduce the likelihood of data breaches, phishing scams, or other cyber attacks.

The individual the information is affiliated with and the institution that manages it should generally be the only parties with ongoing access. These parties should be extremely careful about who they give the information to and where they enter it. There’s a risk that the person requesting the PII doesn’t have a legitimate reason to access it and is not who they say they are.

Here are some common types of sensitive PII:

• Bank account, credit card, or other financial information

• Passport or driver’s license information

• Social security number

• Mailing address (if different from publicly available information)

• Medical records (PHI is considered a subset of PII, meaning information that makes up PHI is also categorized as PII)

Non-sensitive PII

Non-sensitive PII is generally available to the public and quite easy to find online or in a phone book. It can’t typically be protected in the same way as sensitive PII. As such, it should be kept confidential.

This type of information is typically less damaging to the individual it describes than most types of sensitive PII. It usually describes more than one person—in which case, it can’t be used on its own to identify someone. This means that non-sensitive PII can be useful for verifying that an individual is who they say they are before granting access to sensitive PII. However, it’s important to remember that this type of information is available to the public.

The below are examples of non-sensitive PII:

• Date of birth

• Place of birth

• Zip code

• Race

• Gender

• Religion 

Protected health information, or PHI, is a specific type of personally identifiable information. It involves data about a person’s previous medical treatment, condition, and other medical records.

PHI includes information protected by the Health Insurance Portability and Accountability Act (HIPAA), which is designed to protect patient privacy. It limits access to an individual’s medical information so that it’s only accessible to people with a valid reason or the individual’s consent.

Here are some of the most common types of PHI:

• Any type of private medical information

• Fingerprints, voiceprints, facial recognition, or other biometric identifying information

• Biological specimens

• Non-anonymous data that identifies participants in medical trials

Because health information is extremely personal, covered entities (healthcare providers, health plans, healthcare clearinghouses, and some of their business associates covered by HIPAA) need to be aware of and adhere to current confidentiality guidelines.

PHI is a specific type of PII. It’s more heavily regulated than most other types of PII, and protecting it is generally more important.

While PII refers to any information that can identify an individual, PHI is health-related information protected by HIPAA.

The patients or customers your organization works with expect you to do everything possible to keep their personal information secure. Failing to do so may significantly reduce their trust in your organization.

A data breach or other severe failure to secure PII, PHI, or other personal information may cause your company to lose many patients or customers at once. In the most extreme circumstances, this may impact your ability to stay in business.

Your organization may also receive significant fines of up to $5,000 per incident or other penalties, including imprisonment, if you fail to take steps to protect this information.

To promote the highest possible level of compliance, ensure everyone in your organization is on the same page. This involves creating a company culture that emphasizes awareness. Team members need to know which type of information they access, why they should keep it secure, and how.

You need to make sure that everyone has the information and knowledge needed to make informed decisions and take responsibility for playing their role in protecting your business and the people it supports.

Below are some of the most important steps your organization can take to safeguard PII and PHI:

Ensure your devices adhere to cybersecurity guidelines

Making sure your company’s devices are properly protected is key to preventing potential hackers from accessing PHI or PII on your network or programs.

Any company-owned computers, tablets, and cell phones should have reputable antivirus software installed to reduce the likelihood of successful cyber attacks. Your organization should encourage team members to install antivirus software on their personal devices if they use them for work.

Here are some other best practices that can help you ensure that your devices can protect sensitive information:

• Installing a strong firewall and domain name system (DNS) filtering

• Using screen locks with strong passwords

• Updating devices regularly to ensure they have the most recent security upgrades

• Automatically filtering emails and text messages that are likely to contain phishing or other types of spam

Follow the rule of least privilege

Not everyone in your organization needs to access the same amount of confidential information. Preventing unnecessary access can significantly reduce the risk of data breaches or other problems caused by human error.

To reduce the likelihood of data breaches, determine the specific types of information team members need to access to do their jobs and take steps to ensure they can only access critical information.

Team members who regularly work with certain types of information are more likely to understand why it needs protection and make more effort. In contrast, team members who access information they don’t really need may forget that it needs protecting.

Adhere to standard security policies

Most data breaches are caused by human error. Having clear policies for properly using and securing PII and PHI, and ensuring your team members know what they are expected to do and what will happen if they don’t, is a strong approach to protecting information.

Create procedures that clearly convey what your employees should do in specific situations to help them better understand their role in protecting confidential information. This will also demonstrate why protecting PII is so important for everyone your organization works with.

Encrypt data

Human error or the failure of cybersecurity programs may occur regardless of how well you attempt to protect your devices, programs, and network.

This is why encryption is so important. Encrypting your data can make it unusable in the wrong hands.

In addition to this, a VPN or similar tool can serve as a final barrier that prevents hackers from accessing personal information even if they gain access to your network or company devices.

There are 18 specific types of PHI that must be protected, although some documents contain several of these identifiers. These identifiers include the following:

1. Patient names

2. Geographic elements

3. Dates related to an individual’s health or identity

4. Phone numbers

5. Fax numbers

6. Email addresses

7. Social security numbers

8. Medical record numbers

9. Health insurance beneficiary numbers

10. Account numbers

11. Certificate or license numbers

12. Vehicle identifiers

13. Device attributes or serial numbers

14. Digital identifiers, such as website URLs

15. IP addresses

16. Biometric elements, such as finger, retinal, and voiceprints

17. Photos of a patient’s face

18. Other identifying numbers or codes

Social security numbers are considered PII because they are assigned to a specific individual and could cause significant damage when used by someone who is pretending to be that person.

PHI is a specific type of personally identifiable information that is related to a patient’s health.

PII is a much broader concept that includes all types of information that can be used to identify an individual.

PCI, or payment card industry, refers to certain types of confidential financial information.