Getty Images/iStockphoto
Key Differences Between PHI and PII, How They Impact HIPAA Compliance
Covered entities must understand the differences between PII and PHI to maintain HIPAA compliance and protect patient data.
Personally identifiable information (PII) and protected health information (PHI) may seem similar on the surface, but key distinctions set them apart. While PII is a catch-all term for any information that can be traced to an individual’s identity, PHI applies specifically to HIPAA covered entities that possess identifiable health information.
Using the terms interchangeably fails to recognize the intricacies of each and can lead to compliance issues for healthcare organizations.
HealthITSecurity takes a deep dive into what differentiates PHI from PII, the key identifiers that transform ordinary health information into PHI under HIPAA, and how organizations can enact safeguards to protect PHI from bad actors and ensure compliance.
PII Versus PHI
Personally identifiable information encompasses any information that can be directly or indirectly linked to an individual’s identity, according to the National Institute of Standards and Technology (NIST).
PII includes, but is not limited to, Social Security numbers, passport numbers, driver’s license numbers, addresses, email addresses, photos, biometric data, or any other information that can be traced to one individual. Medical, educational, financial, and employment information all fall under PII.
“An organization cannot properly protect PII it does not know about,” NIST notes. For that reason, understanding the scope of PII and how to protect it is a cornerstone to sufficient data privacy.
Protected health information is a subset of PII, but it specifically refers to health information shared with HIPAA covered entities. Medical records, lab reports, and hospital bills are PHI, along with any information relating to an individual’s past, present, or future physical or mental health.
“The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information,” the HHS website states.
“At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.”
Covered entities are specified in the HIPAA Privacy Rule as health plans, healthcare clearinghouses, and healthcare providers. If a covered entity chooses to work with a business associate that might handle PHI, the entity must have a written business associate agreement (BAA) requiring the associate to comply with HIPAA standards.
The HIPAA Privacy Rule defines 18 identifiers that make health information PHI under HIPAA:
- Names
- All geographic subdivisions smaller than a state (street address, city, county, zip code)
- Dates, including birthdate, admission date, discharge date, and date of death
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers; including fingerprints and voice
- Full face photos
- Any other unique identifying number, characteristic, or codes
To detangle PHI from its HIPAA protections for research purposes, organizations can de-identify health data by removing all 18 elements of PHI. Once the data is guaranteed to be impossible to trace back to one individual, it is no longer PHI and no longer has protection under HIPAA.
The designation of PHI aims to protect patient privacy while allowing providers to facilitate care coordination. Rather than serving as a barrier to care or preventing information sharing altogether, the HIPAA Privacy Rule simply ensures that PHI is shared only with patient permission or for care coordination purposes between covered entities.
Identifiable health information is not considered PHI unless that organization is a HIPAA covered entity. Additionally, not all health information obtained by covered entities is considered PHI.
“A health plan report that only noted the average age of health plan members was 45 years would not be PHI because that information, although developed by aggregating information from individual plan member records, does not identify any individual plan members and there is no reasonable basis to believe that it could be used to identify an individual,” HHS explains.
Residential addresses and phone numbers alone are not PHI, but if those data points were paired with a health condition, treatment plan, or any other specific health information, it would transform from PII to PHI.
Rules and regulations surrounding PII and PHI
In the case of PHI, HIPAA covered entities that face a data breach are legally required to notify HHS and state agencies within 60 days of breach. If the breach impacts more than 500 residents of a state, organizations are also required to notify major local media outlets in the form of a press release.
In addition, covered entities must send a written notice in the mail to all impacted individuals and post a notice on the home page of its website for at least 90 days. Specific requirements vary by state.
PHI breaches are strictly regulated by the HIPAA Security Rule, which “establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity.”
The rule also requires healthcare organizations to implement data security safeguards to ensure data confidentiality.
To help organizations manage and protect PII appropriately, NIST created the “PII confidentiality impact level” standard, which allows entities to categorize PII into low, moderate, or high risk levels. The levels are determined by evaluating the potential harm that could be inflicted on individuals and the organization if the PII were to end up in the wrong hands.
Organizations must consider how many individuals may be impacted if a breach occurs, how easy it would be to link the PII to a specific individual, where the data is located, and who has access to it.
PII that is at a high impact level for some may be at a low impact level for others. Each organization will have different needs depending on the types of PII they are storing and how it is organized.
For example, Social Security numbers are more sensitive than phone numbers, so they may be categorized at a high confidentiality impact level. In addition, a breach involving the information of 20 people will likely be less impactful than one involving 200,000 people, which may change how organizations stratify risk.
When a PII breach occurs, businesses are required to report the incident. But data breach notification laws vary state-by-state, and some experts argue that businesses receive too much leniency when it comes to notifying the public and the government.
In June, US lawmakers introduced legislation that would require businesses to notify the government within 24 hours of a data breach. Currently, many states do not have strict deadlines for when businesses have to report a breach to the government.
Safeguarding your organization’s data
Patients trust their healthcare providers to protect them by delivering life-saving surgeries, preventive care, and emergency services. But providers and health plans have an obligation under HIPAA to protect their patients’ sensitive data as well.
Over 500 healthcare providers fell victim to ransomware attacks in 2020. Ransomware attacks and data breaches that result from unauthorized access and poor cyber hygiene are extremely costly and can be damaging to a healthcare provider’s reputation. In addition, data breaches put patients at risk of identity theft and financial fraud.
To protect PHI, covered entities must enact administrative, physical, and technical safeguards. Administrative safeguards involve managing workforce conduct in relation to PHI and maintaining policies and procedures to maintain proper data security.
The rule also requires organizations to maintain physical safeguards by employing defenses against natural disasters and unauthorized access to PHI through physical measures, policies, and procedures.
Enacting technical safeguards requires entities to implement strong cybersecurity protocols and control digital access. NIST recommends installing antivirus software, keeping computers patched, and prohibiting the use of personal devices on an organization’s network.
It is equally critical to educate employees on common phishing tactics and cyber hygiene practices to avoid compromising the network.
The processes of protecting PII and PHI are largely the same. Keeping systems up to date and employing strict cybersecurity standards is crucial no matter what type of sensitive information an organization may have. However, the aftermath of a data breach containing PHI may look slightly different. HIPAA covered entities have a particular obligation to protect PHI, and patient safety is at stake.
Understanding the difference between PII and PHI is an essential step to guaranteeing data security and maintaining HIPAA compliance. Healthcare organizations that can recognize the complexities of the two may be able to save money, time, and headaches, while shielding patients from harm.