PHI vs PII: Know What Health Data You Can Collect
Two privacy terms every healthcare marketer should know
There are numerous acronyms used in healthcare, and two that are often misused and confused are PHI and PII. Both are related to privacy but have distinct meanings and cover different types of information. Healthcare organizations must understand how they differ, as failing to do so can lead to costly penalties and compliance issues.
We’ll cover the key questions: What is PHI? What is PII? And why the distinction matters to organizations providing healthcare services.
What is PHI?
PHI refers to Protected Health Information. The U.S. Department of Health and Human Services (HHS) explains: “PHI (Protected Health Information) is 'individually identifiable health information' held or transmitted by a HIPAA covered entity or its business associate, in any form or medium (electronic, paper, or oral).” To put it more simply, it’s any health-related information that can be used to identify a specific patient.
To clarify, covered entities include:
Health plans.
Health care clearinghouses.
Health care providers who transmit health information electronically in connection with standard transactions (e.g., billing).
Business associates, on the other hand, are any organization that handles PHI on behalf of a covered entity, such as:
IT consultants
Cloud storage providers
Telehealth support vendors, like OpenLoop.
Pro tip: Before sharing any PHI, covered entities must have a written BAA with vendors that create, receive, maintain, or transmit PHI on their behalf (45 C.F.R. §164.502(e)).
What counts as PHI?
The Health Insurance Portability and Accountability Act (HIPAA) lists 18 specific identifiers that become PHI when they’re tied to someone’s health data. This protection exists because health information is sensitive, and its unauthorized release can put individuals in a vulnerable position.
Those 18 identifiers include:
Name
Addresses (including street, city, county, zip code)
Web URLs
Fax numbers
Email addresses
Account numbers
Telephone numbers
Medical record numbers
Social Security numbers
Certificate or license numbers
Internet Protocol (IP) addresses
Health plan beneficiary numbers
Device identifiers and serial numbers
Full-face photographs and comparable images
Biometric identifiers (fingerprints, voiceprints)
Vehicle identifiers and serial numbers, including license plates
All dates except year (birth dates, admission dates, discharge dates, etc.)
Any other unique identifying number, characteristic, or code
All ages over 89 and any elements of dates (including year) indicative of such age
As you might’ve quickly realized, these identifiers appear throughout various healthcare operations, from electronic patient medical records and lab result printouts to verbal conversations between healthcare professionals. However, the key is managing this information appropriately and consistent with applicable law.
What PHI data can you collect?
Healthcare organizations can and do collect all 18 of the identifiers we mentioned earlier. Yet, here’s what’s essential:
Purpose limitation: PHI should only be collected when it’s necessary for treatment, payment, or healthcare operations.
Minimum necessary standard: Limit uses, disclosures, and requests for PHI to the minimum needed except for disclosures to or by a health care provider for treatment and other specific exceptions in the Privacy Rule.
Note: If data is properly de-identified under HIPAA, it isn’t PHI; if it’s a limited data set, it remains PHI and needs a Data Use Agreement.
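As an added example (not code from the article or from OpenLoop), the following Python applies the rules above to a constructed patient record: it removes the direct identifiers from the 18-identifier list, keeps only the year of any date, and buckets ages over 89 into a single category. The field names and the sample record are assumptions made for illustration.

```python
"""HIPAA Safe Harbor-style de-identification of a patient record.
Added example (not the article's or OpenLoop's code): drops the direct identifiers
the article lists, keeps only the year of dates, and buckets ages over 89 as "90+".
Field names and the sample record are constructed for illustration.
"""
import re

# Direct identifiers removed outright. Zip code is dropped whole here; the rule's
# 3-digit-prefix allowance for large areas is deliberately not modelled.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "zip", "phone", "fax", "email", "ssn",
    "mrn", "plan_beneficiary_no", "account_no", "license_no", "vehicle_id",
    "device_serial", "url", "ip", "biometric", "photo",
}
DATE_FIELDS = {"dob", "admission_date", "discharge_date"}  # reduced to year
DATE_RE = re.compile(r"^(\d{4})-\d{2}-\d{2}$")


def deidentify(record: dict) -> tuple[dict, list[str]]:
    """Return (de-identified copy, names of the fields that were altered)."""
    out, touched = {}, []
    over_89 = isinstance(record.get("age"), int) and record["age"] > 89
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            touched.append(field)          # removed entirely
        elif field in DATE_FIELDS:
            m = DATE_RE.match(str(value))
            if not m:
                raise ValueError(f"{field}: expected YYYY-MM-DD, got {value!r}")
            # Birth year of someone over 89 is itself indicative of age, so
            # it is withheld; other dates keep the year only.
            out[field] = None if (field == "dob" and over_89) else m.group(1)
            touched.append(field)
        elif field == "age" and over_89:
            out[field] = "90+"             # single bucket for ages over 89
            touched.append(field)
        else:
            out[field] = value             # clinical data, not an identifier
    return out, touched


# Constructed sample record (not real patient data).
SAMPLE = {
    "name": "Jane Example", "mrn": "MRN-000123", "email": "jane@example.test",
    "zip": "50309", "dob": "1931-04-15", "age": 94,
    "admission_date": "2025-02-03", "diagnosis": "hypertension",
}
```

The returned list of altered fields is what an audit log would record; a record that still carries any of the listed identifiers remains PHI.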
What is PII?
PII (personally identifiable information) is “any data that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information.” (NIST SP 800-122). Under GDPR, organizations need a lawful basis (e.g., contract, legal obligation, vital interests, public task, legitimate interests, or consent) for processing personal data. Consent is not always required.
What counts as PII?
PII includes information such as:
Names
Email addresses
Phone numbers
Home addresses
Passport numbers
Date and place of birth
Mother’s maiden name
Employment information
Social Security numbers
Driver’s license numbers
Bank account numbers
Credit card numbers
Biometric data (fingerprints, facial recognition)
What PII data can you collect?
Companies can collect PII when they have a legitimate business purpose and, in many cases, user consent. Yet, unlike PHI, which is primarily governed by HIPAA, PII data collection is regulated by various laws, depending on one’s location and industry.
For example, here are two location-based regulations:
California Consumer Privacy Act (CCPA). As amended by the CPRA (effective Jan. 1, 2023), the CCPA grants rights such as access, deletion, correction, and limitations on the use of sensitive personal information.
General Data Protection Regulation (GDPR). Regulates how companies collect, store, use, and share personal data of European Union residents.
Additionally, outside of healthcare (HIPAA), another industry-specific regulation governing PII is the Family Educational Rights and Privacy Act (FERPA). Under it, schools must protect student education records and obtain consent before disclosing PII.
Overall, the key principles companies should follow when collecting data include:
Consent: Organizations should obtain explicit consent when required by applicable laws and regulations.
Security: Companies should implement appropriate safeguards to protect the data they collect and process.
Transparency: Businesses are expected to inform users of what data they collect and why through their privacy policies.
Data minimization: They should only collect the minimum amount of PII necessary for their stated purpose.
Understanding their key differences: PII vs. PHI
At this point, you have a good idea of what data PII and PHI protect, but their differences can still be confusing. So, if you find yourself still a little unsure, consider this high-level overview:
Scope: PHI is always health-related and governed by HIPAA, while PII is broader and applies across all industries.
Regulation: PHI is primarily regulated by HIPAA, while PII falls under various laws depending on location and industry.
Who protects the data: Only HIPAA-covered entities and their business associates are required to protect PHI. However, all organizations should protect PII as best practice.
How they intersect: All PHI is PII, but not all PII is PHI. For instance, your email address is PII, but it only becomes PHI when it’s linked to your health information.
Protect patient data while delivering quality, virtual care
With healthcare being catapulted into the digital landscape, it’s crucial for organizations to understand the difference between PII and PHI.
OpenLoop provides a white-label digital health infrastructure platform designed to support HIPAA compliance and secure virtual care delivery. By integrating with our clinical and PC networks, expert protocols and pharmacy partners, OpenLoop takes on most of the compliance risk—leaving you room to focus on your business and patients.
Interested in learning what OpenLoop can do for you? Contact our sales team!
*This content is intended for general informational purposes only and should not be construed as legal advice. For guidance on your specific situation, please consult a licensed attorney.