What is PHI and PII? A Guide For Protecting Sensitive Personal Information

Working With Documents Containing PII and PHI

For most businesses, collecting and managing personal information is just part of the job. Customers often share their details and do so for a variety of reasons, trusting that this information will be kept private and managed responsibly.

Yet, the rules around classifying this data can be complex, and it’s not always clear what type of information you have on hand. Knowing whether data falls under PHI or PII helps you manage it correctly and in line with regulatory requirements that protect your customers’ privacy.

In this guide, we’ll explain how and when information is classified as either PHI or PII, how each type of data is regulated, and the steps you can take to keep it secure. Understanding these classifications will help you handle sensitive information responsibly and stay compliant with data privacy laws and regulations.

What is PHI (Protected Health Information)?

Protected Health Information (PHI) is any information that pertains to person’s health, including healthcare services they’ve received, medical diagnosis, and healthcare related payments. This type of information is usually gathered and managed by healthcare providers, insurance companies, and others in the healthcare industry, but it can be found in other circumstances as well. Details like lab results and prescriptions also fall under PHI since they’re tied to someone’s health history.

What is PII (Personally Identifiable Information)?

Personally Identifiable Information, or PII, is any data that can be used to identify, find, or contact a person. PII can be as simple as a name or address or as sensitive as a Social Security number. While there are numerous privacy laws in place that regulate how PII should be handled, the rules can vary depending on the type of information and the industry.

How to Tell PHI from PII

While both PHI and PII are considered sensitive personal information, the main difference comes down to what the information is about. Here’s an easy way to think about it:

  • If it’s health-related, it’s probably PHI. Medical records, test results, and billing information all count as PHI because they contain someone’s health details.
  • If it identifies someone but isn’t about their health, it’s usually PII. Names, addresses, and Social Security numbers fall under PII since they identify a person but don’t reveal anything about their health.

Using this basic rule can help you know how to handle each type of data securely and within the guidelines.

Regulations That Protect PHI and PII

Several regulations are in place to protect PHI and PII, each designed to keep sensitive information private. Below are two of the most common laws associated with safeguarding personal information.

HIPAA (Health Insurance Portability and Accountability Act)

HIPAA is the main regulation for handling Protected Health Information (PHI). It applies to healthcare providers, health plans, and any businesses they work with that have access to health data. HIPAA requires organizations to set up safeguards to keep PHI safe, including physical, technical, and administrative measures. The goal is to ensure that only authorized people have access to sensitive health information and that this information remains private and secure.

The Privacy Act

The Privacy Act focuses on the protection of Personally Identifiable Information (PII) held by government agencies. This regulation requires federal agencies to limit the collection and sharing of PII to what’s necessary for their purposes and to maintain clear records about how this data is handled. While this Act specifically applies to federal agencies, many businesses use it as a standard for good practices when managing personal information.

State-Level Privacy Laws

On top of federal laws, many states have created their own regulations to protect personal data. For example, California’s Consumer Privacy Act (CCPA) sets strict rules around how businesses collect, store, and share PII. Other states are following suit, with laws designed to give individuals more control over their personal information and require businesses to take extra steps to keep data secure. Currently, there are 20 states that have comprehensive data privacy laws in place.

Examples of PHI and PII

Common PHI Examples

  • Medical records and patient charts
  • Billing information
  • Health insurance policy numbers
  • Test results and diagnoses
  • Prescriptions

Common PII Examples

  • Full name
  • Social security number
  • Passport number
  • Driver’s license number
  • Email address and phone number

Best Practices for Protecting PHI and PII

Implement a Strong Data Security Policy

Develop and enforce a data security policy that includes guidelines for data collection, storage, and sharing. Ensure that employees are trained on the policy and understand their responsibilities.

Encrypt Data

Use encryption for both storing and transmitting PHI and PII to to prevent unauthorized access to sensitive data. This includes encrypting data at rest and in transit.

Apply Access Controls

Implement access controls to limit access to PHI and PII. Grant access only on a need-to-know basis and regularly review and update access permissions.

Perform Regular Risk Assessments

Conduct periodic risk assessments to identify potential vulnerabilities and threats to PHI and PII. Implement appropriate measures to address the identified risks and ensure ongoing compliance with relevant regulations.

Maintain Audit Trails

Establish comprehensive audit trails for all activities involving PHI and PII. This includes tracking data access, modifications, and deletions. Regularly review audit logs to detect and investigate any suspicious activities and to ensure a secure chain of custody is maintained.

Implement a Data Breach Response Plan

Develop a well-defined data breach response plan that outlines the steps to be taken in the event of a security incident. This plan should include procedures for detecting, containing, and mitigating breaches, as well as notifying affected individuals and relevant authorities.

A Note About Digitizing Your Records

Securely digitizing your records with a HIPAA compliant document scanning service makes it incredibly easy implement most these PII and PHI best practices.

That’s because electronic records can be protected with passwords and multi-factor authentication, as well as encrypted to protect data from unauthorized access.

Speaking of access, establishing an audit trail when working with digital files is a breeze. You can record every access to a particular document and store that information digitally. Plus, working digitally enables backups and recovery, ensuring data safety in case of disasters.

Managing Data Breaches

Detect and Contain the Breach

Upon detecting a data breach, take immediate action to contain the incident and prevent further unauthorized access or data loss. This may involve disconnecting affected systems, revoking access credentials, or implementing additional security measures.

Assess the Impact

Determine the scope and severity of the breach, including the types of PHI and PII affected and the number of individuals impacted. Evaluate the potential risks and consequences associated with the breach, such as identity theft, financial loss, or damage to reputation.

Notify Affected Parties and Authorities

Depending on the jurisdiction and the severity of the breach, notify affected individuals and relevant regulatory authorities in a timely manner. Provide clear and accurate information about the breach, including steps taken to address the issue and recommended actions for affected individuals.

Review and Improve Security Measures

Conduct a thorough post-incident analysis to identify the root cause of the breach and implement appropriate measures to prevent similar incidents in the future. This may involve updating security policies, enhancing access controls, or providing additional employee training.

What Comes Next?

Understanding the differences between PHI and PII is crucial for any organization that handles sensitive personal data. By implementing the proper data security practices and adhering to relevant regulations, organizations can effectively safeguard PHI and PII, minimize the risk of data breaches, and maintain trust with their clients and customers.

Read More

It can be difficult to keep track of all the records generated during the hiring process. Its even more challenging when these records are a mix of paper and digital communications. Taking your HR department paperless is one of the most effective ways to simplify onboarding and streamline the management of records created in the process.

Read Article

In this article, we’ll explore the benefits of digitization for small cities and towns, the types of records that can be digitized, and the best approaches to get started. Whether you’re tackling a growing stack of paper or seeking ways to improve efficiency, government records scanning services make the process of going paperless easier and more affordable.

Read Article

Utility companies face unique challenges when it comes to records management. From engineering plans and site maps to service reports and regulatory documents, the variety and volume of records they need to keep track of is staggering. These records play an important role in keeping services running smoothly, ensuring regulatory compliance, and maintaining transparency with

Read Article