In the world of data privacy and security, two acronyms come up constantly: PII (Personally Identifiable Information) and PHI (Protected Health Information). While related, they refer to different categories of sensitive data — each governed by distinct regulations and requiring specific protection measures.
Misclassifying data can lead to compliance violations, hefty fines, and damaged customer trust. Whether you're a startup founder, IT professional, or compliance officer, understanding these distinctions is fundamental to building a robust data protection strategy.
PII = Any data that can identify an individual (name, email, SSN). PHI = PII + health information held by HIPAA-covered entities. All PHI is PII, but not all PII is PHI.
What is PII?
Personally Identifiable Information (PII) is any data that can be used — alone or combined with other information — to identify, contact, or locate a specific individual.
The US National Institute of Standards and Technology (NIST) defines PII as information that can be linked to a specific person through "direct" or "indirect" identification.
Types of PII
Direct Identifiers (Sensitive PII)
- Full name
- Social Security Number (SSN)
- Driver's license number
- Passport number
- Financial account numbers
- Biometric data (fingerprints, facial recognition, DNA)
- Credit card numbers
Indirect Identifiers (Non-Sensitive PII)
- ZIP code
- Date of birth
- Gender
- Race
- Job title
- Place of employment
- Education level
Studies show that 87% of the US population can be uniquely identified using just ZIP code + birth date + gender. When combined, indirect identifiers become sensitive PII.
What is PHI?
Protected Health Information (PHI) is a specific subset of PII that includes any individually identifiable health information created, received, maintained, or transmitted by a HIPAA-covered entity or business associate.
The key distinction: PHI relates to a person's past, present, or future physical or mental health, healthcare services received, or payment for healthcare services.
What Qualifies as PHI?
PHI includes health information combined with any of the 18 HIPAA identifiers:
- Names
- Geographic data (smaller than state)
- Dates (birth, admission, discharge, death)
- Phone/fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers, license numbers
- Vehicle identifiers, device serial numbers
- Web URLs, IP addresses
- Biometric identifiers
- Full-face photos
- Any other unique identifying characteristic
PII vs PHI: Key Differences
| Aspect | PII | PHI |
|---|---|---|
| Scope | Any identifying personal data | Health-related PII only |
| Regulatory Body | FTC, State AGs, GDPR, CCPA | HHS Office for Civil Rights |
| Primary Law | GDPR, CCPA, State laws | HIPAA + HITECH Act |
| Covered Entities | Any organization | Healthcare providers, plans, clearinghouses |
| Penalties | Varies by jurisdiction | Up to $1.9M/year per category |
| Breach Notification | Varies by state/law | 60 days (HIPAA mandate) |
Real-World Examples
PII Only (Not PHI)
- Customer name + email on an e-commerce site
- Employee SSN in HR database
- Bank account number on a financial statement
- Driver's license number at a hotel check-in
PHI (Always Also PII)
- Patient name + diagnosis in EHR system
- Insurance claim with medical billing codes
- Lab results sent to a doctor
- Prescription record with patient identifier
- Mental health therapy notes
Ask yourself: "Is this health information held by a HIPAA-covered entity or business associate?" If YES → it's PHI. If NO → it's likely PII subject to other privacy laws.
When PHI Becomes Just PII
Health information loses its PHI status (and HIPAA protection) when:
- De-identified: Stripped of all 18 HIPAA identifiers (Safe Harbor method)
- Not held by covered entity: e.g., your Fitbit data is health info but not PHI
- Held by non-HIPAA entity: Health apps, wellness programs outside healthcare context
- Employment records: Even with health info, employment records aren't PHI
- Educational records: Health info in school records is FERPA, not HIPAA
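The decision rule above ("health information held by a covered entity or business associate?") and the Safe Harbor stripping, as an added worked example in Python that is not part of the original article. The field names, the sample records and the helpers `classify` and `safe_harbor` are constructed for illustration; a real schema will map its own columns onto the 18 identifier categories.

```python
# Constructed field names standing in for the 18 Safe Harbor identifier
# categories listed above (real schemas will differ).
IDENTIFIER_FIELDS = {
    "name", "street", "city", "zip",              # names, geography smaller than state
    "birth_date", "admission_date", "discharge_date", "death_date",
    "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "photo",
}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
# Constructed fields carrying health content: condition, care, or payment for care.
HEALTH_FIELDS = {"diagnosis", "procedure", "lab_result", "prescription", "claim"}


def present(record, fields):
    """Return the names from `fields` that are set to a non-empty value in `record`."""
    return {k for k in fields if record.get(k) not in (None, "")}


def classify(record, held_by_covered_entity):
    """Apply the article's rule: identifiers + health data + covered entity = PHI."""
    idents = present(record, IDENTIFIER_FIELDS)
    health = present(record, HEALTH_FIELDS)
    if not idents:
        return "de-identified" if health else "not personal data"
    if health and held_by_covered_entity:
        return "PHI"
    return "PII"  # identifiable, but governed by GDPR/CCPA/state law rather than HIPAA


def safe_harbor(record, as_of_year):
    """Safe Harbor de-identification: drop every identifier field, keeping only the
    year of dates. Ages over 89 are aggregated into a single "90+" bucket, as the
    rule requires. The rule also permits 3-digit ZIP prefixes when the area has more
    than 20,000 people; this toy simply strips ZIPs outright."""
    out = {}
    for k, v in record.items():
        if k == "birth_date":
            age = as_of_year - int(v[:4])          # v is "YYYY-MM-DD"
            if age > 89:
                out["age"] = "90+"
            else:
                out["birth_year"] = v[:4]
        elif k in DATE_FIELDS:
            out[k[:-5] + "_year"] = v[:4]          # "admission_date" -> "admission_year"
        elif k not in IDENTIFIER_FIELDS:
            out[k] = v
    return out
```

The same record is PHI in a hospital's EHR and merely PII in a non-covered wellness app, which is exactly the distinction the section draws.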
Protection Strategies
For PII
- Implement data classification policies
- Use encryption (at-rest and in-transit)
- Apply access controls based on need-to-know
- Maintain audit logs of who accessed what
- Provide privacy notices to data subjects
- Honor data subject rights (access, deletion, correction)
For PHI (Additional Requirements)
- Conduct annual HIPAA risk assessments
- Execute Business Associate Agreements (BAAs)
- Implement technical safeguards (access controls, audit logs, encryption)
- Maintain physical safeguards for ePHI storage
- Provide HIPAA training to all workforce members
- Have breach notification procedures ready
Other Important Data Classifications
Beyond PII and PHI, you should be aware of:
- NPI (Non-Public Information): Financial data under GLBA
- CUI (Controlled Unclassified Information): Government-related data
- PCI Data: Payment card information under PCI-DSS
- FERPA Records: Student education records
- Trade Secrets: Confidential business information
Best Practices for Data Classification
Step 1: Data Discovery
Inventory all data your organization collects, processes, and stores. Use automated discovery tools for accuracy.
Step 2: Classification Framework
Create tiers like Public, Internal, Confidential, Restricted — and map data types to each tier.
Step 3: Labeling
Apply visible labels to documents, emails, and systems indicating sensitivity level.
Step 4: Handling Procedures
Define how each classification tier must be stored, transmitted, shared, and destroyed.
Step 5: Training
Train all employees to recognize and properly handle different data classifications.
Conclusion
Understanding the difference between PII and PHI is the foundation of effective data privacy compliance. PII casts a wide net covering any identifying information, while PHI is the specialized subset governed by HIPAA in healthcare contexts.
The most important takeaway: classify your data accurately, apply the appropriate regulatory framework, and implement robust protection measures. When in doubt, treat data as more sensitive rather than less — the cost of over-protection is far less than the cost of a breach.