For most healthcare organizations, protecting patient privacy is the most important aspect of HIPAA compliance, and the most difficult. HIPAA uses the term Protected Health Information (PHI) for the data it protects, but the concept is very similar to Personally Identifiable Information (PII), the term used in other compliance regimes. Understanding how PII and PHI overlap can help organizations unify compliance efforts across regimes, reducing the risk, cost, and complexity of keeping data secure.

PII Definition and Examples

As the name implies, personally identifiable information (PII) is any data that can identify an individual. Specific information such as a full name, date of birth, home address, or biometric data should always be treated as PII. Other data, such as a first name, an initial and last name, or even height or weight, may only count as PII under certain circumstances or when combined with other information.

For example, a record that referenced “Mr. Smith in New York” would likely not contain enough information to reveal the subject’s identity. However, if the patient had a less common name and lived in a small town, the same record would likely count as PII, since it would be easy to infer who the subject was.

PHI Definition and Examples

Protected health information (PHI) includes any information used in a medical context that can identify a patient. HIPAA does not use the term personally identifiable information; the HIPAA Privacy and Security Rules regulate such data under the term Protected Health Information (PHI). Some examples of PHI data include:

  • Name
  • Address
  • Date of Birth
  • Credit Card Number
  • Driver’s License
  • Medical Records

PHI is subject to strict confidentiality and disclosure requirements that do not apply to most other types of data in the United States. Note that the identifiers above are PHI only when they appear in health information held by a covered entity or business associate; the same credit card number in a retailer’s database is PII but not PHI. In other words, protecting PHI is always a legal requirement, whereas protecting PII is only required in some cases.

Developing a Unified Compliance Approach

The United States is notable for not having a single privacy and data protection standard or government entity. Instead, American businesses face industry-specific laws, along with municipal, state, and international compliance regulations.

While this allows many industries to use consumer data more broadly, it also creates serious compliance risks. For example, because California has stricter PII laws than other states, a business that legally tracks Nevada users when they visit its website could be in breach of compliance if a Californian logs in.

While PHI requirements are strict, a HIPAA compliance checklist won’t necessarily address PCI DSS, EU data protection laws like GDPR, and other regulations. Rather than developing separate programs for each regime, organizations should implement PII security best practices across the board and then iterate to comply with the remaining regime-specific rules.

What is Protected Health Information (PHI)

Protected health information (PHI) is any health information that includes any of the 18 identifiers listed by HIPAA and is maintained by a covered entity, or that could otherwise reasonably be used to identify an individual.

PHI is information created or received by a health care provider that relates to:

  • The past, present, or future physical or mental health or condition of an individual;
  • The provision of health care to an individual; or
  • The past, present, or future payment for the provision of health care to an individual.

Such information remains PHI until fifty (50) years after the date of the individual’s death.

What is Personally Identifiable Information (PII)

In the research context, Personally Identifiable Information (PII) is defined as data that is not considered PHI and is therefore not subject to the HIPAA Privacy and Security Rules. The critical distinction between PII and PHI is that PHI relates to or is derived from a health care service event, i.e., the provision of care or payment for care. PII may instead be collected directly from the participant (survey, interview) and is covered by other state and federal laws concerning the privacy and confidentiality of research health information.

Waiver of HIPAA Authorization

Some studies may meet the criteria for a waiver of HIPAA authorization or for an alteration of the authorization requirements. The required waiver/alteration criteria, referred to in HRP-441 – HIPAA CHECKLIST – Waiver Approval, are:

(A) The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based, at a minimum, on the presence of the following elements:

  • an adequate plan to protect the identifiers from improper use and disclosure;
  • an adequate plan to destroy the identifiers as quickly as possible, consistent with the conduct of the investigation, unless there is a health or research justification for withholding the identifiers or such retention is required by law; and
  • adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of protected health information would be permitted by this subpart;

(B) The research could not practicably be conducted without the waiver or alteration; and

(C) The research could not practicably be conducted without access to and use of the protected health information.

Note: Under 45 CFR 164.512(i)(2)(ii), the criteria for a full waiver of HIPAA authorization and for an alteration of HIPAA authorization are the same.

PII and PHI Security Across Industries

Good security starts with identifying personally identifiable information across the organization, whether it sits in medical databases, email, backups, or a partner’s IT environment. PII must then be classified by the harm a breach could cause, a measure NIST SP 800-122 calls the PII confidentiality impact level. NIST recommends weighing the following factors:

  • Identifiability: How easily can specific individuals be uniquely identified from the PII, alone or in combination with other available data?
  • Quantity of PII: How many individuals could a breach expose? How the data is organized matters. For example, a medical clinic has more PII at risk if it shares a database with allied clinics than if it maintains its own. Similarly, if an organization stores PII while onboarding new employees, a larger company will have a greater amount of employee PII to protect.
  • Data field sensitivity: How much damage could the field cause if leaked? A phone number is less sensitive than a credit card or Social Security number, for example. However, if a leaked phone number would likely be linked to names, Social Security numbers, or other personal data, that phone number should be treated as sensitive. Schools responsible for student PII, such as IEPs and medical records, must also consider the impact of a breach on student privacy and safety.
  • Context of use: Does the way the information is used change its impact? For example, suppose your hospital offers an opt-in newsletter aimed at patients, physicians, organizations, and other community members. The subscriber list will contain PII for some patients, but it is less sensitive than the same PII in those patients’ medical records, because subscribing does not by itself reveal that a person is a patient.
  • Obligations to protect confidentiality: What information must you protect under HIPAA, HITECH, PCI DSS, and other compliance regimes? This is obviously a key consideration for healthcare organizations, but it can also be vital for fintech and insurance companies.
  • Access to and location of PII: HIPAA-regulated PII is stored, transmitted, and processed by third-party IT services, accessed by off-site medical professionals who are not employees of the organization, and shared with a variety of business partners. This creates risks that would not exist if, say, the information were kept in a vault accessible only to a physician.
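The “Mr. Smith in New York” illustration earlier and the identifiability factor in the list above come down to the same check: how many people share a record’s combination of quasi-identifiers. The Go program below, an added example rather than code from the original article or from NIST SP 800-122, makes that concrete with a k-anonymity count over a small constructed data set (the Record type, the function names and the sample rows are all my assumptions). It uses the data set itself as the reference population; a real assessment would compare against what an attacker can look up, such as a phone directory or voter roll.

```go
package main

import (
	"fmt"
	"strings"
)

// Record is one row of a constructed data set (not real patients).
// LastName and City are quasi-identifiers: harmless alone, potentially
// identifying in combination. Diagnosis is the sensitive value an attacker
// learns if a row can be tied to one person.
type Record struct {
	LastName  string
	City      string
	Diagnosis string
}

// Sample is constructed test data: three Smiths in New York, one unusual
// surname in a small town, and one common surname with only a single match.
var Sample = []Record{
	{"Smith", "New York", "type 2 diabetes"},
	{"Smith", "New York", "hypertension"},
	{"SMITH", "New York", "asthma"},
	{"Zbigniewski", "Millbrook", "HIV"},
	{"Garcia", "New York", "influenza"},
}

// quasiKey normalises the quasi-identifier tuple so that "Smith" and "SMITH"
// are counted together; an attacker linking records does not care about case.
func quasiKey(r Record) string {
	return strings.ToLower(strings.TrimSpace(r.LastName)) + "|" +
		strings.ToLower(strings.TrimSpace(r.City))
}

// GroupSizes returns how many records share each quasi-identifier tuple.
// That count is the "k" of k-anonymity: a group of size 1 pins the row to
// exactly one person within the reference population.
func GroupSizes(records []Record) map[string]int {
	sizes := make(map[string]int, len(records))
	for _, r := range records {
		sizes[quasiKey(r)]++
	}
	return sizes
}

// IsIdentifiable reports whether r belongs to a group smaller than k, i.e.
// whether its (last name, city) combination is rare enough to infer who it is.
func IsIdentifiable(r Record, records []Record, k int) bool {
	return GroupSizes(records)[quasiKey(r)] < k
}

// Suppress returns the subset of records whose quasi-identifier group has at
// least k members. Rows that would single someone out are withheld rather
// than released with identifiers attached.
func Suppress(records []Record, k int) []Record {
	sizes := GroupSizes(records)
	var kept []Record
	for _, r := range records {
		if sizes[quasiKey(r)] >= k {
			kept = append(kept, r)
		}
	}
	return kept
}

func main() {
	const k = 2
	for _, r := range Sample {
		fmt.Printf("%-12s %-10s identifiable(k=%d)=%v\n",
			r.LastName, r.City, k, IsIdentifiable(r, Sample, k))
	}
	fmt.Printf("releasable rows at k=%d: %d of %d\n", k, len(Suppress(Sample, k)), len(Sample))
}
```

At k=2 the three Smith rows are releasable, while the Zbigniewski row and the lone Garcia row are flagged: a common surname is no protection when it is the only one of its kind in the table, which is the point of judging identifiability on the combination rather than on any single field.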

HIPAA Business Associates

HIPAA goes beyond general PII security best practices in its requirements for partner organizations. Under the HIPAA Privacy Rule, covered entities can carry significant legal liability for breaches caused by their business associates.

Cloud services, contractors, medical claims processors, and most other organizations that use, store, or process protected health information (PHI) on a covered entity’s behalf are considered business associates. You will need to sign a Business Associate Agreement (BAA) with each of them, which outlines:

  • Appropriate Use of PHI
  • Safeguards to prevent non-compliance
  • Steps to remedy breaches and violations
  • Violation notification procedures

Your organization should carefully evaluate business associates to ensure they can truly hold up their end of the bargain. Business associates should have clearly documented data security policies and practices before signing a BAA and should undergo periodic audits to confirm compliance.

HIPAA Notices and Notifications

HIPAA also has strict requirements for how medical information can be used and disclosed, and it requires that a notice of privacy practices be provided to the patient. The privacy notice should cover a variety of information, including:

  • How the organization may use and disclose patient information
  • Patient rights
  • The organization’s duty to protect information and other legal obligations
  • Whom the patient should contact for more information

HIPAA also has specific rules for breach notification. Covered entities must notify affected individuals without unreasonable delay and no later than 60 calendar days after a breach of unsecured PHI is discovered. It is therefore essential to ensure that you and your partners use encryption: PHI encrypted in line with HHS guidance is not considered unsecured, so its exposure does not trigger notification unless the decryption key was also compromised. In many cases, this is the difference between a contained incident and a costly breach notification.
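The caveat in the paragraph above is that encryption only keeps a lost backup out of breach-notification territory if the key did not travel with the data. The Go program below, an added example rather than code from the original article, shows the envelope pattern a practitioner would use: each record is encrypted under its own data key with AES-256-GCM, the data key is wrapped under a key-encryption key (KEK) that is stored elsewhere, and only the ciphertext plus the wrapped key are handed to storage or to a business associate. The Envelope type, the function names and the sample record are my assumptions; in production the KEK would sit in an HSM or cloud KMS rather than in a byte slice, and whether a given scheme counts as “secured” still depends on it meeting HHS’s encryption guidance.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is everything a backup, cloud bucket or business associate holds
// for one record: the PHI ciphertext plus the per-record data key, itself
// encrypted ("wrapped") under a key-encryption key (KEK) that is never stored
// alongside it (assumed here to be a separate byte slice handed to Decrypt).
type Envelope struct {
	Ciphertext []byte // nonce || AES-256-GCM(dataKey, phi)
	WrappedKey []byte // nonce || AES-256-GCM(kek, dataKey)
}

// NewKey returns 32 random bytes, usable as either a KEK or a data key.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// seal encrypts with AES-GCM and prefixes the random nonce. GCM authenticates,
// so the wrong key or a tampered blob makes open fail rather than return junk.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Encrypt makes a fresh data key for the record, encrypts the PHI under it,
// wraps the data key under the KEK and lets the plaintext data key go.
func Encrypt(kek, phi []byte) (Envelope, error) {
	dataKey, err := NewKey()
	if err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dataKey, phi)
	if err != nil {
		return Envelope{}, err
	}
	wk, err := seal(kek, dataKey)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Ciphertext: ct, WrappedKey: wk}, nil
}

// Decrypt unwraps the data key with the KEK, then opens the record. Without
// the KEK the envelope is two opaque blobs.
func Decrypt(kek []byte, env Envelope) ([]byte, error) {
	dataKey, err := open(kek, env.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dataKey, env.Ciphertext)
}

// Readable is the breach-triage question: can whoever holds env and this
// candidate KEK actually recover the PHI? Only then is the data "unsecured".
func Readable(env Envelope, candidateKEK []byte) bool {
	_, err := Decrypt(candidateKEK, env)
	return err == nil
}

func main() {
	kek, err := NewKey()
	if err != nil {
		panic(err)
	}
	phi := []byte("MRN 000123; DOB 1970-01-01; Dx: type 2 diabetes") // constructed record
	env, err := Encrypt(kek, phi)
	if err != nil {
		panic(err)
	}
	attackerKEK, _ := NewKey() // attacker holds the envelope but not the real KEK
	fmt.Println("readable with the real KEK:", Readable(env, kek))
	fmt.Println("readable without the KEK:  ", Readable(env, attackerKEK))
}
```

The design point is the separation: if a backup containing envelopes is lost, the triage question is whether the KEK was in the same blast radius. Storing the KEK in the same bucket, the same backup job, or hard-coded in the application that produced the backup collapses the two and turns the incident into a notifiable breach of unsecured PHI.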

Following PII security best practices helps organizations err on the side of caution. HIPAA is not a set of arcane, arbitrary rules designed to make your life difficult; it is a valuable framework for ensuring a high standard of care and confidentiality for your patients. A best-practices approach to PII simplifies regulatory compliance by turning it into a single set of rules that can be applied across the organization. This makes it easier to protect patients and ensures that confidential information is not lost.