PHI vs PII: What is the Difference in Healthcare?
Any analysis of PHI vs PII has to take into account there are multiple definitions of Personally Identifiable Information (PII) depending on the context of the definition and the source of the definition. For this reason, this analysis of PHI vs PII focuses on the difference between the two acronyms in the healthcare industry only.
It is no exaggeration to state there are multiple definitions of PII depending on the context and the source of the definition. For example, the Department of Energy’s Office of Management has published four definitions of PII, NIST’s Computer Security Resource Center has published a further three definitions of PII, and HHS’ National Institutes of Health has adapted one of the three NIST definitions to distinguish between direct and indirect PII.
In addition to direct PII and indirect PII, it is also possible to have sensitive PII and non-sensitive PII. Non-sensitive PII is sometimes referred to as public PII or quasi-PII because it can be obtained from public sources. Incredibly, this variety of PII definitions and subsets comes from only regulatory sources. Commercial sources – and indeed individuals – may have their own definitions of PII to suit compliance requirements or personal convictions.
In PHI vs PII Analyses, PHI is Much Simpler to Define
The acronym PHI is much simpler to define and use in a PHI vs PII analysis because it is rarely used outside the healthcare and health insurance industries. In these industries, the most common use of the acronym PHI is Protected Health Information – a phrase utilized by the HIPAA Administrative Simplification Regulations to identify any information subject to the privacy protections and patients’ rights provisions of the HIPAA Privacy Rule.
The reason “any information” is emphasized in the above paragraph is because PHI is (loosely) defined by the HIPAA General Rules (§160.103) to mean individually identifiable health information created, received, maintained, or transmitted by a covered entity, that relates to an individual’s past, present, or future physical or mental health or condition, the provision of healthcare to the individual, or the past, present, or future payment for healthcare.
However, while information relating to an individual’s health condition, treatment for the health condition, or payment for the treatment automatically qualifies as PHI, any other personally identifiable information maintained in the same designated record set as PHI assumes the same privacy protections as PHI. Individuals also have the right to inspect and request amendments to PII maintained in the same designated record set as PHI.
PII vs PHI for Covered Healthcare Providers
One of the best ways to explain the difference between PII vs PHI for covered healthcare providers is to give an example of a previously unregistered patient attending an ER. During the registration process, an Electronic Health Record (EHR) is created for the patient in which the patient’s name and other PII (address, phone number, etc.) are recorded, along with their health condition and insurance information.
Because the patient’s name and other PII are recorded alongside their health condition and insurance information – and because all the information is maintained in the same designated record set (in this case the EHR) – all the recorded information is PHI or assumes PHI status. The size of the designated record set increases as tests are performed, diagnoses are made, and treatments prescribed.
While the patient is being examined, their spouse phones the ER to ask about the patient’s condition. Because of hospital policies, the spouse can only be given “directory information” until such time as the patient consents for further information to be disclosed. The spouse’s name and telephone number are written down – but not added to the EHR – until consent is received from the patient.
For the period of time that the spouse’s name and telephone number are written down but not added to the EHR, the record of the name and telephone number is PII because, as an individual record, it does not relate to the patient’s condition, treatment, or payment. As soon as the patient consents to PHI being disclosed and confirms the spouse will be involved in their post-ER recovery, the name and telephone number are added to the EHR and assume the same status as other PHI maintained in the EHR.
Examples of When PII Does Not Assume Protected Status
In the above example, a record that originated as PII became PHI when it assumed protected status. This can also happen in reverse if PII is extracted from a designated record set for a purpose that does not involve uses of PHI. Or it can be the case that PII is created, received, maintained, or transmitted by a HIPAA covered entity for a purpose not associated with an individual’s health, treatment, or payment. Examples include:
- When individuals consent to be on a hospital’s marketing database.
- When appointment reminders are sent that do not disclose PHI.
- When contact information only is required to organize transport.
- When a hospital compiles a database of attendees for a conference.
- When a hospice creates a list of benefactors for tax purposes.
In all the above examples, PII does not assume protected status, uses or disclosures of the information are not governed by the HIPAA Privacy Rule, and – if the information is created, received, maintained, or transmitted electronically – it is not subject to the standards of the HIPAA Security Rule. However, it may be the case that state privacy laws apply; and, in all cases, state breach notification laws will apply.
Why Have Different Degrees of Protection in Healthcare?
The discussion about PHI vs PII in healthcare could be ended abruptly by giving all PII protected status. However, HIPAA does not permit this. Under §164.514 of the Privacy Rule, a covered entity must limit access to PHI to members of the workforce who require access to carry out their duties. The Security Rule (§164.308) restricts access to electronic PHI to members of the workforce who meet the access requirements of the Privacy Rule.
The reason for these restrictions is to minimize the potential for unauthorized access to, and impermissible disclosures of, PHI. There is often no need for a member of the workforce involved in marketing, administration, transportation, or event organization to have access to individuals’ full health, treatment, and payment records, so HIPAA requires members of the workforce to have the lowest necessary PHI access rights – if at all.
One benefit of having different degrees of protection in healthcare is that it helps resolve the discussion about PHI vs PII. Any information relating to an individual’s health, treatment or payment – and any identifying information maintained in the same designated record set – is PHI. Any other identifying information maintained by a covered healthcare provider is PII – whether direct, indirect, sensitive, non-sensitive, public, or quasi.
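The classification rule just stated, the rules that follow from it, and the minimum-necessary access restrictions of §164.514 and §164.308, worked through in Python as an added illustration (this is not code from HIPAA Journal or from any HIPAA tool). The record categories, the workforce role names and the ER records are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum

class Category(Enum):
    HEALTH = "health"          # condition, diagnosis, treatment
    PAYMENT = "payment"        # insurance, billing
    IDENTIFIER = "identifier"  # name, address, phone, email

PHI_CATEGORIES = (Category.HEALTH, Category.PAYMENT)

@dataclass
class Record:
    label: str
    category: Category
    record_set: str = ""       # designated record set it is kept in; "" if standalone
    electronic: bool = True

def classify(record: Record, records: list) -> str:
    """PHI if health/payment data, or an identifier kept in a record set that also holds such data."""
    if record.category in PHI_CATEGORIES:
        return "PHI"
    in_phi_set = record.record_set and any(
        r.record_set == record.record_set and r.category in PHI_CATEGORIES for r in records)
    return "PHI" if in_phi_set else "PII"

def applicable_rules(record: Record, records: list) -> list:
    """Privacy Rule for PHI, Security Rule for electronic PHI, state breach notification law always."""
    rules = ["state breach notification law"]
    if classify(record, records) == "PHI":
        rules.append("HIPAA Privacy Rule")
        if record.electronic:
            rules.append("HIPAA Security Rule")
    return rules

# Minimum-necessary access by workforce role; the role names are hypothetical.
ROLE_ACCESS = {"clinician": {"PHI", "PII"}, "marketing": {"PII"}, "transport": {"PII"}}

def may_access(role: str, record: Record, records: list) -> bool:
    return classify(record, records) in ROLE_ACCESS.get(role, set())

def er_scenario(consented: bool) -> dict:
    """Constructed ER walk-through: the spouse's phone note joins the EHR only after consent."""
    ehr = "EHR-1"
    records = [Record("patient name", Category.IDENTIFIER, ehr),
               Record("diagnosis", Category.HEALTH, ehr),
               Record("insurance id", Category.PAYMENT, ehr),
               Record("spouse phone", Category.IDENTIFIER, ehr if consented else "", False),
               Record("patient email", Category.IDENTIFIER, "marketing-db")]
    return {r.label: classify(r, records) for r in records}
```

The marketing-database email stays PII even though the same patient has an EHR, because it is not maintained in the same designated record set as the health and payment information.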
Covered healthcare providers who require further information about PHI vs PII in healthcare, who need help with meeting the HIPAA compliance requirements of §164.514 and §164.308, or who would like advice on how to communicate the difference between PHI vs PII to members of the workforce during HIPAA training are advised to speak with an independent compliance professional.