“My doctor recently told me that jogging could add years to my life. I think he was right. I feel ten years older already.”
— Milton Berle
Top Story
Ever wondered about the difference between personally identifiable information (PII) and protected health information (PHI)? Health IT Security provides a deeper insight into the difference. PII is an umbrella term for any information linked to an individual’s identity. PHI refers to identifiable health information shared with HIPAA (Health Insurance Portability and Accountability Act) covered entities. These terms are not interchangeable. Improper use of these terms can lead to compliance issues for healthcare organizations.
What is PII?
Personally identifiable information is any information that can be directly linked to an individual’s identity. PII includes, but is not limited to, Social Security numbers, passport numbers, driver’s license numbers, addresses, email addresses, photos, biometric data, or any other information that can be traced to one individual. Medical, educational, financial, and employment information all fall under PII.
“An organization cannot properly protect PII it does not know about,” notes NIST (National Institute of Standards and Technology). Therefore, understanding the scope of PII and how to protect it is a cornerstone to sufficient data privacy.
What is PHI?
Protected health information is a subset of PII, but it specifically refers to health information shared with HIPAA-covered entities. Medical records, lab reports, and hospital bills are PHI, along with any information relating to an individual’s past, present, or future physical or mental health conditions.
“The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information,” states the HHS (U.S. Department of Health and Human Services) website.
“At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.”
How is PHI Related to HIPAA?
Covered entities are specified in the HIPAA Privacy Rule as health plans, healthcare clearinghouses, and healthcare providers. If a covered entity chooses to work with a business associate that might handle PHI, the entity must have a written business associate agreement (BAA) requiring the business associate to comply with HIPAA standards.
The HIPAA Privacy Rule defines 18 identifiers that make health information PHI under HIPAA. These include names, geographic subdivisions smaller than a state (street address, city, county, zip code), dates, telephone numbers, fax numbers, email addresses, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers and serial numbers, device identifiers and serial numbers, web URLs, IP addresses, biometric identifiers (including fingerprints and voice), full-face photos, and any other unique identifying number, characteristic, or code.
To separate health data from the HIPAA protections that attach to PHI, organizations can de-identify the data by removing all 18 elements of PHI. Once the data can no longer be traced back to an individual, it is no longer considered PHI and therefore no longer carries HIPAA protections.
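As an added example (not from the newsletter or its source article), the following Python check applies the de-identification step described above to a patient record: it drops fields that hold one of the 18 identifier categories and redacts identifiers that leak into free-text notes. The field names, regular expressions and sample record are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Field names assumed (constructed) to hold one of the 18 identifier categories above.
IDENTIFIER_FIELDS = {
    "name": "names", "street": "geographic subdivision", "zip": "geographic subdivision",
    "dob": "dates", "phone": "telephone numbers", "fax": "fax numbers",
    "email": "email addresses", "ssn": "Social Security numbers",
    "mrn": "medical record numbers", "plan_id": "health plan beneficiary numbers",
    "account": "account numbers", "license": "certificate/license numbers",
    "vin": "vehicle identifiers", "device_serial": "device identifiers", "url": "web URLs",
    "ip": "IP addresses", "fingerprint": "biometric identifiers", "photo": "full-face photos",
}

# Identifiers that also leak into free text such as clinical notes (constructed patterns).
TEXT_PATTERNS = {
    "Social Security numbers": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "telephone numbers": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email addresses": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "IP addresses": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "web URLs": re.compile(r"https?://\S+"),
    "dates": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}

def deidentify(record: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Drop identifier fields, redact identifiers inside free text, and report which
    of the 18 categories were present (empty on a re-run means none were found)."""
    cleaned: Dict[str, str] = {}
    found: List[str] = []
    for field, value in record.items():
        if field in IDENTIFIER_FIELDS:      # whole field is an identifier: remove it
            found.append(IDENTIFIER_FIELDS[field])
            continue
        for category, pattern in TEXT_PATTERNS.items():
            if pattern.search(value):       # identifier embedded in free text: redact it
                found.append(category)
                value = pattern.sub("[REDACTED]", value)
        cleaned[field] = value
    return cleaned, sorted(set(found))

# Constructed sample record: structured identifiers plus a note that leaks more.
SAMPLE = {
    "name": "Jane Doe", "zip": "46307", "dob": "03/14/1975", "mrn": "MRN-0001",
    "diagnosis": "J45.20", "note": "Pt reached at 219-555-0142, email jane@example.com, follow-up 07/02/2023.",
}

if __name__ == "__main__":
    cleaned, found = deidentify(SAMPLE)
    print("identifier categories removed:", found)
    print("de-identified record:", cleaned)
```

The check is only as complete as its field map and patterns, so treat it as a verification step before a data set is declared de-identified, not as proof on its own.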
The goal is to protect PHI and the patient’s privacy while allowing providers to give the best care and facilitating care between covered entities. So as not to form a complete barrier, the HIPAA Privacy Rule requires the patient’s permission for PHI to be shared between covered entities.
Identifiable health information is not considered PHI unless the organization holding it is a HIPAA-covered entity, and not all health information obtained by covered entities is considered PHI.
A report using averages of multiple patients’ information is not considered PHI because the information cannot be traced back to one person and has no potential to identify any individual.
Residential addresses and phone numbers alone are not PHI, but if they can be linked with healthcare information such as a diagnosis, then it would be considered PHI or PII.
Rules and Regulations of PII and PHI
HIPAA-covered entities that have a data breach involving PII or PHI must report it to the HHS within 60 days. If 500 or more people were affected, they must also notify local media, issue a press release, and send a formal letter to those affected within 90 days. Each state may also have its own requirements.
Breaches of this nature are regulated by the HIPAA Security Rule, which establishes national standards to protect PHI. The rule also requires covered entities to have safeguards in place to ensure that the data stays confidential.
The National Institute of Standards and Technology (NIST) created the “PII confidentiality impact level” standard, which categorizes PII into low, medium, and high-risk levels. The levels are based on the potential harm if the data falls into the wrong hands. What belongs in each level varies from person to person, so something considered high risk for one could be low risk for another.
When a PII breach happens, the incident must be reported. Each state has its own laws regarding notification. Currently, most states do not have a strict deadline for when the public and the government need to be notified.
Safeguarding Your Data
In 2020 alone, over 500 healthcare providers suffered ransomware attacks affecting the security of PHI or PII. These attacks are costly in monetary terms and damage a provider’s reputation. They also put patients at risk of different types of fraud.
There must be administrative, physical, and technical safeguards in place. Administrative safeguards are the policies and procedures that the workforce must maintain. Physical safeguards protect against natural disasters and control access through physical measures. Technical safeguards include antivirus software and keeping computers patched. Employees also need to be educated on cybersecurity. The protocols to protect PHI and PII are the same, but if a breach occurs, the damages and how it must be handled are different.
Conclusion
It is critical to understand the difference between PHI and PII. Organizations have different obligations for the two types of data. Knowing and understanding the differences can save time and money and prevent patients from harm.
Diamond of the Week
Pfizer Inc.💎
A new RSV vaccine for pregnant women has been in the works by Pfizer Inc. Recently, an advisory panel of 14 committee members all recommended that the FDA recommend this vaccine for pregnant women. Currently, the vaccine is showing to be 81.8% effective against severe cases in the first 90 days after birth. For more details about the vaccine, and the FDA’s opinion click here.
Who’s the WOAT
Climate Change 😡
Climate Change has been a hot-button topic for quite a while, but as the fires in Canada rage on states such as Wyoming, Nebraska, Washington, and Wisconsin are all facing effects from the smoke. There have been air quality warnings issued across named states, and as the wind shifts cities such as Chicago, St. Louis, and Indianapolis are being affected as well. To read more about the impacts being seen from these fires click here.
Who Knew
Misconception: HIPAA forbids using waiting room lists and other common practices involving medical information.
Wrong! Under HIPAA, providers must use “common sense” privacy protections to guard patient information. Certain diagnoses give the patients affected more protection. Those who are HIV-positive cannot have their name announced in a waiting room. A sign-in sheet may be used (although not in HIV clinics), but it can only include names and time of arrival. Reminder postcards may be used, but they are only allowed to include date, time, and contact information, and patient reminders must be explained in the Notice of Privacy Practices given to patients. There are many more HIPAA regulations, from how charts should be handled to at least showing a “good faith” effort to obtain written acknowledgment of the Notice.
A Round of Applause For…
Carosh’s CEO Roger Shindell and the Carosh Team👏
As some of you may remember, Roger was presenting at the Illinois MGMA Conference last week. Roger’s presentation went extraordinarily well! A big congratulations to Roger and everyone at Carosh who was involved!
Sources:
- McKeon, Jill. “Key Differences Between PHI and PII, How They Impact HIPAA Compliance.” Health IT Security, 17 Sept. 2022, healthitsecurity.com/news/key-differences-between-phi-and-pii-how-they-impact-hipaa-compliance. Accessed 31 Jan. 2023.
- Carosh Compliance Solutions, 10769 Broadway #106, Crown Point, IN, 46307