
PHI vs. PII: What's the Difference for HIPAA Compliance?

By Editorial Team


    For most healthcare organizations, protecting patient privacy is the most important aspect of HIPAA compliance, and the most difficult. HIPAA uses the term Protected Health Information (PHI) to refer to protected data, but the concept is very similar to the term Personally Identifiable Information (PII), which is used in other compliance regimes. Understanding how PII and PHI overlap can help organizations unify compliance efforts across regimes, reducing the risk, cost and complexity of keeping data safe.

    PII Definition and Examples

    As the name suggests, Personally Identifiable Information (PII) is any data that can be used to identify a person, either on its own or in combination with other data. Some elements, such as full name, date of birth, home address and biometric identifiers, are treated as PII under essentially every regime. Others, such as a first name, a first initial with a last name, or height and weight, count as PII only in certain circumstances or when combined with other fields.

    For example, a record referring to "Mr. Smith in New York" is unlikely to contain enough information to reveal who the subject is. If the patient has an uncommon surname and lives in a small town, however, the same record would probably count as PII, because deducing the subject's identity would be easy.

    PHI Definition and Examples

    Protected Health Information (PHI) is HIPAA's term for individually identifiable health information, including the demographic and payment details that travel with it, when a covered entity or its business associates create, receive, store or transmit it. HIPAA never uses the term PII: the Privacy Rule defines PHI (45 CFR 160.103), and the Security Rule applies to PHI held in electronic form (ePHI). The Privacy Rule's Safe Harbor de-identification standard lists 18 categories of identifiers that turn health information into PHI, among them:

    • Names
    • Geographic data smaller than a state, such as a street address or a full ZIP code
    • Dates directly related to the individual, such as date of birth or admission date (the year alone is permitted)
    • Account numbers, including credit card numbers
    • Driver's license and other certificate or license numbers, and full-face photographs
    • Medical record numbers, and the clinical records they index

    PHI is subject to confidentiality, use and disclosure rules that don't apply to most other categories of data in the United States. In other words, protecting PHI is always legally required of the covered entities and business associates that hold it, whereas protecting PII is mandated only where a specific state, sectoral or foreign law applies. The reverse caveat matters too: the same health facts held by an organization HIPAA doesn't cover, such as an employer's personnel file or a consumer fitness app, are not PHI and fall back on whatever PII rules apply.

    Developing a Unified Compliance Approach

    The United States is unusual in that it doesn't have one single privacy and data protection standard or government entity. Instead, American companies face industry-specific laws, along with city, state and international compliance regulations depending on the customers or partners they serve.

    Although this lets many industries use consumer data more freely, it also creates real compliance risk. For example, because California's privacy laws are stricter than most other states', a company that lawfully tracks Nevada visitors to its website could fall out of compliance the moment a California resident visits.

    Although PHI requirements are strict, a HIPAA compliance checklist won't necessarily satisfy financial regulations such as PCI DSS and GLBA, EU data protection law such as the GDPR, or other regimes. Rather than building a separate program for each regulation, organizations should apply PII protection best practices (data minimization, access control and encryption) across the board, then iterate to meet the regulation-specific rules that remain.

    PII and PHI Security Across Industries

    Good security starts with identifying PII across your organization, whether it sits in medical databases, email, backups, or a vendor's IT environment. PII then needs to be categorized by how much harm a breach could cause, a measurement NIST SP 800-122 calls the confidentiality impact level. NIST recommends weighing the following factors:

    • Identifiability: Is it easy to uniquely identify the specific individuals using the PII?
    • Quantity of PII: How many identities could be compromised by a breach? The way your data is organized is a factor. For example, a medical clinic would likely have more PII at risk if it shared a database with allied clinics than if it maintained a separate database. Likewise, if an organization stores PII during onboarding for new employees, a larger-scale business would likely have a greater quantity of employee PII to protect. 
    • Data Field Sensitivity: How much harm could the data cause, if breached? A phone number is less sensitive than a credit card or social security number, for example. However, if a breach of the phone number would most likely also compromise name, SSN or other personal data, that phone number should be considered sensitive. Schools entrusted with student PII data, like IEPs and medical records, should also consider the impact of a breach on student privacy and safety. 
    • Context of Use: Does the way the information is used affect its impact? For example, imagine your hospital sends an opt-in newsletter to patients, doctors, organizations and other community members. A list of newsletter subscribers would contain the PII of some patients, but that info would be less sensitive than the same PII in patient medical records, since it wouldn't necessarily indicate patient status.
    • Obligations to Protect Confidentiality: What information are you required to protect under HIPAA, HITECH, PCI, and other compliance regimes? This is obviously a key consideration for healthcare organizations, but it can also be vital for fintech and insurance businesses as well.
    • Access to and Location of PII: The personally identifiable information HIPAA governs is often stored, transported and processed by third party IT services, accessed offsite by medical professionals who aren’t employees of the organization and processed by a variety of business associates. This creates risks that wouldn’t be present, for example, if the PII were locked in a vault, and could only be accessed by one doctor.

    Implementing PII Security Best Practices

    Any data you store is a potential liability. Collecting less data and purging PII you no longer need is the simplest way to shrink that exposure. Where possible, de-identify data as well. Done properly, under either of HIPAA's two recognized methods (Safe Harbor removal of the 18 identifier categories, or expert determination), measures such as anonymizing patient feedback or removing or tokenizing identifiers take the data out of HIPAA's scope entirely. Tokenized data only qualifies if the token cannot be derived from the patient's information and the token-to-identity mapping is kept separate and protected as carefully as the PHI it unlocks.
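    The following is an added example, not Virtru's code or a tool described on this page. It applies the Safe Harbor method (45 CFR 164.514(b)(2)) to a single patient record as HHS describes it: direct identifiers are dropped, dates keep only the year, ages over 89 collapse into a "90+" bucket (including the birth year that would reveal such an age), ZIP codes keep three digits or become 000 for sparsely populated prefixes, and a random re-identification token is issued whose mapping is returned separately because it must be protected. The field names, the sample patient and the restricted-prefix list (taken from the HHS guidance, which is based on 2000 census figures and should be re-checked) are the example's own assumptions.

```python
"""HIPAA Safe Harbor style de-identification of a patient record.

Added example, not Virtru's code. Record layout, field names and the
sample patients are constructed for illustration.
"""
import re
import secrets
from datetime import date

# Direct identifiers dropped outright. Constructed field names standing in
# for the Safe Harbor categories: names, street address, phone, e-mail,
# SSN, medical record / account / licence / device numbers, URLs, IP
# addresses, photographs and biometrics.
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "phone", "email", "ssn", "mrn",
    "account_number", "license_number", "device_serial", "url",
    "ip_address", "photo", "fingerprint",
})

# Three-digit ZIP prefixes with 20,000 or fewer residents per the HHS Safe
# Harbor guidance (2000 census data); these must be reported as 000.
# Assumption for this example: verify against current HHS guidance.
RESTRICTED_ZIP3 = frozenset({
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
})

AS_OF = date(2024, 5, 2)  # reference date for age calculation


def generalize_zip(zip_code):
    """Keep the first three digits of a ZIP, or 000 for restricted prefixes."""
    zip3 = re.sub(r"\D", "", zip_code)[:3]
    if len(zip3) < 3 or zip3 in RESTRICTED_ZIP3:
        return "000"
    return zip3


def age_on(dob, as_of):
    """Whole years between dob and as_of."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def deidentify(record, as_of=AS_OF, token_factory=lambda: secrets.token_hex(8)):
    """Return (deidentified_record, reidentification_map).

    The token is random, so it is not derived from the patient's data as
    164.514(c) requires; the map linking it back to the MRN must be stored
    and protected separately, otherwise the data set is not de-identified.
    """
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif isinstance(value, date):
            # Dates directly related to the individual keep only the year.
            out[field + "_year"] = value.year
        else:
            out[field] = value

    dob = record.get("dob")
    if dob is not None:
        age = age_on(dob, as_of)
        if age >= 90:
            # Ages over 89, and any date element that would reveal such an
            # age, are aggregated into a single "90+" bucket.
            out.pop("dob_year", None)
            out["age"] = "90+"
        else:
            out["age"] = age

    token = token_factory()
    out["record_token"] = token
    return out, {token: record.get("mrn")}


# Constructed sample records, not real patients.
SAMPLE = {
    "mrn": "MRN-0042",
    "name": "Jane Q. Example",
    "street_address": "1 Example Way",
    "zip": "03601-1234",          # prefix 036 is restricted -> 000
    "dob": date(1931, 3, 15),     # 93 years old on AS_OF -> "90+"
    "admit_date": date(2024, 5, 2),
    "diagnosis_code": "E11.9",
    "phone": "555-0100",
}
YOUNG = {"mrn": "MRN-0077", "dob": date(1990, 6, 1), "zip": "10001"}

if __name__ == "__main__":
    clean, reid = deidentify(SAMPLE)
    print("de-identified:", clean)
    print("re-identification map (protect separately):", reid)
```

    Running it shows why "just strip the name" is not enough: the full ZIP, the full dates and the exact age of a 93-year-old would each have left the record identifiable, and the re-identification map that comes back alongside the clean record is the part that still has to be locked down.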

    Access control is another valuable PII security best practice, and HIPAA's Privacy Rule makes it a requirement through its "minimum necessary" standard: sensitive information should be accessible only to people who need it to do their jobs. For example, front-desk staff who don't handle billing don't need access to complete medical records.

    In any compliance regime, sensitive information should be encrypted by default, in transit and at rest. HIPAA-compliant email and encrypted cloud storage keep PII unreadable to an attacker who intercepts a message or copies a data store, provided the keys are managed separately from the data they protect.

    Explicit policies and regular trainings can help ensure your workers use secure email and storage, but getting patients to use email encryption is trickier. Many balk at the inconvenience of healthcare portals (understandably so), leading to very low adoption rates.

    But Virtru is a different PHI encryption solution: Virtru email encryption and secure file transfer solutions allow patients to use their existing email accounts to receive and reply to secure messages and attachments, removing friction and frustration from the patient communication experience.

    How to Automate PHI and PII Security for HIPAA 

    Virtru makes it easy to apply data security for PHI and PII whenever it needs to be shared via email, files, or SaaS apps. Here are a few ways that customers are doing this today: 

    Detect PHI or PII Keywords in Sent Emails

    Virtru's products allow admins to set specific keywords to flag for sensitive information. You can designate words or data formats (like "social security number" or "###-##-####") and then choose your preferred course of action — you can warn the user before sending, or choose to automatically encrypt the message before it leaves your domain. Virtru-encrypted emails can then be controlled by the sender and the admin, allowing you to change or revoke access permissions at any time.
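    To make the keyword-and-format check concrete, here is an added example that is not Virtru's product code. It scans an outbound message for configured phrases and for the ###-##-#### format, rejects number patterns the Social Security Administration never issued (area 000, 666 or 900-999, group 00, serial 0000) to cut false positives, and chooses an action: a keyword hit alone warns the sender, a validated SSN forces encryption. Findings are masked before they are returned so the scanner's own logs don't become a second store of PII. The policy values, keywords and sample messages are constructed for the example.

```python
"""Outbound e-mail scanner for PHI/PII indicators.

Added example, not Virtru's code. Policy, keywords and messages are
constructed for illustration.
"""
import re

# ###-##-#### is a weak signal on its own; SSA never issued numbers with
# area 000, 666 or 900-999, group 00 or serial 0000, so those are rejected.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

# Constructed policy: phrases that prompt the sender, formats that force
# encryption because a validated match is almost certainly PII.
POLICY = {
    "warn_keywords": [
        "social security number", "date of birth", "diagnosis", "medical record",
    ],
    "encrypt_patterns": {"ssn": SSN_RE},
}


def is_plausible_ssn(area, group, serial):
    """Reject number ranges the SSA has never assigned."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def mask(ssn):
    """Keep only the last four digits so findings can be logged safely."""
    return "***-**-" + ssn[-4:]


def scan_message(subject, body, policy=POLICY):
    """Return {"action": "allow" | "warn" | "encrypt", "findings": [...]}."""
    text = f"{subject}\n{body}"
    lowered = text.lower()
    findings = []

    for kw in policy["warn_keywords"]:
        if kw in lowered:
            findings.append(("keyword", kw))

    strong = False
    for name, pattern in policy["encrypt_patterns"].items():
        for m in pattern.finditer(text):
            if name == "ssn" and not is_plausible_ssn(*m.groups()):
                continue  # looks like an SSN but cannot be one
            strong = True
            findings.append((name, mask(m.group(0))))

    if strong:
        action = "encrypt"
    elif findings:
        action = "warn"
    else:
        action = "allow"
    return {"action": action, "findings": findings}


# Constructed sample messages.
SAMPLES = [
    ("Re: referral", "His SSN is 219-09-9999 and date of birth 1980-01-01."),
    ("Shipping", "Inventory lot 000-12-3456 shipped."),
    ("Follow up", "Please confirm the patient's diagnosis before Friday."),
]

if __name__ == "__main__":
    for subject, body in SAMPLES:
        print(subject, "->", scan_message(subject, body))
```

    The three samples exercise the three outcomes: the referral carries a real-looking SSN and is encrypted automatically, the shipping note contains a lookalike with an impossible area number and passes, and the follow-up mentions a diagnosis without any identifier and only prompts the sender.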

    “Virtru isn’t complacent—it actually educates our staff on HIPAA and CJIS compliance requirements as they do their normal work. We use the administrator tools and warning messages to highlight keywords that are included in emails, prompting senders to simply click for encryption.” - Richard Juliano, Chief Technology Officer, Columbia County, NY

    Case Study: Virtru Alerts Columbia County, NY Employees When to Encrypt Sensitive Data for CJIS and HIPAA Compliance

    Revoke Access to PHI or PII Sent in Error

    A persistent issue for healthcare organizations is PHI or PII being sent to the wrong person. This is incredibly common when healthcare teams are working quickly. With Virtru email security and Virtru Secure Share, any protected email or file can be revoked at any time, and you can view forensics on whether the email or file has actually been accessed by the recipient. This is useful for auditing and reporting purposes.  

    “Just having data encrypted point-to-point doesn't solve the problem. It's just one issue, but if that's all it took, then Gmail, Google Workspace, and Office 365 would be sufficient. The real issue is, ‘What do you do when you send PHI to the wrong person?’ We have people with multiple ‘Johns’ in their contact list — they may send it to the wrong John. We had a client going through a major breach because of social engineering: Someone spoofed a member of upper management, and an employee sent out a file with names and PHI. It became a real issue — we had to report it as a breach to The Department of Health and Human Services. If they’d had Virtru, they could have just denied access to the email and this entire crisis could have been averted. The impact would have been limited, it would have had tracking, and they could have changed the access controls. Now, the horse is out of the barn. The barn is on fire. It’s, ‘What do we do now?’“ - Jason Karn, Chief Compliance Officer, Total HIPAA

    Case Study: Total HIPAA Uses Virtru for Proven, Persistent Control of PHI

    Enable Encryption in CRM Apps like Zendesk and Salesforce

    When you're communicating sensitive information to patients or customers via apps like Zendesk or Salesforce, you may not have comprehensive data protection in place across the full lifecycle of the PHI or PII, especially in the scenarios mentioned above where sensitive information ends up in the wrong person's inbox. This is where Virtru makes it easy to apply access control and security to information sent via these CRM applications, giving you confidence that sensitive PII and PHI remain protected for HIPAA and other compliance requirements.

    "Zendesk is not natively HIPAA compliant with email. A lot of people don't realize that." The Secure Share integration enables support teams to securely exchange sensitive information with customers. "We have a lot of that back-and-forth requesting and sending in Zendesk. There's lots of different variances in the world of healthcare. We want to do our best to protect our customers and their data." - Daniel Brundige, VP of Information Technology, Bennie

    Case Study: Bennie Automates HIPAA Compliant Data Workflows in Gmail and Zendesk

    "We want to make our communication as consumer-friendly as possible. The healthcare industry is moving that direction, because it's what patients and families expect. For example, we communicate with a lot of young parents who are used to seamless experiences in other industries. We want to be 100% compliant and make sure the data we're sending outside our network is secure." - Steven Schwartzberg, Director of Information Systems

    Case Study: Tribeca Pediatrics Uses Virtru for Seamless, HIPAA-Compliant Messaging with Families

    HIPAA Business Associates and Business Associate Agreements (BAAs)

    HIPAA goes beyond general PII security best practices in its requirements for partner organizations. Under the Privacy Rule, health care providers carry considerable legal liability for breaches caused by their business associates, and since the 2013 Omnibus Rule business associates are directly liable for their own HIPAA violations as well.

    Cloud services, contractors, medical claim processors and most other organizations which use, store or process PHI all count as business associates. You need to sign Business Associate Agreements (BAAs) with each of these organizations, describing:

    • Appropriate use of PHI
    • Safeguards for preventing breaches
    • Steps to remediate breaches and violations
    • Breach notification procedures

    Evaluate business associates carefully before signing to make sure they can actually hold up their end of the bargain: they should have clearly documented data security policies and practices in place before the BAA is executed, and should submit to regular audits that verify continued compliance.

    HIPAA Notices and Notifications

    HIPAA also has strict requirements for how health information can be used and disclosed, and requires a notice of privacy practices be provided to the patient. The notice of privacy should cover a range of information, including:

    • How the organization can use and disclose the patient’s information
    • The patient’s rights
    • The organization’s duty to protect the information, and other legal duties
    • Who the patient should contact for more information

    HIPAA also has specific rules for breach notification. Under the Breach Notification Rule, organizations must notify affected individuals without unreasonable delay, and in no case later than 60 days after the breach is discovered. Making sure you and your partners use encryption is crucial: PHI that was encrypted in line with HHS guidance is not "unsecured PHI", so its loss or theft does not trigger notification unless the decryption key was exposed as well. In many cases this is the difference between a close call and a costly, public breach report.

    Following PII security best practices helps organizations err on the side of caution. HIPAA isn’t a set of arcane and arbitrary rules to make your life difficult — it’s a useful framework to ensure a high standard of care and confidentiality for your patients. A PII best practices approach simplifies compliance by turning it into a single set of rules that can be used across your organization. That makes it easier to keep patients safe, and ensure sensitive information doesn’t fall through the cracks.

    Ready to see how Virtru can help you secure PII and PHI in support of HIPAA, PCI, and other related compliance regulations? Contact us for a demo.

    Editorial Team

    The editorial team consists of Virtru brand experts, content editors, and vetted field authorities. We ensure quality, accuracy, and integrity through robust editorial oversight, review, and optimization of content from trusted sources, including use of generative AI tools.
