PII vs PHI: Key Differences and What You Need to Know


Personally identifiable information (PII) and protected health information (PHI) are two categories of user data that are heavily regulated and protected. Under an ever-expanding set of international laws regarding sensitive personal information, failure to properly handle PII vs PHI can leave businesses open to regulatory or legal repercussions, as well as reputational damage.

This guide explains the differences between PII and PHI, their legal implications, and the data privacy best practices that you should follow to protect your users’ personal and health data. It also outlines the technologies and processes you must implement to ensure compliance with local and international data privacy regulations such as GDPR, CCPA, and HIPAA.

What is personally identifiable information (PII)?

Personally identifiable information is data that can be used to identify an individual. You collect this information during the course of your business activity: names, phone numbers, email addresses, and postal addresses can all be used to uniquely identify a person, and so are all considered PII. Even information that cannot be directly linked to a person is considered PII if it can be combined with other information to identify them indirectly. For example, a person’s job title and employer do not directly identify them, but this information can easily be correlated with public information to find that person’s identity.

PII can be misused in a number of ways. Criminals can use it for identity theft, invasion of privacy, online scams, and stalking, and it can be linked to potentially embarrassing information for extortion and blackmail. Personal information is also valuable to advertisers, who may (illegally) use it to target or directly approach you or your business with the aim of making a sale, using information that you did not know they had about you to influence you.

Because of this, PII must be stored and processed securely on your digital infrastructure, not just because it is protected by regulations such as GDPR and CCPA, but because the misuse or leaking of PII (for example through a cybersecurity incident) can have negative consequences for your staff and customers, and thus your business. If you violate the trust others place in keeping their information secure, they will not look favorably on doing business with you in the future.

What is protected health information (PHI)?

Protected health information is a type of PII, specifically regarding healthcare information. It includes things like appointments, medical records, test results, and health plan information. PHI is created in the course of the operation of healthcare providers.

In the United States, the protection of PHI is regulated by the Health Insurance Portability and Accountability Act (HIPAA). Covered entities (any party that handles PHI, from healthcare organizations down to individual employees) and business associates (any party that provides services to covered entities and handles PHI as part of their responsibilities, such as IT service providers) must meet or exceed the prescribed measures to protect their sensitive user data, or face regulatory punishment.

Key differences between PII and PHI

All PHI is PII, but not all PII is PHI. Healthcare information is generally more sensitive than just identifying information, providing specific, actionable information that may be embarrassing or could be used to cause emotional, financial, or physical harm to the individual. Because of this, the misuse or unintentional disclosure of protected health information often comes with harsher punishment, and due to its nature, individuals may have a greater chance of proving damages from its unauthorized use.

PHI is clearly defined by HIPAA so that it can be identified and properly protected. Healthcare-related data is considered PHI if it meets any of the 18 HIPAA identifiers. If you handle these categories of information in a healthcare context in the United States, you should ensure that you are compliant with HIPAA and adequately protect your PHI in addition to following established industry best practices for storing and processing PII.

Legal implications and compliance (GDPR, CCPA, HIPAA)

The General Data Protection Regulation (GDPR) is Europe’s data protection law. It regulates the collection, processing, and storage of PII for individuals in the European Union, so if you handle data for EU citizens, GDPR applies to you (even if you aren’t located in the EU yourself). The California Consumer Privacy Act (CCPA) is a similar law enacted in California that stipulates how PII should be handled for residents of the US state.

Generally, GDPR and CCPA require that you take adequate measures to both protect the personally identifiable information you handle, and respect the wishes of the data subjects. These measures include:

  • Identifying the sensitive data you handle and undertaking risk analysis.
  • Implementing technical and organizational processes to protect PII from unauthorized access.
  • Protecting data from misuse, including data destruction/loss or unauthorized alteration.
  • Disclosing all data collection and processing practices, and their purpose, to your users.
  • Collecting and storing only the data required for a specified purpose.
  • Providing mechanisms for individuals to access their personal data, and request its deletion.
  • Notifying subjects in the event that their data has been (or may have been) breached, lost, or accidentally disclosed.
  • Disclosing all third parties who will have access to, store, or process data and making sure that you have guarantees that they are also compliant with the relevant regulations.

Penalties for not adhering to GDPR and CCPA can be severe, ranging from civil penalties in the millions, to private legal action if a user has suffered harm as a result of a breach. Meta (Facebook’s parent company) was recently served with a 1.4 billion dollar fine for transferring PII from the EU to the US in breach of GDPR, while DoorDash has been fined $375,000 for violating CCPA.

On top of this, protected health information covered by HIPAA comes with additional penalties if it is not properly handled. In 2024, Heritage Valley Health System was fined $950,000 for HIPAA violations including failing to conduct risk analysis and not implementing procedures for restricting access to PHI.

Best practices for handling PII and PHI

The first and most important thing you should do to ensure that you are compliant with the laws surrounding PII in your (and your users’) jurisdiction is to read and understand the legislation from its original source — blog posts like this aim to be helpful and give you a thorough overview, but you must refer to the laws themselves if you want to be able to properly meet the requirements they set out.

The second thing you should do is choose the right tools and technology for your IT infrastructure. Everything from the desktop software and web-based tools you use to the cloud platforms you use to host data should be compliant with the relevant data privacy regulations and provide their own guarantees to that effect. This will reduce the amount of work you need to do to meet regulations, and future-proof your IT infrastructure: as you expand and need to store more sensitive data, you do not want to have to replace or duplicate existing systems because they are not compliant with privacy regulations (creating dreaded technical debt).

From there, you can build the infrastructure and enact the organizational practices required to meet the privacy expectations of your users and the legal regulations surrounding the PII and PHI that you handle. At a minimum, this should include:

  • Data encryption at rest and in transit: Data encryption is vital to any modern digital infrastructure. In the event of a breach, encrypted data cannot be used by an attacker without the encryption key.
  • Employee training and awareness: Employees and contractors should be aware of their responsibilities towards data privacy, and regular training should take place to reinforce the best practices they should follow.
  • Data access controls and monitoring: Authentication and authorization using role-based access control (RBAC) should be used to restrict access to PII and PHI to only those who require it. Access should be monitored, so that unauthorized access can be detected and stopped.
  • Incident response and breach notification procedures: Procedures to detect breaches, and notify affected parties should be in place. Once a breach has been detected, the impact should be assessed and immediate action should be taken to isolate and rectify the attack vector. Endpoint detection and response (EDR) can assist with this by monitoring endpoints for suspicious activity, proactively mitigating and resolving threats, and notifying security teams.
  • Data backup and disaster recovery: Data backup is paramount to the continuity of any modern business. If you are handling PHI, HIPAA has additional data backup requirements that you need to satisfy.
  • Data redaction and masking: You can reduce the implications of a data breach by redacting PII and PHI where it is not required. For example, data shared with third parties can have PII stripped out, eliminating the risk of them being a potential cause of a data breach. Data masking can be used internally to hide PII/PHI from users who do not need to see it to further reduce the potential for accidental disclosure.
  • Regular data inventory and risk assessment: Know your data. You cannot protect data that you are not aware of, so regularly audit your data collection methods, making sure that you are only collecting the data you require for your stated purpose. Identify what data you have, where it is stored, and how it is used, so that you can perform accurate risk assessments.
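A concrete form of the access-control, redaction and masking points above, as an added example that is not from the original post or from NinjaOne: a record mixing PII and PHI gets a role-based masked view for internal users and a stripped copy for third parties. The field classification, role names and sample record are constructed assumptions, not HIPAA's own definitions.

```python
"""Field-level redaction and masking for records that mix PII and PHI.

Added example, not part of the original post or NinjaOne's products.
The field classification, role names and sample record are constructed.
"""
import copy

# Constructed classification: direct identifiers (PII) vs health data (PHI).
# Anything not listed here is treated as non-sensitive.
PII_FIELDS = {"name", "email", "phone", "address", "ssn"}
PHI_FIELDS = {"mrn", "diagnosis", "test_results", "health_plan_id"}

# Assumed roles (RBAC): which categories each role may see unmasked.
ROLE_CLEARANCE = {
    "clinician": PII_FIELDS | PHI_FIELDS,
    "billing": PII_FIELDS | {"health_plan_id"},
    "analyst": set(),  # internal reporting: masked values only
}

def mask_value(value) -> str:
    """Replace all but the last two characters so the value stays recognisable."""
    text = str(value)
    if len(text) <= 2:
        return "*" * len(text)
    return "*" * (len(text) - 2) + text[-2:]

def masked_view(record: dict, role: str) -> dict:
    """Internal view: mask every sensitive field the role is not cleared for."""
    allowed = ROLE_CLEARANCE.get(role, set())  # unknown role sees nothing unmasked
    out = copy.deepcopy(record)
    for field in (PII_FIELDS | PHI_FIELDS) & set(out):
        if field not in allowed:
            out[field] = mask_value(out[field])
    return out

def redact_for_third_party(record: dict, keep_phi: bool = False) -> dict:
    """Sharing copy: direct identifiers are dropped outright; PHI only if requested."""
    drop = PII_FIELDS | (set() if keep_phi else PHI_FIELDS)
    return {k: v for k, v in record.items() if k not in drop}

# Constructed sample patient record (all values are fictitious).
SAMPLE = {"name": "Jane Roe", "email": "jane@example.test", "phone": "555-0100",
          "ssn": "000-00-1234", "mrn": "MRN-778", "diagnosis": "hypertension",
          "health_plan_id": "HP-42", "language": "en"}

if __name__ == "__main__":
    print(masked_view(SAMPLE, "billing"))
    print(redact_for_third_party(SAMPLE))
```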

In addition to this, you should have the required processes in place so that the subjects of the PII and PHI that you store and process are able to request copies of their data, update it, and request its full deletion from your systems. You should also ensure that your staff and contractors follow the required regulations and that they follow data security best practices so that they do not become a vector of cyberattacks.

Your IT infrastructure must enable healthcare data security, or your business is at risk

It is important that you understand the difference between PII and PHI so that you can ensure the correct procedures are followed. PHI comes with additional healthcare data security requirements, and potentially greater repercussions if sensitive health information is misused.

As part of your broader IT strategy, you should ensure that the platforms you use to manage your IT infrastructure and ensure its security are HIPAA compliant in addition to complying with GDPR and CCPA privacy laws.

NinjaOne provides a HIPAA-compliant remote access, backup, and RMM platform that meets HIPAA data backup requirements, as well as providing full visibility into your infrastructure so that you can be confident that all necessary measures to protect sensitive personal information are being taken.

Next Steps

For MSPs, the choice of RMM is critical to business success. The core promise of an RMM is to deliver automation, efficiency, and scale so the MSP can grow profitably. NinjaOne has been rated the #1 RMM for 3+ years in a row because of our ability to deliver a fast, easy-to-use, and powerful platform for MSPs of all sizes.
Learn more about NinjaOne, check out a live tour, or start your free trial of the NinjaOne platform.
