Over the years, we’ve gained extensive experience helping customers make heads or tails of HIPAA. With that perspective comes insight into what people ask most often. One common question is, “What is the difference between PHI and PII, and does PHI require more protection than PII?”

In short, PHI involves health information while PII does not. Are PHI protection policies more stringent? Not necessarily. But they are different.

And it is those differences that must be taken into account when working toward HIPAA compliance.

What is PHI?

Protected Health Information (PHI) involves information gleaned while providing a healthcare service. This can be health-related information specifically, such as diagnoses, medications, and treatment plans. Additionally, it includes non-health information such as the payment data used to cover treatment, the patient’s date of birth, or any other information maintained in the same dataset that could identify an individual. This applies when an organization is handling the information subject to HIPAA regulations.

The key phrase here is “in the same dataset,” which refers to a dataset containing other identifying health-related data points. Datasets devoid of health information (like those containing names and addresses only) do not count, even if owned by a healthcare organization. PHI can also be created, such as in studies that produce new medical findings. When this data enters the medical record or is used for healthcare services, it becomes subject to HIPAA regulations.

What PHI is Not

It may seem like splitting hairs, but there are many other exceptions where health-related information does not qualify as PHI:

  • RHI (research health information) is data used in research that can identify a person but is not defined as PHI because it was not obtained in the process of providing a healthcare service, such as making a medical payment or visiting a doctor. RHI is therefore protected under separate federal laws governing privacy and research.
  • Health information that cannot be used to identify an individual. For instance, blood work alone would not qualify as PHI. But, if that blood work were stored in the same dataset as a patient’s medical record number, it could now be linked to the patient and would qualify as PHI.

In these cases, HIPAA rules would not apply.

What is PII?

The U.S. Department of Labor defines Personally Identifiable Information (PII) as information:

  1. “That directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.),”
  2. “By which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification.”

Defined more succinctly, the U.S. Department of Defense states, “Personally identifiable information (PII) is any information that can be used to distinguish or trace a person’s identity.”

In a healthcare context, this type of information gets thrown around daily – names, addresses, insurance information, etc. However, if it is not stored in the same dataset as medical information or was not used in the course of providing or receiving a healthcare service, it does not qualify as PHI. A credit card number is PII, but once it is used to pay for treatment at a hospital and stored in a data set that designates it so, it becomes PHI.

PHI Protected by HIPAA

While 18 identifiers were originally used to determine what was considered PHI (and what needed to be taken out to de-identify patient health data), the list is now 20 years old and does not account for identifiable factors such as social media aliases, emotional support animal ownership, and LGBTQ statuses.

PHI protected by HIPAA is individually identifiable health information handled by a HIPAA covered entity or business associate. This includes health information and any non-health information maintained in the same designated record set. The key here is that any non-health information stored in the same place as identifiable health information could be corroborated and further used to identify an individual; its location in that dataset therefore qualifies it as PHI protected by HIPAA.

HIPAA Compliance Expertise from Alert Logic

While these are accurate and definitive definitions of PHI as it relates to mandatory HIPAA security requirements, they are still just the tip of the iceberg. Learn from our experts in the field who have been working with organizations just like yours – healthcare providers and business associates alike – to create and maintain HIPAA-compliant architectures, ensure consumer and partner trust, and avoid unnecessary compliance fines.

Fortra’s Alert Logic can help you advance your HIPAA compliance strategy and navigate the nuances, complexities, and business-specific applications that come up. When it comes to keeping patient PHI secure, adhering “by the book” to legal regulations like HIPAA will only ensure their safety and yours. Lean on Fortra’s expert advice and let us help you become confidently HIPAA-compliant, as we’ve helped so many other companies before.

About the Author
Katrina Thompson
An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire and many other sites.
