This article will define personally identifiable information, sensitive personally identifiable information, and protected health information as well as provide examples of each.
Personally Identifiable Information (PII) has numerous official definitions, depending on which agency or state law or policy you read, but in general it is any information that can be used to identify an individual directly or indirectly, such as a name, email address, Social Security Number, or IP address.
Sensitive PII (SPII) is generally defined as any PII which if lost, stolen, or disclosed without authorization could result in significant harm to an individual.
Federal agencies and states each have their own privacy rules for protecting PII (for the states, see the U.S. State Comprehensive Privacy Law Comparison), and in most cases additional safeguards, such as encryption of the data in transit and at rest, are required for what is considered Sensitive PII.
Protected Health Information (PHI) is a specific type of Sensitive PII: individually identifiable health information that a healthcare provider, health plan, clearinghouse, or other HIPAA-covered entity (or its business associate) creates, receives, or holds in the course of providing or paying for healthcare. This information is protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which requires HIPAA-covered entities and their business associates to implement administrative, physical, and technical safeguards to protect PHI.
Identification
The PII/Sensitive PII/PHI identification charts below were compiled from information gathered from the Department of Homeland Security’s Handbook for Safeguarding Sensitive Personally Identifiable Information and the U.S. Department of Health and Human Services.
Personally Identifiable Information (PII)

Sensitive PII (SPII)

Stand-Alone (Sensitive PII by itself):
- Alien registration number
- Biometric identifiers
- Credit card number
- Driver's license or state ID number
- Financial account number
- Passport number
- Social Security number (SSN)

Any PII Combined With the Following:
- Account passwords
- Citizenship or immigration status
- Criminal history
- Date of birth (DOB)
- Last 4 digits of SSN
- Mother's maiden name
- Ethnic or religious affiliation
- Medical information
- Personal financial information
- Sexual orientation
- Any other information which, if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual
Protected Health Information (PHI)

Health Information (physical, electronic, or spoken) + Identifier + held by a HIPAA-Covered Entity or a Business Associate of a HIPAA-Covered Entity + in relation to the provision of healthcare or payment for healthcare services.

Note: health information kept in education records covered by FERPA (schools and universities) or in employment records that an employer holds in its role as employer is excluded from HIPAA's definition of PHI, even when the school or employer is also a covered entity. Such records are still Sensitive PII under the DHS chart above (medical information combined with PII); they are just not governed by HIPAA.

Health Information:
- Allergies
- Medications
- Family medical history
- Health histories
- Health records
- Lab test results
- Medical bills
- Past, present, and future health conditions or physical/mental health
- Prognosis
- Treatment/rehabilitation plans
- X-rays
- Any other information about a person's health

Identifiers (the HIPAA identifier list):
- Account numbers
- Biometric identifiers (e.g. retinal scans, fingerprints)
- Certificate/license numbers
- Dates (except year) directly related to an individual
- Device identifiers and serial numbers
- Email addresses
- Fax numbers
- Geographic subdivisions smaller than a state
- Full-face photos and comparable images
- Internet protocol (IP) addresses
- Health plan beneficiary numbers
- Medical record numbers
- Names
- Social Security numbers
- Telephone numbers
- Vehicle identifiers and serial numbers, including license plates
- Web URLs
- Any other unique identifying number, characteristic, or code

HIPAA-Covered Entities:
- Most health care providers: doctors, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies
- Health insurance companies
- HMOs (Health Maintenance Organizations)
- Employer-sponsored health plans
- Government programs that pay for health care, such as Medicare, Medicaid, and military and veterans' health programs
- Clearinghouses: organizations that process nonstandard health information to conform to standards for data content or format, or vice versa, on behalf of other organizations

Business Associates of HIPAA-Covered Entities:
- Data analysis, storage, and transmission services
- Legal and accounting services
- Billing and benefit management services
- Actuarial and claims processing services
- Any other business that performs activities requiring access to patient health information in order to provide services for or on behalf of health industry entities
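The two charts are really a small set of combination rules: some identifiers are sensitive on their own, others only when paired with an identifier, and health information becomes PHI only when it is identifiable and held by a HIPAA-covered entity or business associate for treatment or payment. As an added example that is not part of the DHS handbook or HHS guidance, the Python below encodes those rules as a tag-based classifier of the kind used to label records in a data inventory or DLP pipeline. The tag names, the holder and purpose values, and the sample records are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from enum import Enum


class Classification(str, Enum):
    NONE = "not PII"        # nothing present that links the data to a person
    PII = "PII"
    SPII = "Sensitive PII"
    PHI = "PHI"             # PHI is itself SPII; reported as the most specific label


# DHS chart, "Stand-Alone" column: Sensitive PII on its own.
STANDALONE_SPII = frozenset({
    "alien_registration_number", "biometric", "credit_card_number",
    "drivers_license_or_state_id", "financial_account_number",
    "passport_number", "ssn",
})

# DHS chart, "Any PII Combined With the Following" column.
COMBINATION_SPII = frozenset({
    "account_password", "citizenship_or_immigration_status", "criminal_history",
    "dob", "ssn_last4", "mothers_maiden_name", "ethnic_or_religious_affiliation",
    "medical_information", "personal_financial_information", "sexual_orientation",
})

# HHS "Identifiers" column plus the general PII examples in the text (name, email,
# IP address). The tag names themselves are assumptions made for this example.
IDENTIFIERS = STANDALONE_SPII | {
    "name", "email", "phone", "fax", "ip_address", "url", "dob", "geographic_data",
    "account_number", "certificate_or_license_number", "device_serial",
    "full_face_photo", "health_plan_beneficiary_number", "medical_record_number",
    "vehicle_identifier",
}

# HHS "Health Information" column (tag names again assumed).
HEALTH_INFO = frozenset({
    "medical_information", "allergies", "medications", "family_medical_history",
    "health_history", "lab_results", "medical_bills", "diagnosis", "prognosis",
    "treatment_plan", "xray",
})

# Only these holders and purposes put health information inside HIPAA's definition
# of PHI. Employment records and FERPA education records are excluded, so an
# "employer" or "school" holder never produces PHI here (it can still be SPII).
HIPAA_HOLDERS = frozenset({"covered_entity", "business_associate"})
HIPAA_PURPOSES = frozenset({"healthcare", "payment"})


@dataclass(frozen=True)
class Record:
    fields: frozenset   # tags for the data elements the record contains
    holder: str         # e.g. "covered_entity", "business_associate", "employer", "other"
    purpose: str        # e.g. "healthcare", "payment", "employment", "other"


def classify(record: Record) -> Classification:
    """Apply the chart rules and return the most specific label that fits."""
    fields = set(record.fields)
    identifiers = fields & IDENTIFIERS
    health = fields & HEALTH_INFO
    if not identifiers:
        # No identifier means the data cannot be tied to a person (a de-identified
        # lab result, an orphaned password), so none of the rules below apply.
        return Classification.NONE
    # PHI = health information + identifier + HIPAA holder + treatment/payment purpose.
    if health and record.holder in HIPAA_HOLDERS and record.purpose in HIPAA_PURPOSES:
        return Classification.PHI
    # Stand-alone SPII needs no other element.
    if fields & STANDALONE_SPII:
        return Classification.SPII
    # Combination SPII: a sensitive attribute plus an identifier other than itself.
    # DOB is in both lists, so a bare DOB stays plain PII; name + DOB is SPII.
    other_identifiers = identifiers - COMBINATION_SPII
    if other_identifiers and (fields & COMBINATION_SPII or health):
        return Classification.SPII
    return Classification.PII


# Constructed sample records (not real data) covering each branch of the rules.
SAMPLE_RECORDS = {
    "hospital_lab_result": Record(frozenset({"name", "medical_record_number", "lab_results"}),
                                  "covered_entity", "healthcare"),
    "deidentified_lab_result": Record(frozenset({"lab_results"}), "covered_entity", "healthcare"),
    "billing_vendor_invoice": Record(frozenset({"account_number", "medical_bills"}),
                                     "business_associate", "payment"),
    "employer_wellness_file": Record(frozenset({"name", "medications"}), "employer", "employment"),
    "school_nurse_note": Record(frozenset({"name", "allergies"}), "school", "education"),
    "newsletter_list": Record(frozenset({"name", "email"}), "other", "other"),
    "bare_ssn": Record(frozenset({"ssn"}), "other", "other"),
    "name_and_dob": Record(frozenset({"name", "dob"}), "other", "other"),
    "bare_dob": Record(frozenset({"dob"}), "other", "other"),
}


def classify_samples() -> dict:
    """Classify every sample record; returns {record name: label}."""
    return {name: classify(rec).value for name, rec in SAMPLE_RECORDS.items()}


if __name__ == "__main__":
    for name, label in classify_samples().items():
        print(f"{name:26} -> {label}")
```

The ordering of the checks matters: PHI is tested first because a hospital record with an SSN and a diagnosis is both stand-alone SPII and PHI, and the HIPAA label carries the stricter obligations. The holder and purpose checks are what separate the employer wellness file and the school nurse note (Sensitive PII, outside HIPAA) from the same data in a clinic's chart (PHI). Tagging is a judgement call, so treat the output as a starting point for classification, not a legal determination.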
Personally Identifiable Information. Any information that could be used alone or with other relevant data to identify an individual. Some examples of PII include passport information, race, and date of birth.
Internet Protocol (IP). The network-layer protocol that addresses and routes packets between hosts on the internet or a local network; every connection, whether sending mail, streaming video, or loading a website, carries the sender's IP address, which is why an IP address counts as PII above.
Sensitive Personally Identifiable Information. Any data that if lost, stolen, or disclosed without authorization could result in significant harm, embarrassment, inconvenience, or unfairness to an individual. Some SPII examples include, but are not limited to, Social Security or driver's license numbers.
Protected Health Information (PHI). Any individually identifiable health information that a covered entity or business associate creates, receives, uses, or shares in the course of diagnosis, treatment, or payment. Some examples of PHI are blood test results, phone records, and billing information from a doctor.
Health Insurance Portability and Accountability Act of 1996 (HIPAA). The U.S. federal law, described above, that requires covered entities and their business associates to safeguard PHI.
Identification or Identifier. Any data element, such as those listed in the PHI chart above, that links health or other information to a specific individual.