Last year, news broke that Morgan Stanley had agreed to pay $60 million to resolve a data security lawsuit by disgruntled customers. The class-action suit was filed against the financial services giant on behalf of about 15 million customers over the handling of their personal data.
More specifically, over how Morgan Stanley had failed not once but twice, in 2016 and 2019 respectively, to properly retire some of its older data center equipment. The oversight left the unencrypted personally identifiable information of current and former clients up for grabs to whoever purchased the assets. Think: people’s dates of birth, social security numbers, home and work contact information, the identity of their family members, plus passport, banking, and credit card information.
Improper safeguarding of sensitive information can cost organizations dearly in terms of time, money, and reputation. More than ever, in fact, according to IBM’s recently published Cost of a Data Breach Report. The study reveals that the global average cost of a data breach has risen to an all-time high at $4.35 million for the entities studied. This means a growth of 13% over the last two years, with the underlying security incidents possibly contributing to the rising costs of goods and services, the findings suggest.
Of course, it’s hard to protect what you don’t even know you have. And in a field that’s big on acronyms, it can be a bit of a challenge to tell the most thrown-around ones apart and not to make the mistake of using them interchangeably. In this article, we’re taking a deep dive into the PII vs. PHI conundrum, including the overlaps and differences between personally identifiable information and protected health information in terms of definition, requirements for regulatory compliance, and best practices for protection.
What does PII stand for? Definition and examples
Personally identifiable information, or PII for short, is in the simplest of terms any information related to an identifiable person.
It’s defined in Special Publication 800-122 by the National Institute of Standards and Technology (NIST) as “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”
According to the federal agency, PII examples include:
● Name, such as full name, maiden name, mother’s maiden name, or alias;
● Personal identification number, such as social security number, passport number, driver’s license number, taxpayer identification number, or financial account or credit card number;
● Address information, such as street address or email address;
● Personal characteristics, including photographic image (especially of face or other identifying characteristic), fingerprints, handwriting, or other biometric data (e.g., retina scan, voice signature, facial geometry);
● Information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, weight, activities, geographical indicators, employment information, medical information, education information, financial information).
What does PHI stand for? Definition and examples
Protected health information, or PHI, refers to an individual’s health information, whether it’s health status details, medical history, laboratory results, or insurance information, that is created or received by a medical professional or healthcare provider to identify them and determine appropriate care.
This PHI definition was introduced in 1996 under the Health Insurance Portability and Accountability Act (HIPAA), a landmark law that provided consumers with greater access to health insurance and mandated healthcare providers to safeguard the privacy of health data.
There are 18 HIPAA identifiers that, when paired with health information, become protected health information. These are the following:
● Names (full or last name and initial);
● All geographical identifiers smaller than a state;
● Dates (other than year) directly related to an individual;
● Phone numbers, fax numbers, email addresses;
● Social security numbers, medical record numbers, health insurance beneficiary numbers, account numbers, and certificate or license numbers;
● Vehicle identifiers (including serial numbers and license plate numbers) and device identifiers and serial numbers;
● Web uniform resource locators (URLs) and internet protocol (IP) address numbers;
● Biometric identifiers, including finger, retinal and voice prints, as well as face photographic images and any comparable images;
● Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data.
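The identifier list above is what a data-classification check has to look for before a record can be called PHI: health information alone is not PHI until it is paired with one of these identifiers. The script below is an added example written for this article, not code from the original page or from Tresorit; it recognises the identifier categories that have a recognisable shape (SSN, phone, email, full dates, IP addresses, URLs, ZIP codes) with regular expressions, treats a few assumed field names (`name`, `mrn`, `street` and so on) as identifiers by definition, and uses an assumed set of health-information field names. The three sample records are constructed. It assumes the holder is a HIPAA-covered entity, and it does not model the research exception for investigator-assigned codes.

```python
import re

# Identifier categories that can be recognised by shape. The patterns are deliberately
# conservative; names, geography and free text are handled by field name below.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"(?:\+1[ -]?)?\(?\d{3}\)?[ -]?\d{3}[ -]?\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # dates other than a bare year (ISO or US form)
    "full_date": re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{4})\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    # any geography smaller than a state; a bare year or state code does not match
    "zip_code": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}

# Assumed field names whose content is an identifier regardless of its shape
# (names, medical record numbers, account numbers, plates, device serials, street).
IDENTIFIER_FIELDS = {"name", "first_name", "last_name", "mrn", "member_id",
                     "account_number", "license_plate", "device_serial", "street"}

# Assumed field names that carry health information (status, history, results, insurance).
HEALTH_FIELDS = {"diagnosis", "lab_result", "medication", "insurance_plan", "visit_reason"}


def find_identifiers(record):
    """Return {field: [identifier categories]} for every field that looks like an identifier."""
    hits = {}
    for field, value in record.items():
        categories = []
        if field in IDENTIFIER_FIELDS:
            categories.append("named_identifier_field")
        for category, pattern in IDENTIFIER_PATTERNS.items():
            if pattern.search(value):
                categories.append(category)
        if categories:
            hits[field] = categories
    return hits


def has_health_information(record):
    """True when any assumed health-information field is populated."""
    return any(field in HEALTH_FIELDS and value.strip() for field, value in record.items())


def classify(record):
    """'PHI' when health information is paired with at least one identifier,
    'PII' when identifiers appear without health information, 'de-identified' otherwise.
    Assumes the record is held by a HIPAA-covered entity or its business associate."""
    identifiers = find_identifiers(record)
    if identifiers and has_health_information(record):
        return "PHI"
    if identifiers:
        return "PII"
    return "de-identified"


# Constructed sample records; the values are invented for this example.
PATIENT = {"name": "Jane Example", "dob": "1985-07-14", "zip": "12345",
           "email": "jane@example.com", "diagnosis": "type 2 diabetes"}
DEIDENTIFIED = {"birth_year": "1985", "state": "NY", "diagnosis": "type 2 diabetes"}
CONTACT = {"name": "Jane Example", "phone": "555-123-4567"}

if __name__ == "__main__":
    for label, rec in [("patient", PATIENT), ("deidentified", DEIDENTIFIED), ("contact", CONTACT)]:
        print(f"{label:13} -> {classify(rec)}  identifiers: {find_identifiers(rec)}")
```

The de-identified record keeps only a year and a state, which is why it triggers none of the patterns; adding a full date of birth or a ZIP code to it would turn it back into PHI. In practice the field-name sets should come from the organisation's own data dictionary rather than the assumed lists used here.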
PII vs. PHI: the key differences explained
Now that we’ve covered what the two terms refer to, let’s see what sets them apart. The answer is: context.
Personally identifiable information is an umbrella term for any information that can be used to figure out someone’s identity. Protected health information is a subset of PII: it covers health information and medical records that can identify an individual, and the term only applies to HIPAA-covered entities that create and share them.
Medical, educational, financial, and employment information can all be classified as PII. PHI, however, only covers records that contain information about an individual’s past, present or future physical or mental condition. This means that health information can fall under both PII and PHI, as can financial information if it pertains to payment for healthcare services.
PII confidentiality impact level: how compliant are you?
“All PII is not created equal,” clarifies the NIST. Meaning that personally identifiable information should be evaluated, and its confidentiality impact level defined so the right safeguards can be put in place to protect it. Impact levels range from low through moderate to high, depending on the potential harm individuals and the organization would face if the PII got stolen, misused, or leaked. According to the federal agency, these are the factors that organizations should take into consideration when categorizing information assets:
● Identifiability
Think about how easily PII can be used to identify specific individuals. For example, a social security number could uniquely and directly identify an individual, while a telephone area code can belong to a whole set of people.
● Quantity of PII
How many individuals could be identified from the PII, were it illegally accessed? Breaches of 25 and 25 million records can have markedly different consequences. Remember: this factor should only be used to increase the confidentiality impact level.
● Data field sensitivity
Next, assess the sensitivity of PII data fields, both individually and combined. For example, an individual’s social security number or financial account number is generally more sensitive than phone numbers or ZIP codes.
● Context of use
Based on the context of use, the same PII data elements might fall into different impact levels. Let’s say your organization has two lists with the same PII data fields, including name, address, and phone number, where the first list contains newsletter subscribers and the second undercover law enforcement officers. If the second list was leaked, the consequences would be way more far-reaching than in the case of the first.
● Obligations to protect confidentiality
It’s crucial to examine what obligations your organization has to protect personally identifiable information, whether they arise from laws, regulations, or other mandates. For example, the Internal Revenue Service in the US is subject to specific legal obligations to safeguard specific types of PII.
● Access to and location of PII
The nature of authorized access to and the location of PII are also worth considering when determining the confidentiality impact level. The more access people and systems have to the personally identifiable information and the more often it gets transmitted or transported across sites, the higher the risk.
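The six factors above describe what to weigh, but NIST does not prescribe an algorithm for combining them, so every organization ends up encoding its own rules. The following is an added example of such a scoring model, written for this article rather than taken from NIST or from Tresorit: the per-field sensitivity baseline, the 100,000-record quantity threshold, and the step rules are all assumptions, and the four sample assets are constructed. It does capture the constraints the text states, namely that quantity only ever raises the level and that the same fields land at different levels depending on context.

```python
from dataclasses import dataclass

LEVELS = ["low", "moderate", "high"]
QUANTITY_THRESHOLD = 100_000  # assumed: above this many records the quantity factor raises the level

# Assumed per-field baseline sensitivity for this organisation (not a table taken from NIST).
FIELD_SENSITIVITY = {
    "name": "low", "email": "low", "phone": "low", "zip_code": "low", "phone_area_code": "low",
    "street_address": "moderate", "date_of_birth": "moderate",
    "ssn": "high", "financial_account": "high", "medical_record": "high", "biometric": "high",
}


@dataclass
class PiiAsset:
    name: str
    fields: list                     # PII data fields the asset holds
    record_count: int                # individuals identifiable if the asset leaked
    directly_identifying: bool       # can some field alone pin down one person (SSN yes, area code no)?
    context: str = "routine"         # "routine" or "sensitive" (e.g. a list of undercover officers)
    legal_obligation: bool = False   # a statute or regulation mandates protection
    broad_access: bool = False       # many users/systems, or often transported between sites


def _step(level, delta):
    """Move a level up or down the scale without running off either end."""
    idx = min(max(LEVELS.index(level) + delta, 0), len(LEVELS) - 1)
    return LEVELS[idx]


def impact_level(asset):
    """Return (level, reasons) for an asset; the rules are this example's own model."""
    reasons = []
    # Data field sensitivity: the most sensitive field sets the starting point;
    # a field with no baseline is treated as moderate rather than ignored.
    level = max((FIELD_SENSITIVITY.get(f, "moderate") for f in asset.fields),
                key=LEVELS.index, default="low")
    reasons.append(f"field sensitivity: {level}")
    # Identifiability: the only factor permitted to lower the level.
    if not asset.directly_identifying and level != "low":
        level = _step(level, -1)
        reasons.append(f"not directly identifying: lowered to {level}")
    # Quantity of PII: only ever raises the level.
    if asset.record_count >= QUANTITY_THRESHOLD:
        level = _step(level, +1)
        reasons.append(f"{asset.record_count} records: raised to {level}")
    # Context of use: the same fields are riskier in a sensitive population.
    if asset.context == "sensitive":
        level = _step(level, +1)
        reasons.append(f"sensitive context: raised to {level}")
    # Obligations to protect confidentiality: a legal mandate sets a floor of moderate.
    if asset.legal_obligation and level == "low":
        level = "moderate"
        reasons.append("legal obligation: floor of moderate")
    # Access to and location of PII: broad access or frequent transport adds exposure.
    if asset.broad_access:
        level = _step(level, +1)
        reasons.append(f"broad access/transport: raised to {level}")
    return level, reasons


# Constructed sample assets (record counts and attributes are invented).
NEWSLETTER = PiiAsset("newsletter subscribers", ["name", "email", "phone"], 5_000, True)
OFFICERS = PiiAsset("undercover officers", ["name", "email", "phone"], 800, True,
                    context="sensitive", legal_obligation=True)
PAYROLL = PiiAsset("payroll export", ["name", "ssn", "financial_account"], 25_000_000, True,
                   legal_obligation=True)
BIRTHDATES = PiiAsset("birthdate statistics", ["date_of_birth"], 40_000, False)

if __name__ == "__main__":
    for asset in (NEWSLETTER, OFFICERS, PAYROLL, BIRTHDATES):
        level, reasons = impact_level(asset)
        print(f"{asset.name:24} {level:9} {'; '.join(reasons)}")
```

The newsletter and officer lists hold identical fields and come out at different levels purely because of context and obligations, which is the point the article makes; the payroll export is already high on field sensitivity alone, so the 25 million records cannot push it further. The returned reasons list is worth keeping with the classification record so an auditor can see which factor drove the result.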
PII, PHI and HIPAA: common violations (and fines) to avoid
“One frequent misunderstanding about HIPAA is that a violation is only a violation when it involves authorized uses and disclosures of PHI,” HIPAA Journal points out. In reality, there are many other HIPAA compliance pitfalls that covered entities and their business associates should be wary of. Failing to train staff on relevant protocols or to document what training they’ve received also counts as a violation, as does not keeping and monitoring PHI access logs, sharing PHI without having entered into a HIPAA-compliant agreement with a business associate, or texting unencrypted PHI.
HIPAA violations can result both in civil and in criminal penalties, mostly depending on severity, intent, duration, and scope. The four-tiered civil penalty structure goes from Tier 1 covering incidents that the organization in question was unaware of and could not have realistically foreseen to Tier 4, applicable to cases of willful neglect without corrections made in a timely manner. As of 2022, the minimum and maximum HIPAA violation penalty amounts are $127 per violation and $60,973 per violation, respectively, with a calendar-year cap of $1,919,173 for multiple violations of the same provision.
The types of violations that typically occur in regard to personally identifiable information include security control violations, unauthorized disclosure, unauthorized access, reporting-requirement violations, and supervision and training violations. An unauthorized disclosure violation means the deliberate, unauthorized disclosure of PII to others and may result in criminal prosecution and criminal penalties consisting of incarceration and monetary fines of up to $5,000. The same applies to cases of unauthorized access, which refer to the deliberate, unlawful access to or solicitation of PII.
4 PII and PHI protection best practices
1. Locate, identify, and analyze
Take inventory of PII and PHI within your organization: what data is gathered and stored, who can access it, what safeguards have been implemented to keep it safe and, most importantly, what risks might jeopardize the confidentiality, integrity, and availability of that data – and with it your PII or PHI compliance.
2. Monitor access – and keep things on a need-to-know basis
Make sure to regularly check who has access to what data – and if that access is absolutely necessary for them to carry out their jobs. In fact, the HIPAA minimum necessary standard specifically requires covered entities to limit unnecessary or inappropriate access to and disclosure of protected health information.
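A regular access review only works if it is run against something concrete: an access log on one side and a written need-to-know policy on the other. The script below is an added example for this article, not code from the original page or from Tresorit. It parses a handful of constructed access-log lines in an invented `key=value` format, compares each event against an assumed role policy (which PHI categories and actions each role needs for its job) and an assumed care-assignment list (which patients a clinician is currently responsible for), and reports every event that breaks the minimum necessary principle. The users, roles and patient IDs are all made up.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample access-log lines in a hypothetical key=value format.
LOG_LINES = """\
2024-03-01T08:02:11Z user=nurse01 role=nurse action=read category=clinical patient=P-1001
2024-03-01T08:05:40Z user=billing02 role=billing action=read category=billing patient=P-1001
2024-03-01T08:07:03Z user=billing02 role=billing action=read category=clinical patient=P-1001
2024-03-01T08:09:15Z user=nurse01 role=nurse action=read category=clinical patient=P-2044
2024-03-01T09:30:00Z user=nurse01 role=nurse action=export category=clinical patient=P-1001
2024-03-01T10:12:58Z user=admin7 role=sysadmin action=read category=clinical patient=P-3090
""".splitlines()

# Assumed need-to-know policy: the PHI categories and actions each role needs for its job.
ROLE_POLICY = {
    "nurse":    {"categories": {"clinical"}, "actions": {"read", "update"}},
    "billing":  {"categories": {"billing"},  "actions": {"read"}},
    "sysadmin": {"categories": set(),        "actions": set()},  # keeps systems running, needs no PHI
}

# Assumed current care assignments: clinical users may only touch their own patients.
# Users absent from this map (billing, admins) are governed by ROLE_POLICY alone.
ASSIGNMENTS = {"nurse01": {"P-1001"}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) action=(?P<action>\S+) "
    r"category=(?P<category>\S+) patient=(?P<patient>\S+)$"
)


def parse_line(line: str) -> dict:
    """Split one log line into its fields; an unparseable line is an error, not a silent skip."""
    match = LINE_RE.match(line)
    if not match:
        raise ValueError(f"unparseable access-log line: {line!r}")
    return match.groupdict()


def minimum_necessary_reason(event: dict) -> Optional[str]:
    """Return the first need-to-know rule the event breaks, or None if it is within policy."""
    policy = ROLE_POLICY.get(event["role"])
    if policy is None:
        return "unknown role"
    if event["category"] not in policy["categories"]:
        return "category not permitted for role"
    if event["action"] not in policy["actions"]:
        return "action not permitted for role"
    scope = ASSIGNMENTS.get(event["user"])
    if scope is not None and event["patient"] not in scope:
        return "patient outside assignment"
    return None


def review(lines):
    """Return one finding per out-of-policy event, in log order."""
    findings = []
    for line in lines:
        event = parse_line(line)
        reason = minimum_necessary_reason(event)
        if reason:
            findings.append({**event, "reason": reason})
    return findings


def findings_per_user(findings) -> Counter:
    """Tally findings by user so repeat offenders stand out in the review."""
    return Counter(f["user"] for f in findings)


if __name__ == "__main__":
    results = review(LOG_LINES)
    for f in results:
        print(f"{f['ts']} {f['user']:10} {f['patient']:7} {f['reason']}")
    print(findings_per_user(results))
```

Of the six events, four are flagged: billing staff and a system administrator reading clinical records, a nurse reading a patient who is not on her assignment list, and a nurse exporting a record when her role only permits reading and updating. The review deliberately reports one reason per event, since one event becomes one ticket; the parser raises on malformed lines because an access log that cannot be read is itself a finding, not something to skip over.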
3. Make encryption a default setting
Encryption is simply a must-have for organizations that want to minimize the risk of PII and PHI exposure both at rest and in transit. For the strongest protection, encryption keys should be controlled by the end user, and they should not be accessible to the service provider at any point of the encryption and decryption process.
4. Turn potential weak links into strengths
Here’s a harsh truth about your PII and PHI protection safeguards: they’re only as effective as the training programs you provide for staff, old and new, on what they mean for them. Check out some ideas from the US Department of Homeland Security on how to empower employees and build a culture of vigilance within your organization.
The solution for PII and PHI worries
Looking for a solution that provides the highest-grade security and PII and PHI protection? Tresorit’s zero-knowledge, end-to-end encrypted workspace gives you full control over the information you store and share. With our encryption technology, data is encrypted right on your device and remains encrypted in transit and on our servers. Only you have access to your encryption keys, ensuring that the information you store in Tresorit, including PII and PHI, is as safe as it can be. Learn more about how Tresorit helps those in the healthcare industry to protect their information.