PII in healthcare refers to any information that can be used to identify a specific person, such as a name, Social Security number, or date of birth. In the healthcare world, PII overlaps heavily with a related but distinct legal category called Protected Health Information (PHI), which is the term used by HIPAA. Understanding the difference between these two concepts, and knowing exactly what data qualifies, matters for anyone who works with patient records, manages a practice, or simply wants to know how their personal data is handled.
PII vs. PHI: A Key Distinction
PII is a broad term used across industries. It covers any data point that could identify you: your name, address, phone number, email, driver’s license number, or biometric data like fingerprints. Every sector from banking to retail deals with PII.
PHI is the healthcare-specific version, defined by HIPAA. It’s created when any of 18 specific identifiers are linked to health information. That health information includes anything related to your past, present, or future physical or mental health, the care you receive, or how that care is paid for. A name by itself is PII. A name attached to a diagnosis, lab result, or hospital bill becomes PHI.
This distinction has real legal consequences. PHI falls under HIPAA’s Privacy and Security Rules, which apply to healthcare providers, health plans, and their business associates (the vendors and contractors that handle PHI on their behalf). PII that isn’t tied to health data may be governed by other laws (like state privacy statutes or FTC regulations) but not by HIPAA itself. Northwestern University’s research compliance office defines PII used in research contexts as data that is “not considered PHI and is therefore not subject to the HIPAA Privacy and Security Rules.”
The 18 HIPAA Identifiers
HIPAA specifies exactly 18 types of identifiers. When any of these are connected to health information, the result is PHI. The full list is:
- Names
- Geographic data smaller than a state (street address, city, county, ZIP code)
- Dates directly related to an individual (birth date, admission date, discharge date, date of death), plus all ages over 89
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate or license numbers
- Vehicle identifiers and license plate numbers
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers (fingerprints, voiceprints)
- Full-face photographs or comparable images
- Any other unique identifying number, characteristic, or code
Some of these are obvious (your name, your Social Security number), but others surprise people. An IP address logged when you access a patient portal counts. A serial number on a medical device implanted in your body counts. A photograph of your face counts. The list also extends beyond the patient themselves to include identifiers of relatives, employers, and household members.
How Healthcare Data Gets De-Identified
When hospitals, insurers, or researchers need to use health data without triggering HIPAA protections, they strip out the identifying information through a process called de-identification. HHS recognizes two approved methods.
The Safe Harbor method is the more straightforward approach. It requires removing all 18 identifiers from the dataset. There are a few specific rules worth noting: you can keep the year portion of dates but must remove the month and day, anyone over 89 must be lumped into a “90 or older” category, and you can keep the first three digits of a ZIP code only if that three-digit zone contains more than 20,000 people. If it doesn’t, those digits get replaced with “000.”
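The Safe Harbor rules above applied to a single record, as an added example that is not code from the article: direct identifiers are dropped, dates keep only the year, ages over 89 become “90 or older”, and a ZIP code is cut to its three-digit prefix or to “000”. The record’s field names and the set of low-population three-digit ZIP prefixes are assumptions for the example; the authoritative set comes from census data.

```python
"""Safe Harbor transformations applied to a constructed patient record
(added example; field names and the low-population ZIP3 set are assumed)."""
from __future__ import annotations
from datetime import date
# Fields treated as direct identifiers (assumed schema for this example).
DIRECT_IDENTIFIERS = {"name", "ssn", "mrn", "phone", "fax", "email",
                      "ip_address", "device_serial", "street_address",
                      "city", "county", "photo_url"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date"}

def safe_harbor_zip(zip5: str, low_population_zip3: set[str]) -> str:
    """Keep the ZIP3 prefix only if its area has more than 20,000 people."""
    zip3 = zip5[:3]
    return "000" if zip3 in low_population_zip3 else zip3

def safe_harbor_date(iso_date: str) -> str:
    """Strip month and day; only the year may remain."""
    return str(date.fromisoformat(iso_date).year)

def safe_harbor_age(age: int) -> int | str:
    """Ages over 89 collapse into the single '90 or older' bucket."""
    return "90 or older" if age > 89 else age

def deidentify(record: dict, low_population_zip3: set[str]) -> dict:
    """Return a Safe Harbor copy of record; clinical fields pass through."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                                   # removed outright
        if field in DATE_FIELDS:
            out[field] = safe_harbor_date(value)
        elif field == "zip":
            out[field] = safe_harbor_zip(value, low_population_zip3)
        elif field == "age":
            out[field] = safe_harbor_age(value)
        else:
            out[field] = value
    # HHS's rule also bars any date element (even the year) revealing age > 89.
    if record.get("age", 0) > 89:
        out.pop("birth_date", None)
    return out

# Constructed sample (fictitious values; 192.0.2.x is a documentation range).
SAMPLE = {"name": "Jane Example", "ssn": "000-00-0000", "mrn": "MRN-12345",
          "email": "jane@example.com", "ip_address": "192.0.2.10",
          "birth_date": "1931-04-17", "age": 94, "zip": "03601", "state": "NH",
          "admission_date": "2024-02-03", "diagnosis": "I10", "lab_result": "A1c 6.1%"}
if __name__ == "__main__":
    print(deidentify(SAMPLE, low_population_zip3={"036"}))
```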
The Expert Determination method is more flexible but requires hiring a qualified statistician or data scientist. That expert must apply accepted scientific methods to verify that the risk of re-identifying any individual is “very small,” then document their analysis. This approach lets organizations keep more data detail intact while still meeting the legal standard.
The Minimum Necessary Rule
Even when sharing PHI is legally permitted, HIPAA doesn’t give organizations a blank check. The Privacy Rule requires covered entities to limit what they use, disclose, or request to the minimum amount of information needed for the task at hand. A billing department processing a claim doesn’t need your full medical history, only the codes and details relevant to that specific charge.
Organizations are expected to define which employees or roles can access which categories of information, and under what conditions. For routine, recurring disclosures, they can set standard protocols rather than reviewing every individual request. Non-routine requests require case-by-case review.
There are notable exceptions. The minimum necessary rule does not apply when a provider is sharing information for treatment purposes, when a patient requests their own records, or when a patient has signed an authorization for a specific disclosure. It also doesn’t apply to disclosures required by other laws or to HHS enforcement actions.
What Happens After a Breach
When PII or PHI is exposed in a breach, HIPAA’s Breach Notification Rule sets strict timelines. Organizations must notify affected individuals within 60 days of discovering the breach. If 500 or more people are affected, the organization must also alert HHS and prominent media outlets in the same 60-day window. Breaches affecting fewer than 500 people can be reported to HHS annually, with reports due no later than 60 days after the end of the calendar year in which they were discovered.
Business associates, the third-party vendors and contractors that handle data on behalf of healthcare organizations, face their own 60-day deadline to notify the covered entity when they discover a breach.
Financial Penalties for Violations
HIPAA enforcement uses a four-tier penalty structure based on the level of negligence involved. At the lowest tier, where the organization genuinely didn’t know about the violation, fines range from $100 to $50,000 per violation with an annual cap of $25,000 for repeat offenses. When there’s “reasonable cause” but no willful neglect, fines start at $1,000 per violation with an annual cap of $100,000.
The penalties escalate sharply for willful neglect. If the problem is corrected within the required timeframe, fines range from $10,000 to $50,000 per violation, capped at $250,000 annually. If it’s not corrected, every violation carries a flat $50,000 penalty with an annual maximum of $1.5 million. These are civil penalties; criminal violations can carry additional consequences.
Health Apps and Data Outside HIPAA
A growing amount of health-related PII lives outside HIPAA’s reach entirely. Fitness trackers, period-tracking apps, mental health platforms, and wellness apps collect deeply personal health data, but because these companies typically aren’t healthcare providers or health plans, HIPAA doesn’t apply to them.
The Federal Trade Commission fills part of this gap through its Health Breach Notification Rule, which requires vendors of personal health records to notify consumers when their unsecured data is breached. If 500 or more people are affected, the company must also notify the media. But this rule covers breach notification, not the broader set of privacy protections that HIPAA provides for data held by traditional healthcare entities.
State laws add another layer. California’s CCPA, one of the strongest state privacy laws, explicitly exempts certain medical information that’s already covered by other health privacy statutes. This means data held by your doctor or insurer is generally governed by HIPAA rather than the CCPA, while health data collected by non-HIPAA entities (like a wellness app company based in California) may fall under state consumer privacy protections instead. The regulatory landscape is fragmented, and which rules apply to your data depends largely on who collected it.