Disclaimer: This blog post is not legal advice. Piwik PRO provides privacy-friendly analytics software, but doesn’t provide legal consultancy. If you’d like to make sure that you comply with HIPAA guidelines, we encourage you to consult an attorney.
Personally identifiable information (PII) and protected health information (PHI) may seem similar. However, there are critical distinctions between the two. While PII is a catch-all term for any information that can be associated with an individual, PHI applies specifically to HIPAA-covered entities dealing with identifiable patient information.
Keeping HIPAA compliant and protecting patient information requires healthcare organizations to understand the differences between PII and PHI. Especially if they want to use such data to promote their services or improve the digital customer experience.
This blog post explains what differentiates PHI from PII and the key identifiers that change health information into PHI under HIPAA. You will also learn how your organization can protect PHI and run compliant marketing activities.
PII stands for personally identifiable information, an American legal term for any information that identifies, links, or relates to a person, including:
- Full name
- Home address
- Email address
- Social security number
- Passport number
- Driver’s license number
- Credit card number
- Date of birth
- Telephone number
- Owned properties, e.g., vehicle identification number (VIN)
- Login details
- Processor or device serial number
- Media access control (MAC)
- Internet Protocol (IP) address
- Device IDs
US government agencies and non-governmental organizations often reference PII. That said, the US lacks an overriding law covering PII in all 50 states, so your understanding of PII may differ depending on the state or sector you operate in. A common definition is provided by the National Institute of Standards and Technology (NIST):
PII is any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
Medical, educational, employment, and financial information all fall under PII. However, the line between PII and other kinds of information is vague. As the US General Services Administration stresses, the “definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified”.
Healthcare organizations deal with sensitive information concerning people’s health. In the US, safe parameters for using this kind of data in different contexts, including marketing, are set by the Health Insurance Portability and Accountability Act (HIPAA).
The definition of protected health information is broad. PHI and electronically protected health information (ePHI) mean any identifiable data about the patient, including name, address, date of birth, SSN, device identifiers, email addresses, biometrics, lab or imaging results, medical history, and payment information.
Thus, PHI is a subset of PII that refers explicitly to information processed by HIPAA-covered entities. When health information is combined with a personal identifier, the data becomes PHI.
What are HIPAA-covered entities?
Covered entities are specified in the HIPAA Privacy Rule as health plans, healthcare clearinghouses, and healthcare providers.
The Department of Health and Human Services (HHS) lists the 18 HIPAA identifiers:
- All geographic subdivisions smaller than a state (street address, city, county, zip code)
- Dates, including birthdate, admission date, discharge date, and date of death
- Telephone number
- Fax number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary numbers
- Account number
- Certificate/license number
- Vehicle identifiers and serial numbers, including license plate number
- Device identifiers and serial numbers
- Web URL
- IP address
- Biometric identifiers, including fingerprints and voice
- Full face photo
- Any other unique identifying number, characteristic, or code
As a result, not all health information acquired by organizations constitutes PHI. For example, phone numbers and residential addresses alone are not PHI. But if this data is connected with details about a health condition, treatment plan, or other particular health information, it would transform from PII to PHI.
In a Bulletin, the Office for Civil Rights (OCR) at the HHS stated that PII collected on a covered entity’s website or app is PHI, even if the individual does not have an existing relationship with the entity. Moreover, it’s considered PHI even if the identifiable data
doesn’t include specific treatment or billing information. When a covered entity collects such information, it indicates that a person has received or will receive health care services or benefits from the covered entity.
For more details on what qualifies as PHI, visit the HIPAA journal.
The requirements for processing PHI help protect patient privacy and allow making care coordination easier. The HIPAA Privacy Rule ensures that PHI is shared and used only with patient permission or for care coordination between covered entities. Identifiable health information is not considered PHI unless that organization is a HIPAA-covered entity.
Another area important in understanding PII and PHI is the penalties for non-compliance with applicable regulations. As PHI applies specifically to HIPAA-covered entities that possess identifiable health information, using the terms interchangeably can lead to compliance issues. PII and PHI penalties are primarily financial, but in severe cases they may also include incarceration.
To help organizations manage and protect PII appropriately, the National Institute of Standards and Technology (NIST) created the “PII confidentiality impact level” standard, allowing entities to categorize PII into low, moderate, or high-risk levels. The levels are determined by evaluating the potential harm to individuals and the organization if the PII ends up in the wrong hands.
What is high-impact PII for some could be at a low impact level for others. Each organization will have different needs depending on the types of PII they are storing and the way it is organized. For example, Social Security Numbers are more sensitive than phone numbers and may be categorized at a high confidentiality impact level. In addition, a breach involving the information of 30 people will likely be less impactful than one involving 300,000 people.
When a PII breach occurs, businesses must report the incident. But data breach notification laws vary state by state. US lawmakers have introduced legislation requiring companies to notify the government within 24 hours of a data breach. Many states do not have strict deadlines when businesses report a violation to the government.
Deliberate, unauthorized disclosure of PII to others may result in incarceration and fines of up to $5,000.
The HIPAA Security Rule strictly regulates PHI breaches. It “establishes national standards to protect individuals’ electronic personal health information created, received, used, or maintained by a covered entity.”
PHI penalties are primarily financial and can be applied to healthcare providers, health plans, healthcare clearinghouses, and all other health organizations and business associates who have violated HIPAA rules.
In the case of PHI, HIPAA-covered entities that face a data breach are legally required to notify the HHS and state agencies within 60 days of the breach. If the breach impacts more than 500 residents of a state, organizations must notify major local media outlets through a press release.
In addition, covered entities must send a written notice in the mail to all impacted individuals and post information on the homepage of their website for at least 90 days. Specific requirements vary by state.
The penalties for HIPAA violations are divided into tiers based on the seriousness of the violation. Each level sets out criminal penalties, a fine, and a jail term, if applicable. HIPAA violation fines can be issued up to a maximum of $25,000 per violation category per calendar year. The minimum penalty is $100 per violation.
Health organizations are obligated to protect their patients’ PHI under HIPAA. You must apply a few safeguarding practices while collecting and processing data online.
- Establish a business associate agreement (BAA) with every platform you use for marketing, advertising, and analytics and every company you’ll share your clients’ PHI with that meets the definition of a “business associate.” If you are a health organization and choose to send PHI to a business associate, you must have a written BAA requiring the associate to comply with HIPAA standards. If you don’t want to create a business associate relationship with the vendor or the vendor will not provide a satisfactory BAA, you cannot disclose PHI to that vendor without individuals’ authorization.
- Provide breach notification to affected individuals, the Secretary, and the media (when applicable).
- Address the use of analytics and other data platforms in the covered entity’s risk analysis and risk management processes. Implement other administrative, physical, and technical safeguards following the Security Rule to protect PHI. These can include encrypting PHI transmitted to the analytics vendor and enabling and using appropriate authentication, access, encryption, and audit controls when accessing PHI maintained in the analytics platform infrastructure.
- Work with vendors that support values such as privacy by design. Following these values will help you fully control your data and understand what data you collect, store, and transfer.
- Alternatively, you can detangle PHI from its HIPAA protections for research purposes or marketing by removing all 18 elements of PHI. Once the data is impossible to trace back to one individual, it is no longer PHI and no longer has protection under HIPAA.
It’s important to think through both the legal aspect of data collection in terms of what legal agreements need to be in place with vendors to be in compliance with HIPAA, and the technical aspect of data collection – what data can be stored and where, as well as what data needs to be anonymized prior to storage.
VP, Data & Analytics at SPM Marketing & Communications
The obligations of healthcare companies that deal with PHI don’t stop there. HIPAA defines five major rules that all organizations (including online software) that store, record, or share PHI must follow. Read them here:
If you want to learn more about the requirements a reliable vendor for HIPAA-covered entities should provide, discover how Piwik PRO Analytics Suite ensures HIPAA compliance so that you can collect and analyze PHI and ePHI. This helps you provide your patients with an even better and more personalized experience while respecting the highest privacy and security safeguards.
Running marketing campaigns and collecting data in the context of PHI on popular platforms poses some compliance risks. These platforms weren’t built for such privacy-sensitive industries as healthcare.
Health organizations cannot disclose PHI to marketing and analytics platforms without the user’s authorization (for example, with their signature). They must ensure that they disclose PHI only as expressly permitted or required by the HIPAA Privacy Rule.
Even data collected from marketing pages and used in retargeting campaigns may constitute PHI. We have mentioned 18 types of data, including names, addresses, and medical records, but also user IDs and IPs often used to recognize visitors across channels. In most cases, using this information for marketing also requires the patient’s authorization and an advertising or analytics platform that allows PHI and provides enough data protection.
Most marketing and analytics platforms, including Google Analytics, forbid using PHI data in their products.
It means you must either make an extra effort to avoid passing any trace of PHI to your analytics, or switch to an analytics platform that will help you process patient data with the proper safeguards.
Read more about it here: Is your analytics project HIPAA-compliant? A handy checklist
Consider investing in a safe first-party data ecosystem to use PHI in a way that fully respects HIPAA. Combining data from multiple touchpoints, including your analytics, email marketing software, customer management platforms, and offline sources, opens up many possibilities when done with full respect for patient privacy. Such marketing activities are possible with trusted business partners ready to meet the requirements of HIPAA.
I highly recommend using server-side tagging on your website if you’re running digital marketing campaigns that send users to your site. Server-side tagging allows you to scrub PHI/PII from any user data ingested before sending that data back to the vendor.
VP, Data & Analytics at SPM Marketing & Communications
There are many different demands for compliant marketing and analytics under HIPAA, read more:
Understanding the scope of PII and PHI will help you to maintain HIPAA compliance and protect patient data, especially if you use third-party platforms like analytics. You will also be able to run compliant marketing activities.
To avoid the potential risks of using popular ad platforms or analytics tools in a highly regulated sector such as healthcare, consider employing marketing strategies that don’t involve big tech products. A first-party data strategy can benefit your organization and help you build a relationship with your patients grounded in trust.
If you’d like to learn more about data activation under HIPAA, contact us. We’ll be happy to present some compliant use cases to you.
- Is Google Analytics HIPAA-compliant?
- Is your analytics project HIPAA-compliant? A complete checklist with 32 questions
- Marketing and advertising in a privacy-first world
- First-party data: The future of digital marketing
- Server-side analytics tracking with first-party collector: What you need to know