PHI and PII: How they impact HIPAA compliance and your marketing strategy

Disclaimer: This blog post is not legal advice. Piwik PRO provides privacy-friendly analytics software, but doesn’t provide legal consultancy. If you’d like to make sure that you comply with HIPAA guidelines, we encourage you to consult an attorney.

Personally identifiable information (PII) and protected health information (PHI) may seem similar. However, there are critical distinctions between the two. While PII is a catch-all term for any information that can be associated with an individual, PHI applies specifically to HIPAA-covered entities dealing with identifiable patient information. 

Keeping HIPAA compliant and protecting patient information requires healthcare organizations to understand the differences between PII and PHI. Especially if they want to use such data to promote their services or improve the digital customer experience.

This blog post explains what differentiates PHI from PII and the key identifiers that change health information into PHI under HIPAA. You will also learn how your organization can protect PHI and run compliant marketing activities.

PII vs. PHI

PII Defined

PII stands for personally identifiable information, an American legal term for any information that identifies, links, or relates to a person, including:

• Full name
• Home address
• Email address
• Social security number
• Passport number
• Driver’s license number
• Credit card number
• Date of birth
• Telephone number
• Owned properties, e.g., vehicle identification number (VIN) 
• Login details
• Processor or device serial number
• Media access control (MAC)
• Internet Protocol (IP) address
• Device IDs
• Cookies

US government agencies and non-governmental organizations often reference PII. That said, the US lacks an overriding law covering PII in all 50 states, so your understanding of PII may differ depending on the state or sector you operate in. A common definition is provided by the National Institute of Standards and Technology (NIST):

PII is any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

Medical, educational, employment, and financial information all fall under PII. However, the line between PII and other kinds of information is vague. As the US General Services Administration stresses, the “definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified”.

What is PHI in healthcare?

Healthcare organizations deal with sensitive information concerning people’s health. In the US, safe parameters for using this kind of data in different contexts, including marketing, are set by the Health Insurance Portability and Accountability Act (HIPAA).

The definition of protected health information is broad. PHI and electronically protected health information (ePHI) mean any identifiable data about the patient, including name, address, date of birth, SSN, device identifiers, email addresses, biometrics, lab or imaging results, medical history, and payment information.

Thus, PHI is a subset of PII that refers explicitly to information processed by HIPAA-covered entities. When health information is combined with a personal identifier, the data becomes PHI.

The Department of Health and Human Services (HHS) lists the 18 HIPAA identifiers:

1. Name
2. All geographic subdivisions smaller than a state (street address, city, county, zip code)
3. Dates, including birthdate, admission date, discharge date, and date of death
4. Telephone number
5. Fax number
6. Email address
7. Social Security number
8. Medical record number
9. Health plan beneficiary numbers
10. Account number
11. Certificate/license number
12. Vehicle identifiers and serial numbers, including license plate number
13. Device identifiers and serial numbers
14. Web URL
15. IP address
16. Biometric identifiers, including fingerprints and voice
17. Full face photo
18. Any other unique identifying number, characteristic, or code

As a result, not all health information acquired by organizations constitutes PHI. For example, phone numbers and residential addresses alone are not PHI. But if this data is connected with details about a health condition, treatment plan, or other particular health information, it would transform from PII to PHI.

The requirements for processing PHI help protect patient privacy and allow making care coordination easier. The HIPAA Privacy Rule ensures that PHI is shared and used only with patient permission or for care coordination between covered entities. Identifiable health information is not considered PHI unless that organization is a HIPAA-covered entity.

PII and PHI penalties and compliance

Another area important in understanding PII and PHI is the penalties for non-compliance with applicable regulations. As PHI applies specifically to HIPAA-covered entities that possess identifiable health information, using the terms interchangeably can lead to compliance issues. PII and PHI penalties are primarily financial, but in severe cases they may also include incarceration.

PII

To help organizations manage and protect PII appropriately, the National Institute of Standards and Technology (NIST) created the “PII confidentiality impact level” standard, allowing entities to categorize PII into low, moderate, or high-risk levels. The levels are determined by evaluating the potential harm to individuals and the organization if the PII ends up in the wrong hands.

What is high-impact PII for some could be at a low impact level for others. Each organization will have different needs depending on the types of PII they are storing and the way it is organized. For example, Social Security Numbers are more sensitive than phone numbers and may be categorized at a high confidentiality impact level. In addition, a breach involving the information of 30 people will likely be less impactful than one involving 300,000 people.

When a PII breach occurs, businesses must report the incident. But data breach notification laws vary state by state. US lawmakers have introduced legislation requiring companies to notify the government within 24 hours of a data breach. Many states do not have strict deadlines when businesses report a violation to the government.

Deliberate, unauthorized disclosure of PII to others may result in incarceration and fines of up to $5,000.

PHI

The HIPAA Security Rule strictly regulates PHI breaches. It “establishes national standards to protect individuals’ electronic personal health information created, received, used, or maintained by a covered entity.”

PHI penalties are primarily financial and can be applied to healthcare providers, health plans, healthcare clearinghouses, and all other health organizations and business associates who have violated HIPAA rules.

In the case of PHI, HIPAA-covered entities that face a data breach are legally required to notify the HHS and state agencies within 60 days of the breach. If the breach impacts more than 500 residents of a state, organizations must notify major local media outlets through a press release.

In addition, covered entities must send a written notice in the mail to all impacted individuals and post information on the homepage of their website for at least 90 days. Specific requirements vary by state.

The penalties for HIPAA violations are divided into tiers based on the seriousness of the violation. Each level sets out criminal penalties, a fine, and a jail term, if applicable. HIPAA violation fines can be issued up to a maximum of $25,000 per violation category per calendar year. The minimum penalty is $100 per violation.

Safeguarding your organization’s and user’s online data

Health organizations are obligated to protect their patients’ PHI under HIPAA. You must apply a few safeguarding practices while collecting and processing data online.

1. Establish a business associate agreement (BAA) with every platform you use for marketing, advertising, and analytics and every company you’ll share your clients’ PHI with that meets the definition of a “business associate.” If you are a health organization and choose to send PHI to a business associate, you must have a written BAA requiring the associate to comply with HIPAA standards. If you don’t want to create a business associate relationship with the vendor or the vendor will not provide a satisfactory BAA, you cannot disclose PHI to that vendor without individuals’ authorization. 
2. Provide breach notification to affected individuals, the Secretary, and the media (when applicable).
3. Address the use of analytics and other data platforms in the covered entity’s risk analysis and risk management processes. Implement other administrative, physical, and technical safeguards following the Security Rule to protect PHI. These can include encrypting PHI transmitted to the analytics vendor and enabling and using appropriate authentication, access, encryption, and audit controls when accessing PHI maintained in the analytics platform infrastructure.
4. Work with vendors that support values such as privacy by design. Following these values will help you fully control your data and understand what data you collect, store, and transfer. 
5. Alternatively, you can detangle PHI from its HIPAA protections for research purposes or marketing by removing all 18 elements of PHI. Once the data is impossible to trace back to one individual, it is no longer PHI and no longer has protection under HIPAA.

The obligations of healthcare companies that deal with PHI don’t stop there. HIPAA defines five major rules that all organizations (including online software) that store, record, or share PHI must follow. Read them here:

• Privacy Rule
• Security Rule
• Enforcement Rule
• Breach Notification Rule
• Omnibus Rule

How to do compliant marketing under HIPAA

Running marketing campaigns and collecting data in the context of PHI on popular platforms poses some compliance risks. These platforms weren’t built for such privacy-sensitive industries as healthcare.

Health organizations cannot disclose PHI to marketing and analytics platforms without the user’s authorization (for example, with their signature). They must ensure that they disclose PHI only as expressly permitted or required by the HIPAA Privacy Rule.

Remember that health organizations may reveal the use of analytics or marketing tools in their website or app’s privacy policy and terms and conditions, but disclosing PHI to vendors cannot be based only on such notices. Covered entities must have a BAA with the vendor and an appropriate Privacy Rule permission before disclosing any PHI. You also need authorization to collect certain kinds of PHI, not only for sharing it with third parties.

Even data collected from marketing pages and used in retargeting campaigns may constitute PHI. We have mentioned 18 types of data, including names, addresses, and medical records, but also user IDs and IPs often used to recognize visitors across channels. In most cases, using this information for marketing also requires the patient’s authorization and an advertising or analytics platform that allows PHI and provides enough data protection.

Consider investing in a safe first-party data ecosystem to use PHI in a way that fully respects HIPAA. Combining data from multiple touchpoints, including your analytics, email marketing software, customer management platforms, and offline sources, opens up many possibilities when done with full respect for patient privacy. Such marketing activities are possible with trusted business partners ready to meet the requirements of HIPAA.

Final thoughts

Understanding the scope of PII and PHI will help you to maintain HIPAA compliance and protect patient data, especially if you use third-party platforms like analytics. You will also be able to run compliant marketing activities.

To avoid the potential risks of using popular ad platforms or analytics tools in a highly regulated sector such as healthcare, consider employing marketing strategies that don’t involve big tech products. A first-party data strategy can benefit your organization and help you build a relationship with your patients grounded in trust.

If you’d like to learn more about data activation under HIPAA, contact us. We’ll be happy to present some compliant use cases to you.