ePHI vs. PII: What’s the Difference?

HIPAA defines very specific ways that organizations can store, process, and access patient information. If you’re trying to understand HIPAA requirements, you might come across the acronyms ePHI (Electronic Protected Health Information) and PII (Personally Identifiable Information).

While these terms can sometimes be used interchangeably, they’re not the same. ePHI and PII are similar, but their differences can impact HIPAA compliance. Learn how PII works, what ePHI is, and the biggest differences between the two.

How PII Works

Personally Identifiable Information, or PII, is an umbrella term for any information that can be used, alone or combined with other data, to identify a specific person. It doesn't have to be secret to count: a name plus a date of birth is PII. PII isn't a HIPAA-specific term, either: it applies to any industry.

Plenty of data counts as PII, including:

  • Educational information
  • Financial information
  • Employment history
  • Email addresses
  • Photos
  • Mother’s maiden name
  • Credit card information
  • Social media data
  • Phone book listings
  • Public website listings

The good news is that PII is usually less tightly regulated than ePHI, although that depends on your industry and jurisdiction. If you're a HIPAA covered entity or business associate, however, you should treat any identifiable information that relates to a person's health, care, or payment for care as ePHI unless you've confirmed it falls outside HIPAA (the main exclusions are employment records you hold as an employer and education records covered by FERPA).

The Definition of ePHI

Electronic Protected Health Information, or ePHI, is a type of PII that's highly regulated. If HIPAA considers you a covered entity or a business associate of a covered entity, most of the identifiable information you hold about patients is ePHI.

Protected Health Information (PHI) is individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits, in any form: electronic, paper, or spoken. ePHI is the subset that exists in electronic form. No matter where your organization stores it (in the cloud, on premises, on endpoints, in backups), the HIPAA Security Rule requires administrative, physical, and technical safeguards to protect its confidentiality, integrity, and availability.

At the same time, in today’s information-sharing age clinicians need to be able to share and access ePHI easily to inform healthcare decisions, improve patient outcomes, boost productivity, and improve patient safety and satisfaction. This creates competing interests — sharing and securing ePHI — that must be carefully balanced.

The HIPAA Privacy Rule (issued in 2000 and amended in 2002) defines what counts as protected health information, and its Safe Harbor de-identification standard lists 18 identifiers that, combined with health information, make that information identifiable:

  • Name
  • Geographic subdivisions smaller than a state, including street address, city, county, and ZIP code (the first three ZIP digits may be kept in most areas)
  • Dates (other than year) directly related to the individual, such as date of birth, admission and discharge dates, and date of death; also any age over 89
  • Phone or fax number
  • Email address
  • Social security number
  • Medical record numbers
  • Account numbers
  • Health plan beneficiary numbers
  • Certificate or license numbers, like a driver's license
  • Vehicle identifiers, including license plate or VIN
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Full-face photographs and comparable images
  • Biometric identifiers, such as fingerprints or voiceprints
  • Any other unique identifying number, characteristic, or code

Health information such as medical records, lab results, and X-rays becomes PHI when it's tied to any of these identifiers. Patients have a right to access their own records, and when you transmit ePHI, whether to a patient or to another provider, the Security Rule requires you to guard it against interception; encryption in transit is the standard way to meet that requirement.

A provider can use and disclose PHI without patient authorization for treatment, payment, and health care operations, and in the other situations the Privacy Rule specifically permits (such as certain public health reporting). Beyond those, the usual route to using patient data freely, for analytics or research, is de-identification. Under the Safe Harbor method, all 18 identifiers are removed and the provider has no actual knowledge that what remains could identify the individual; under the Expert Determination method, a qualified expert documents that the risk of re-identification is very small. Properly de-identified data is no longer PHI, so HIPAA no longer restricts it.
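The Safe Harbor de-identification described above, as an added example that is not code from the original article or from Tausight's product. It first inventories which identifier categories a record contains (the "know what you have" step) and then produces a de-identified copy: direct identifiers are dropped, dates are reduced to the year, ages over 89 collapse to "90 or older", ZIP codes are truncated to three digits, and identifiers that leak into free-text notes are scrubbed by pattern. The record layout, field names, restricted ZIP prefixes, and sample patient are assumptions constructed for illustration.

```python
"""Safe Harbor de-identification of a patient record.

Added example, not from the original article or Tausight's product. Implements the
HIPAA Safe Harbor method (45 CFR 164.514(b)(2)) over an assumed record layout;
the field names and the sample patient below are constructed for illustration.
"""
from __future__ import annotations
import re
from datetime import date

# Record fields holding Safe Harbor direct identifiers (assumed field names).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial", "url",
    "ip_address", "biometric_id", "photo",
}
# Date fields: only the year may survive, and not even that for patients over 89.
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date", "date_of_death"}
# ZIP prefixes covering 20,000 people or fewer must become "000". Illustrative
# subset (assumption); derive the real set from current Census data.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203"}
# Identifiers that leak into free text (notes, messages). Order matters: SSNs are
# scrubbed before the looser phone pattern sees the text.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "mrn": re.compile(r"\bMRN[:# ]*\d{6,}\b", re.IGNORECASE),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def age_on(dob: date, reference: date) -> int:
    """Whole years between dob and reference; an explicit reference keeps results deterministic."""
    years = reference.year - dob.year
    if (reference.month, reference.day) < (dob.month, dob.day):
        years -= 1
    return years


def generalize_zip(zip_code: str) -> str:
    """Keep the first three ZIP digits unless that prefix is too sparsely populated."""
    prefix = zip_code[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def scrub_text(text: str) -> tuple[str, list[str]]:
    """Replace identifier patterns in free text; return scrubbed text and the kinds found."""
    found = []
    for kind, pattern in FREE_TEXT_PATTERNS.items():
        text, hits = pattern.subn(f"[{kind.upper()}]", text)
        if hits:
            found.append(kind)
    return text, found


def inventory(record: dict) -> dict[str, list[str]]:
    """Map each field that contains an identifier to the identifier kinds found in it."""
    hits: dict[str, list[str]] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or key in DATE_FIELDS or key == "zip":
            hits[key] = [key]
        elif isinstance(value, str):
            _, kinds = scrub_text(value)
            if kinds:
                hits[key] = kinds
    return hits


def deidentify(record: dict, reference: date) -> dict:
    """Return a Safe Harbor de-identified copy of record; the input is left unchanged."""
    dob = record.get("date_of_birth")
    over_89 = dob is not None and age_on(dob, reference) > 89
    out: dict = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # direct identifiers are removed outright
        if key in DATE_FIELDS:
            if key == "date_of_birth" and over_89:
                continue  # even the birth year would reveal an age over 89
            out[key] = value.year
        elif key == "zip":
            out[key] = generalize_zip(value)
        elif isinstance(value, str):
            out[key], _ = scrub_text(value)  # notes and other free text
        else:
            out[key] = value
    if dob is not None:
        out["age"] = "90 or older" if over_89 else age_on(dob, reference)
    return out


# Constructed sample record; no real patient.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "00123456",
    "date_of_birth": date(1931, 5, 2),
    "admission_date": date(2023, 3, 14),
    "zip": "02139",
    "diagnosis": "Type 2 diabetes mellitus",
    "notes": "Pt called from 617-555-0123, reachable at jane@example.com. Follow-up 03/21/2023. MRN: 00123456.",
}

if __name__ == "__main__":
    print(inventory(SAMPLE_RECORD))
    print(deidentify(SAMPLE_RECORD, date(2023, 3, 14)))
```

The structured fields are the easy part; the free-text scrubber is a heuristic and will miss names, addresses written out in prose, and unusual identifier formats, which is why Safe Harbor also requires that you have no actual knowledge the remaining data could identify someone. Clinical notes released under Safe Harbor need a review step on top of pattern matching, or the Expert Determination route instead.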

The Biggest Differences Between ePHI and PII

How, exactly, are these two types of data different?

It isn’t always clear-cut, and it’s important to look at the differences on a situational basis. In many cases, ePHI is also PII. However, PII and ePHI differ in three big ways.

1. Industry

If you’re a covered entity or a business associate under HIPAA, most of the patient PII you hold is ePHI. PII is a generic umbrella term for any type of identifying data and applies to any industry, while ePHI refers specifically to health information held by covered entities (providers, health plans, and clearinghouses) and their business associates.

2. HIPAA Regulation

PII isn’t necessarily covered by HIPAA, while HIPAA governs all ePHI. If you’re a covered entity or business associate and your PII includes or is linked with health, treatment, or payment information, it is ePHI and HIPAA applies.

ePHI has very strict rules for how organizations can access and use patient data, and stiff penalties if you fail to protect this information. PII outside that context isn’t subject to HIPAA at all, although other privacy laws may still apply to it.

3. Legal Requirements

HIPAA’s Privacy, Security, and Breach Notification Rules impose strict legal requirements on ePHI: breach notification, risk analysis, audit controls, workforce training, documentation, and much more. Covered entities and business associates have to meet these requirements on an ongoing basis, not just when an audit comes around, or risk penalties and fines.

Since PII outside HIPAA’s scope isn’t governed by it, handling data privacy, training, and breach notification is generally up to the organization and to whatever local, state, national, and sector-specific laws apply (state breach-notification statutes, GDPR, and the like). Those have historically been less prescriptive than HIPAA, but newer breach-reporting regimes set deadlines measured in days or, in some cases, hours, so PII is becoming increasingly regulated.

Know Whether You Have ePHI or PII

Whether you have ePHI or PII, the good news is that cybersecurity best practices will help you protect both. The first step to protecting your sensitive information is to know what you have, where it is, and how you’re securing it — in other words, you need situational ePHI awareness.

Tausight is a situational ePHI awareness platform designed specifically for the healthcare environment. Using Tausight’s innovative platform, you can identify sensitive information across your organization so that you can adequately protect it and comply with regulations, whether you’re a small clinic or a sprawling hospital.

Contact Tausight today to learn more about situational ePHI awareness and how it can help you reduce ePHI risk, ensure continued cyber preparedness, and recover faster in the event of a breach.


David Ting

Founder and CTO, Tausight
