Key Points:

• PII (Personally Identifiable Information) includes data that can identify individuals. PHI (Protected Health Information) comprises healthcare-related data and falls under regulatory protection. PCI (Payment Card Industry) standards are a set of security requirements designed to safeguard the handling, processing, and storage of credit card information.
• Businesses have a duty to protect PII, PHI and PCI data, both ethically and legally. HIPAA regulations in the US protect healthcare data.
• Protect and secure PII, PHI , and PCI data, and reduce data retention by using robust data security tools like Metomic, that anonymise or encrypt data to prevent tracing it back to individuals.

Protecting customer data is no easy task, particularly in finance and healthcare organisations. 

With the frightening news that a third of hospitals have been hit by ransomware, lost money through phishing, and/or experienced theft of Protected Health Information (PHI), it’s clear to see that even the most established businesses can fall victim to cyberattacks.

Meanwhile, financial organisations handling credit card details must have safeguards in place for sensitive customer data, in line with Payment Card Industry (PCI) compliance requirements, to ensure it can't be accessed by unauthorised users. 

And both types of companies will also most likely be handling Personally Identifiable Information (PII), making it confusing for businesses to understand how each data type should be handled, and what the difference is between each one. 

In this article, we’ll be exploring PII, PHI, and PCI, and considering the differences and overlaps between them. 

What is PII? 

PII stands for Personally Identifiable Information and covers any form of data that you could identify someone by. It’s classed as sensitive data due to the fact that unauthorised users accessing this information could use it to the detriment of the identified individual. 

Protecting PII is imperative for organisations handling such data, as losing this information could lead to financial losses and reputational damage to the company. 

What are some examples of PII? 

PII could be a: 

- home address

- date of birth

- passport number.

You might assume that all data would be classed as PII but sometimes, information is far too vague. A zip code (or post code), for example, covers a wide area so it would be difficult to identify someone purely based on that. However, coupled with more data like somebody’s name, it would be easy to know who they are. Context is everything when it comes to PII.

PII Compliance 

If you are handling PII, there is a high likelihood that you’ll need to adhere to industry regulations such as GDPR or CPRA - both of which come with requirements to put security measures in place to protect PII. Without this protection in place, you may face business disruption, financial losses, as well as losing a competitive advantage over others in your field.

What is PHI? 

Protected Health Information, or PHI, is health information that can be traced back to an individual. PHI refers to any physical or mental conditions an individual may have (past, present, or future) as well as their medical history, and insurance details. 

PHI is technically a subset of PII. It becomes PHI when it includes details that are specific to someone’s health. 

Examples of PHI

PHI could include information on:

- medication

- medical history

- medical bills

Healthcare organisations in particular will be handling plenty of PHI on a daily basis, and will be governed by HIPAA regulations in the US.

PHI Compliance 

If you’re based in the US, and you process PHI, you will need to comply with HIPAA. It requires organisations to ensure that patient data and personal information such as names, phone numbers, email addresses, and social security numbers are protected. 

Non-compliance can lead to sanctions from professional boards, as well as fines of thousands of pounds, and even imprisonment. 

What does HIPAA class as PHI?

HIPAA covers the following 18 identifiers:

1. Names

2. Geographic subdivisions smaller than a state such as street address

3. Dates relating to an individual such as birth, death, admission date etc

4. Phone numbers

5. Fax numbers

6. Email addresses

7. Social security numbers

8. Medical record numbers

9. Health plan beneficiary numbers

10. Account numbers

11. Certificate or license numbers

12. Vehicle identifiers such as license plates

13. Device identifiers and serial numbers

14. Web URLs

15. IP addresses

16. Biometric identifiers such as fingerprints and voice prints

17. Full face photos

18. Any other identifying number, characteristic or code

What is PCI?

A little different to PII and PHI, PCI stands for Payment Card Information. It includes information related to credit and debit cards, as well as the names and addresses of cardholders. Financial organisations and anyone handling credit card information will need to comply with the Payment Card Industry Data Security Standard (PCI DSS) to ensure sensitive financial data is protected from unauthorised access. 

Read our guide to understand PCI DSS Compliance in more detail.

What are the key differences between PII vs PHI?  

PII can refer to any form of data whereas PHI will always be healthcare-related.

There may be a bit of crossover between the two because healthcare data can become PII when people are able to be identified by it.

Alternatively, data can move from PII to PHI. A patient’s address on its own would be PII but when it’s presented with information about their recent hospital admission, it would move into the category of PHI.

What are the key differences between PII vs PCI? 

The key differences between PII and PCI lie primarily with the nature of the information. While PII refers to data that can be used to identify an individual such as names, addresses, and email addresses, PCI refers to data related to payment cards like card numbers, and security codes. 

PII and PCI are treated differently when it comes to industry regulations too; PII is protected under laws like GDPR and CCPA, while organisations handling PCI must comply with PCI DSS in order to prevent unauthorised access or fraud. Whereas PII data breaches can lead to identity theft, PCI data breaches can lead to financial losses specifically as well as fraudulent transactions. 

While both require protection, they will need to be treated differently to ensure that you are complying with the relevant regulations. 

Why is it important to protect PII, PHI & PCI, and keep them secure?

As a business, you have a duty to protect your customers’ PII, PHI & PCI. But you also have a legal responsibility under regulations that protect the data of individuals.

Under the Health Insurance Portability and Accountability Act (HIPAA), individuals in the US are protected when it comes to their healthcare data (PHI).

According to the Department of Health & Human Services:

'a major goal of the Privacy Rule [within HIPAA] is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well being.’

HIPAA applies to health plans, healthcare clearinghouses and any health care provider ‘who transmits health information in electronic form.’

Under GDPR and CCPA, you will need to protect PII in order to avoid hefty penalties, and ensure you’re being ethical towards your customers, giving them the protection they expect of an organisation. 

If you’re handling payment card information and aren’t complying with PCI DSS, you will not only face the financial and reputational ramifications of this, you may also lose your ability to do business since the major card providers who oversee PCI DSS can suspend your use of them. 

Protecting PCI data

Securing PCI data is also crucial for preventing fraud, maintaining customer trust, and complying with industry regulations. With any type of data breach or leak, there is the risk that you may incur financial losses or face legal action. Your reputation may also take a hit if customers don't think they can trust you.

It's vital that you have the right processes in place to secure data and ensure your organisation is prepared if an unfortunate incident were to occur.

What are the risks of not keeping PHI, PII & PCI secure?  could we offer more detailed information or examples about fines, etc. 

Being careless with sensitive information like PHI & PII can be bad for your customers and your business.

It not only violates your patients’ or customers' privacy and trust but it can lead to significant legal and financial consequences. PHI breaches, in particular, can result in hefty fines, damage to reputation, and even litigation, due to the sensitive nature of the information, which is protected in the US by HIPAA.

What can you do to keep PII, PHI & PCI protected?

There are a few ways you can secure sensitive data to reduce the risk to your patient confidentiality:

1. Reduce the amount of data you retain on your customers or patients by using a data security software like Metomic. You’ll be able to see where your data is stored and who has access to it, as well as being able to set automation rules to redact information immediately or after a set amount of time.

2. Make sure the data is unable to be traced back to one individual by anonymising or encrypting it.

3. Take a look at your access controls - what are you doing to restrict access to sensitive data?

4. Educate your team on the dangers of sharing sensitive data freely across SaaS apps by using employee notifications or regular training sessions to increase awareness.

What do you need to do if data is breached?

Firstly, you should take steps to contain the breach as much as possible, disconnecting the affected system as soon as you can. You’ll need to notify individuals who may have been impacted and also place a banner on your homepage for at least 90 days to make people aware of the breach. A breach impacting more than 500 people will also require you to notify major media outlets in the area.

If you’re in the US, you need to notify the Department of Health & Human services and any other regulatory agencies within 60 days of the breach taking place.

After the incident, you should take steps to review why it happened, and what your data security posture will be going forward to ensure it doesn’t happen again.

What’s the best way of keeping PHI, PII & PCI protected? 

Implementing a data security tool like Metomic is one of the best ways to protect PHI, PII, and PCI. 

With industry-leading accuracy, Metomic detects sensitive data and helps security teams put measures in place to redact or remediate any violations against your data security policy. This visibility over where sensitive data is stored, and the ability to reduce your attack surface with automated redaction and remediation enables teams to have more control over their SaaS, cloud and GenAI ecosystem. 

Take a virtual tour of our platform to learn how it all works. 

‍