Updated: March 2026
For organisations operating at the intersection of data privacy and healthcare, the distinction between Personally Identifiable Information (PII) and Protected Health Information (PHI) is among the most consequential for compliance.
Misclassifying data leads to the wrong regulatory standard being applied, leaving organisations exposed to enforcement under frameworks they did not realise applied to them.
In recent years, HIPAA enforcement actions have resulted in settlements and large penalties, while GDPR enforcement continues to expand in scope and severity across jurisdictions. Understanding which framework applies, and how, is foundational.
PII is any information that can be used to directly or indirectly identify a specific living individual. It includes obvious identifiers like names and Social Security numbers, but also combinations of data points that together make a person identifiable, such as employer, location, date of birth, and physical description. There is no single universal definition of PII: different regulatory frameworks define it in slightly different ways.
The GDPR uses the term “personal data” rather than PII, but the concept is substantially the same: any information relating to an identified or identifiable natural person. GDPR Article 4(1) defines an identifiable person as one who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, or online identifier.
Under the California Consumer Privacy Act (CCPA), “personal information” includes any information that identifies, relates to, or could reasonably be linked with a particular consumer or household.
The National Institute of Standards and Technology (NIST) defines PII in the US federal context as information that can be used to distinguish or trace an individual’s identity, either alone or in combination with other information.
Common examples of PII:
• Full name
• Email address
• Home or work address
• Phone number
• National Insurance number (UK), Social Security number (US)
• IP address
• Date of birth
• Biometric identifiers (fingerprints, facial recognition data)
• Device identifiers and cookies
• Location data
The key principle across all frameworks: Data that, on its own, does not identify someone may still constitute PII or personal data when combined with other available information. This is the “jigsaw effect” recognised by regulators globally: combining postcode, date of birth, and gender can identify a specific individual even without their name.
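The jigsaw effect can be measured rather than argued about. The following script is an added example, not code from the article or from any regulator: it computes the k-anonymity of a small constructed dataset over the three quasi-identifiers named above (postcode, date of birth, gender). A record whose quasi-identifier combination is shared by only one row (k = 1) is uniquely identifiable even though no name is stored. The same columns are then generalised (outward postcode, birth year) to show the smallest class growing. The records, field names and the generalisation rules are assumptions made for the demonstration.

```python
"""k-anonymity check over quasi-identifiers (the "jigsaw effect").

Added example; the dataset is constructed and contains no real people.
"""
from collections import Counter

# Constructed sample records; names are deliberately absent.
RECORDS = [
    {"postcode": "SW1A 1AA", "dob": "1984-03-12", "gender": "F", "diagnosis": "asthma"},
    {"postcode": "SW1A 1AA", "dob": "1984-03-12", "gender": "F", "diagnosis": "migraine"},
    {"postcode": "SW1A 2BB", "dob": "1990-07-01", "gender": "M", "diagnosis": "diabetes"},
    {"postcode": "SW1A 2CC", "dob": "1990-11-23", "gender": "M", "diagnosis": "hypertension"},
    {"postcode": "SW1A 2DD", "dob": "1990-01-05", "gender": "M", "diagnosis": "asthma"},
    {"postcode": "EC2A 4EE", "dob": "1975-05-19", "gender": "F", "diagnosis": "eczema"},
    {"postcode": "EC2A 4FF", "dob": "1975-09-02", "gender": "F", "diagnosis": "anaemia"},
]

# The columns the text names as jointly identifying (assumed field names).
QUASI_IDENTIFIERS = ["postcode", "dob", "gender"]


def _key(record, quasi_identifiers):
    """The quasi-identifier tuple that an outside party could match against."""
    return tuple(record[q] for q in quasi_identifiers)


def equivalence_classes(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Count how many records share each quasi-identifier combination."""
    return Counter(_key(r, quasi_identifiers) for r in records)


def k_anonymity(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Smallest class size in the dataset; k = 1 means at least one row is unique."""
    classes = equivalence_classes(records, quasi_identifiers)
    return min(classes.values()) if classes else 0


def unique_records(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Records that are singled out by their quasi-identifiers alone."""
    classes = equivalence_classes(records, quasi_identifiers)
    return [r for r in records if classes[_key(r, quasi_identifiers)] == 1]


def generalise(record):
    """Coarsen the quasi-identifiers: outward postcode only, birth year only."""
    out = dict(record)
    out["postcode"] = record["postcode"].split()[0]  # "SW1A 1AA" -> "SW1A"
    out["dob"] = record["dob"][:4]                    # "1984-03-12" -> "1984"
    return out


if __name__ == "__main__":
    print("raw k =", k_anonymity(RECORDS))
    for r in unique_records(RECORDS):
        print("uniquely identifiable without a name:", r)
    coarse = [generalise(r) for r in RECORDS]
    print("generalised k =", k_anonymity(coarse))
```

Five of the seven raw rows are unique on postcode, date of birth and gender, so each of their diagnoses is attributable to one person by anyone holding a matching electoral roll or marketing list. After generalisation the smallest class has two members; a real release would also set a minimum k and suppress any class that falls below it.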
PHI is a specific subset of PII defined by the US Health Insurance Portability and Accountability Act (HIPAA). It covers individually identifiable health information created, received, maintained, or transmitted by a HIPAA-covered entity or its business associate. PHI includes any health-related data linked to one of 18 specific identifiers established by HIPAA’s Privacy Rule.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) defines PHI in its Privacy Rule as any information, including demographic information, that relates to:
• An individual’s past, present, or future physical or mental health condition
• The provision of healthcare to the individual
• The past, present, or future payment for the provision of healthcare
PHI must be linked to at least one of HIPAA’s 18 specific identifiers to be protected under the Privacy Rule. These identifiers include:
1. Names
2. Geographic data (smaller than state level, including street address, city, ZIP code)
3. Dates (other than year) related to the individual, including birth date, admission date, discharge date
4. Phone numbers
5. Fax numbers
6. Email addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate and license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web URLs
15. IP addresses
16. Biometric identifiers (fingerprints, voiceprints)
17. Full-face photographs and comparable images
18. Any other unique identifying number, characteristic, or code
Electronic PHI (ePHI) is PHI that is created, stored, transmitted, or received electronically. The HIPAA Security Rule applies specifically to ePHI and mandates administrative, physical, and technical safeguards to protect it.

The central difference is scope and context. PII is a broad category that encompasses any information that can identify an individual in any context. PHI is a narrower, US-specific category covering only health-related information held by covered entities (healthcare providers, health plans, and healthcare clearinghouses) or their business associates under HIPAA. All PHI is PII. Not all PII is PHI.
A person’s name and address are PII in any context. That same name and address, when linked to a medical record number or a diagnosis in a hospital’s database, becomes PHI subject to HIPAA’s stricter requirements.
The same information can be both PII under the GDPR and the CCPA and PHI under HIPAA when held by a covered healthcare entity.
Sensitivity levels differ accordingly. The GDPR treats health data as “special category data” under Article 9, requiring additional legal conditions beyond a standard lawful basis. HIPAA imposes its own separate regime of minimum necessary standards, notice of privacy practices, and individual rights.
Regulatory jurisdiction is the practical dividing line:
• PHI is governed by HIPAA in the United States, enforced by the US Department of Health and Human Services (HHS) Office for Civil Rights
• PII (personal data) is governed by the GDPR/UK GDPR in Europe and the UK, CCPA/CPRA in California, and various national equivalents worldwide
• An organisation can be subject to both simultaneously (for example, a UK-based health technology company serving US healthcare clients)
PHI in the US is governed by HIPAA and its implementing rules (the Privacy Rule, the Security Rule, the Breach Notification Rule, and the Enforcement Rule). PII is governed by a range of frameworks depending on the jurisdiction, including the GDPR and UK GDPR in Europe, the CCPA and CPRA in California, PIPEDA in Canada, and others. Multinational organisations must identify and comply with all applicable frameworks simultaneously.
The HIPAA Privacy Rule establishes national standards for protecting PHI held by covered entities. It limits uses and disclosures of PHI, requires covered entities to provide individuals with notice of their privacy practices, and gives individuals rights over their health information.
The HIPAA Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI.
The HIPAA Breach Notification Rule requires covered entities to notify affected individuals, HHS, and (where more than 500 residents are affected) prominent media outlets following the discovery of a breach of unsecured PHI. Notification must occur within 60 days of discovering the breach.
Under GDPR Article 9, health data is a special category of personal data that requires additional legal justification for processing. Organisations cannot rely solely on a standard Article 6 lawful basis: they must also satisfy one of the conditions in Article 9(2), such as explicit consent, employment obligations, or vital interests.
GDPR fines for violations involving special category health data can reach €20 million or 4% of annual global turnover under Article 83(5), whichever is higher. Under UK GDPR, the equivalent maximum is £17.5 million or 4% of global turnover.
The California Consumer Privacy Act and its successor, the California Privacy Rights Act (effective January 2023), give California consumers rights over their personal information, including health-related data. CCPA penalties reach $7,500 per intentional violation. The California Privacy Protection Agency (CPPA) has significant enforcement authority under CPRA.
The foundational best practices for protecting PII and PHI overlap substantially: understand what data you hold and where it is, apply the principle of minimum necessary access, encrypt data at rest and in transit, implement strong access controls, train staff regularly, maintain documented incident response plans, and conduct regular risk assessments. For PHI specifically, HIPAA’s Technical Safeguards under the Security Rule prescribe additional controls.
Before you can protect PII and PHI effectively, you must know where it is. Maintain a data inventory that maps each data type to its location, classification (general PII, special category, PHI), applicable regulation, retention period, and responsible business unit.
For PHI under HIPAA, the concept of “minimum necessary” applies to all uses and disclosures: covered entities must make reasonable efforts to limit access to PHI to the minimum necessary to accomplish the intended purpose.
HIPAA’s Technical Safeguards require covered entities to implement mechanisms for encrypting and decrypting ePHI. Encryption is a HIPAA “addressable” implementation specification: organisations must implement it unless they can document why it is not reasonable or appropriate and implement an equivalent alternative. In practice, encryption is the standard.
Under GDPR Article 32, encryption is listed as an example of an appropriate technical measure to ensure a level of security appropriate to the risk. For special-category data, including health data, the ICO strongly recommends encryption as a baseline control.
Role-based access control (RBAC) ensures that individuals can access only the PII or PHI required for their specific function. Both HIPAA and GDPR require organisations to implement procedures for granting access to ePHI and personal data, respectively.
Under HIPAA’s Security Rule, covered entities must implement “unique user identification” to track user activity in systems containing ePHI. Under GDPR, audit logs demonstrating who accessed personal data and when are a key element of accountability documentation.
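The three controls just described (minimum necessary access, role-based access control, and per-user audit logging) fit together in a few lines of code. The following is an added example, not code from the article or from any HIPAA guidance: each role is given the set of record fields its function needs, a request returns only those fields, and every access is recorded against the caller's unique user id. The roles, field names and the patient record are constructed for the demonstration.

```python
"""Minimum-necessary field access with a per-user audit trail.

Added example; roles, fields and the record are constructed, not from any
real system or regulation.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed patient record; no real person.
RECORD = {
    "mrn": "00123456",
    "name": "Jane Example",
    "dob": "1984-03-12",
    "diagnosis": "asthma",
    "insurance_id": "HP-99887766",
    "balance_due": "120.00",
}

# Constructed role policy: each role sees only what its function requires.
ROLE_FIELDS = {
    "clinician": {"mrn", "name", "dob", "diagnosis"},
    "billing": {"mrn", "name", "insurance_id", "balance_due"},
    "scheduler": {"mrn", "name"},
}


@dataclass(frozen=True)
class AuditEntry:
    """One access event, keyed by the unique user id HIPAA requires."""
    user_id: str
    role: str
    record_id: str
    granted: tuple
    denied: tuple
    at: str


AUDIT_LOG = []


class AccessDenied(Exception):
    pass


def access_record(user_id, role, record, requested=None):
    """Return only the fields the role may see; log who saw what, and when.

    If `requested` is given, fields outside the role's set are withheld and
    recorded as denied rather than silently ignored.
    """
    if role not in ROLE_FIELDS:
        raise AccessDenied(f"unknown role {role!r}")
    allowed = ROLE_FIELDS[role]
    wanted = set(requested) if requested else set(allowed)
    granted = tuple(sorted(wanted & allowed & set(record)))
    denied = tuple(sorted(wanted - allowed))
    AUDIT_LOG.append(AuditEntry(
        user_id, role, record["mrn"], granted, denied,
        datetime.now(timezone.utc).isoformat(),
    ))
    return {f: record[f] for f in granted}


def accesses_by_user(user_id):
    """Audit entries for one user: the evidence an investigator or DPO needs."""
    return [e for e in AUDIT_LOG if e.user_id == user_id]


if __name__ == "__main__":
    print(access_record("u-1001", "billing", RECORD))
    print(access_record("u-1002", "scheduler", RECORD, requested=["diagnosis", "mrn"]))
    for entry in AUDIT_LOG:
        print(entry)
```

The billing user never sees a diagnosis and the scheduler's attempt to read one is logged as denied, which is the kind of record that lets a covered entity answer "who accessed this patient's data and why" during an investigation. In a real deployment the log would be append-only and stored outside the application's own write path.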
Both HIPAA and GDPR explicitly require training of staff who handle protected data. HIPAA requires covered entities to train all workforce members on policies and procedures as necessary and appropriate for them to carry out their functions. GDPR requires appropriate organisational measures, of which training is a central component.
HIPAA requires notification to affected individuals and HHS within 60 days of discovering a breach of unsecured PHI. GDPR and UK GDPR require notification to the supervisory authority within 72 hours of becoming aware of a breach (where the breach is notifiable). Both frameworks require documentation of all breaches, whether or not they meet the notification threshold.
Is a patient’s name alone considered PHI? It depends on context. A name alone is not PHI unless it is combined with health information or one of the other 17 HIPAA identifiers. However, within a healthcare provider’s records system, a patient’s name inherently relates to their status as a patient receiving care, which makes it PHI in that context.
Does GDPR apply to US healthcare organisations? GDPR applies to any organisation that processes the personal data of individuals located in the EU, regardless of where the organisation is based. A US healthcare provider that offers services to EU residents or monitors their behaviour must comply with GDPR for that data. UK GDPR applies equally to UK residents.
What is a HIPAA business associate, and do they need to comply with HIPAA? A business associate is any individual or organisation that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Business associates must enter into a Business Associate Agreement (BAA) with the covered entity and are directly subject to HIPAA’s Security Rule, Breach Notification Rule, and certain Privacy Rule provisions.
Can PII be de-identified to remove HIPAA obligations? Yes. HIPAA allows covered entities to de-identify PHI either by removing all 18 identifiers and having no actual knowledge that the remaining information could identify an individual (the Safe Harbor method), or by having a qualified statistician certify that the risk of re-identification is very small. Properly de-identified data is no longer PHI and is not subject to HIPAA. However, the de-identification must be rigorous. Research has consistently shown that “de-identified” datasets can often be re-identified with access to additional data sources.
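A first pass at the Safe Harbor method can be automated: scan a record for the identifier categories listed earlier on this page and strip or reduce them. The following is an added example, not code from the article or from HHS, and it deliberately covers only a subset of the 18 categories: names, medical record, beneficiary, account, licence, vehicle and device numbers are recognised by field name, while full dates, ZIP codes, phone or fax numbers, email addresses, Social Security numbers, IP addresses and URLs are recognised by value pattern. Free text, geographic data other than ZIP codes, biometrics and photographs are not inspected, and the "no actual knowledge" condition is a human judgement this code cannot make. The field names, regular expressions and sample record are assumptions made for the demonstration.

```python
"""Regex-based Safe Harbor identifier scan and scrub for a flat record.

Added example; patterns are illustrative, not a complete implementation
of the HIPAA Safe Harbor method. The sample record is constructed.
"""
import re

# Categories matched by field name (case-insensitive substring; order matters
# so that "license_plate" is reported as a vehicle identifier, not a licence).
FIELD_NAME_HINTS = [
    ("plate", "12 vehicle identifiers"),
    ("license", "11 certificate/license numbers"),
    ("name", "1 names"),
    ("mrn", "8 medical record numbers"),
    ("beneficiary", "9 health plan beneficiary numbers"),
    ("account", "10 account numbers"),
    ("serial", "13 device identifiers"),
]

# Categories matched by value pattern; checked in this order, first hit wins.
VALUE_PATTERNS = [
    ("3 dates (other than year)", re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{4}\b")),
    ("2 geographic (ZIP code)", re.compile(r"^\d{5}(-\d{4})?$")),
    ("4/5 phone or fax numbers", re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")),
    ("6 email addresses", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
    ("7 social security numbers", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("15 IP addresses", re.compile(r"^(\d{1,3}\.){3}\d{1,3}$")),
    ("14 web URLs", re.compile(r"https?://", re.IGNORECASE)),
]

ISO_DATE = re.compile(r"\b(\d{4})-\d{2}-\d{2}\b")

# Constructed record; every value is fictitious.
SAMPLE = {
    "patient_name": "Jane Example",
    "mrn": "00123456",
    "dob": "1984-03-12",
    "admission_date": "2025-02-03",
    "zip": "02139",
    "phone": "617-555-0100",
    "email": "jane.example@example.org",
    "ssn": "123-45-6789",
    "client_ip": "203.0.113.7",
    "portal": "https://portal.example.org/jane",
    "diagnosis": "asthma",
    "state": "MA",
    "visit_year": "2025",
}


def scan_record(record):
    """Map each flagged field to the Safe Harbor category that triggered it."""
    findings = {}
    for field, value in record.items():
        lowered = field.lower()
        hint = next((cat for key, cat in FIELD_NAME_HINTS if key in lowered), None)
        if hint:
            findings[field] = hint
            continue
        text = str(value)
        for category, pattern in VALUE_PATTERNS:
            if pattern.search(text):
                findings[field] = category
                break
    return findings


def safe_harbor_deidentify(record):
    """Drop flagged fields; ISO dates are reduced to the year, which Safe Harbor permits."""
    findings = scan_record(record)
    out = {}
    for field, value in record.items():
        category = findings.get(field)
        if category is None:
            out[field] = value
        elif category.startswith("3 dates") and ISO_DATE.search(str(value)):
            out[field] = ISO_DATE.sub(r"\1", str(value))
        # any other flagged field (or a non-ISO date) is removed entirely
    return out


def is_safe_harbor_clean(record):
    """True when the scan finds none of the covered identifier categories."""
    return not scan_record(record)


if __name__ == "__main__":
    for field, category in scan_record(SAMPLE).items():
        print(f"{field:15} -> {category}")
    print(safe_harbor_deidentify(SAMPLE))
```

Ten of the thirteen fields are flagged; the scrubbed record keeps only the diagnosis, the state, the visit year and the two dates reduced to years. Even a clean result from this scan is not a guarantee: the "Expert Determination" route exists precisely because the remaining fields (year of birth, state, diagnosis) can still single out individuals in a small population, which is the re-identification risk the answer above warns about.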
What is the difference between HIPAA Privacy Rule and Security Rule violations? Privacy Rule violations relate to improper use or disclosure of PHI, failure to provide patients with their rights, or failure to maintain required policies and notices. Security Rule violations involve failures in administrative, physical, or technical safeguards protecting ePHI, including inadequate access controls, missing risk assessments, or insufficient encryption.
Are mobile health (mHealth) apps subject to HIPAA? HIPAA applies to covered entities and their business associates. A mobile health app developed by, or integrated with, a covered entity (such as a hospital or health insurer) is likely subject to HIPAA. Apps sold directly to consumers who are not contracted with covered entities are generally not HIPAA-covered, though they may be subject to FTC regulations and, depending on jurisdiction, the GDPR or the CCPA.
What breach notification obligations apply under both HIPAA and GDPR if a breach affects both US and EU individuals? Organisations must comply with both notification regimes simultaneously. Under GDPR, the supervisory authority must be notified within 72 hours. Under HIPAA, affected individuals and HHS must be notified within 60 days. The GDPR also requires notification to affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms. The two frameworks have different timelines and different notification requirements: organisations must track and fulfil both.
For advice on cross-jurisdictional compliance, contact our GDPRLocal team.
About the Author
Ana Mishova
Sales and Business Development Consultant — GDPRLocal
Ana focuses on helping organisations understand their compliance obligations and find the right data protection solutions. At GDPRLocal she works closely with businesses of all sizes, making GDPR and privacy compliance clear, practical, and accessible.