What Is PII and PHI?
Personally identifiable information (PII) is any data that could potentially identify a specific individual. This includes information like first and last names, addresses, Social Security numbers, driver’s license numbers, birthdates, telephone numbers, email addresses, bank account details, credit numbers and scores, and passport information.
PHI, or protected health information, is a subset of PII that specifically relates to an individual’s health history and/or status. This includes things like medical records and insurance claims.
Following is an examination of both PII and PHI and an overview of the data privacy laws and regulations that exist in the U.S. as well as other select countries.
Data Privacy Laws to Protect PII
There are numerous data privacy laws in place to protect an individual’s PII. Over 80 countries currently have some form of data privacy law in place related to PII and/or PHI. Types of PII include the following:
- Telephone number
- Date of birth
- Passport, driver’s license, or other government-issued ID numbers
- Social Security number or equivalent government identifier
- Fingerprints or other biometric data
- Credit or debit card number
PII Data Privacy Compliance Regulations in the U.S.
In the U.S., no single law or regulation governs PII. There is a patchwork of federal and state laws, sector-specific compliance regulations, and other laws and standards that regulate the collection, use, processing, and disclosure of PII.
The Gramm-Leach-Bliley Act and PII
The Gramm-Leach-Bliley Act (GLBA) is a federal law that regulates how PII can be collected, used, and shared. GLBA was enacted in response to the growing concern about the threat to consumer privacy posed by the increased use of electronic media and data.
GLBA consists of three sections: 1) the Financial Privacy Rule, which governs the collection and disclosure of financial information, 2) the Safeguards Rule, which mandates that financial institutions implement security protocols to protect collected information, and 3) the Pretexting Provisions, which cover attempts to access sensitive information under false pretenses.
GLBA requires financial institutions to give customers an annual notice of privacy policies. It also gives customers the right to opt out of having their PII shared with third parties.
California Consumer Privacy Act and PII
The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, and it provides consumers with new rights to know what personal information is being collected about them, the right to have that information deleted, and the right to refuse the sale of their personal information.
The CCPA also imposes new obligations on businesses subject to the law, including disclosing what categories of personal information they collect and providing a way for consumers to request the deletion of their data. The CCPA was enacted to address rising incidents of data breaches in the technology, media, entertainment, and telecommunications sectors.
The Fair Credit Reporting Act and PII
The Fair Credit Reporting Act (FCRA) helps to ensure credit reporting agencies use accurate and fair information when making decisions about someone’s creditworthiness. This is important because inaccurate information could lead to unfair denial of credit or other opportunities. It also outlines how this information is used, shared, and accessed to limit any unlawful practices.
Consumer Data Protection Act in Virginia and PII
On March 2, 2021, Virginia passed its equivalent of the CCPA in the form of the Consumer Data Protection Act (CDPA). It establishes a framework for controlling and processing PII in the Commonwealth and applies to all persons who conduct business in the Commonwealth and either 1) control or process PII of at least 100,000 consumers or 2) derive over 50% of gross revenue from the sale of personal data and control or process PII of at least 25,000 consumers.
The bill grants consumers rights to access, correct, delete, and obtain a copy of PII and to opt out of the processing of PII for the purposes of targeted advertising, sale of PII, or profiling of the consumer. CDPA will go into effect on January 1, 2023.
PII Data Privacy Compliance Regulations in EMEA, Canada, and APJ
The most well-known data privacy law on the books is the General Data Protection Regulation (GDPR) in the European Union. But other compliance regulations related to data privacy exist in other locations, such as Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and the UK’s Data Protection Act 2018 (DPA 2018).
GDPR and PII
The GDPR is a regulation of the European Union (EU) that came into effect on May 25, 2018. It strengthens EU data protection rules by giving individuals more control over their personal data, including the right to have their data erased and the right to object to its use. Under GDPR, organizations must take steps to protect user data from accidental or unauthorized access, destruction, alteration, or unauthorized use.
It sets strict rules about how personal data must be collected, used, and protected by organizations operating in the EU. The GDPR completely changed the way businesses must handle personal data.
This regulation applies to any company that processes or intends to process the data of individuals residing in the EU, regardless of whether that company is based inside or outside of Europe.
PIPEDA and PII
Since coming into effect in 2001, the Personal Information Protection and Electronic Documents Act (PIPEDA) regulates how organizations collect, use, and disclose the personal information of Canadians. PIPEDA applies to any organization that collects, uses, or discloses personal information in the course of commercial activities—meaning pretty much every business operating in Canada.
In 2018, PIPEDA was updated to better protect Canadians’ personal information.
Although PIPEDA applies to all organizations with a commercial presence in Canada, it does not apply to certain types of businesses, such as those regulated by provincial or territorial laws governing health information.
DPA 2018 and PII
The UK’s Data Protection Act 2018 (DPA 2018) establishes rules for how personal data must be collected, processed, and stored by organizations. The act applies to any organization that processes or intends to process the data of UK residents, regardless of whether the organization is based in the UK or not.
Assessing the Impact of PII Breaches
PII continues to be very attractive to threat actors because they can use it for identity theft and fraud. Hundreds of millions of people are impacted by PII breaches every year. Businesses that suffer an attack face loss of revenue, reputational damage, and regulatory penalties.
What Is PHI?
In order for health data to be considered protected health information (PHI) and to be regulated by the Health Insurance Portability and Accountability Act (HIPAA), it must be 1) personally identifiable to the patient and 2) used or disclosed to a covered entity during the course of care. As such, while PHI is similar to PII and a subset, it is not precisely the same.
HIPAA Standards for Protecting PHI
When it comes to PHI, HIPAA was passed and enacted in 1996 with the purpose of setting strict standards for how PHI must be protected. HIPAA compliance details 18 different information identifiers for PHI that can be used to identify, contact, or locate the person. They are:
- Address (anything smaller than a state)
- Dates (except years) related to individuals, such as birthdate, admission date, etc.
- Phone number
- Fax number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate or license number
- Vehicle identifiers, such as license plate numbers and serial numbers
- Device identifiers
- Web URL
- Internet Protocol (IP) addresses
- Biometric IDs such as fingerprints or voiceprints
- Full-face photographs and other photos of identifying characteristics
- Any other unique qualifying characteristic
The unauthorized release of PHI is a serious violation of HIPAA, which is why it’s important for covered entities (CEs) to take steps to secure sensitive patient data.
All businesses that deal with PHI must follow HIPAA. This includes keeping patient data confidential and ensuring that only authorized individuals can access it. Covered entities must have security measures in place to protect PHI. Covered entities include:
- Doctor’s offices, dental offices, clinics, psychologists
- Nursing homes, pharmacies, hospitals, or home health agencies
- Health plans, insurance companies, and health maintenance organizations (HMOs)
- Government programs that pay for healthcare
- Healthcare clearinghouses
Security measures these organizations must have in place to protect patient information include encryption, physical security, and access control systems.
HITECH for Protecting PHI
In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted as part of the American Recovery and Reinvestment Act. The main goal of HITECH was to stimulate the adoption of health information technology (health IT) and exchange in order to improve healthcare quality and efficiency.
One way that it does so is by establishing requirements for the privacy and security of electronic health information. These requirements are designed to protect patients’ PHI from unauthorized access, use, or disclosure.
Relationship Between HIPAA and HITECH
Although the HIPAA Privacy Rule applies only to “Covered Entities” (health plans, healthcare clearinghouses, and healthcare providers who transmit any health information in electronic form) and their Business Associates, the HITECH Act requires the Department of Health and Human Services to adopt new sets of regulations.
One outcome is the Breach Notification Rule, which requires covered entities and their business associates to notify affected individuals and the Secretary of HHS in the event of a breach involving electronic protected health information (ePHI). The notification is to be issued without delay and no later than 60 days after the discovery of the breach. Both HITECH and HIPAA also require that protected health information (PHI) be encrypted in transit as well as when stored on devices and other media.
Assessing the Impact of Breached PHI and PII
The healthcare industry remains the most breached industry for 12 years running. The financial, reputational, and regulatory impact of a data breach runs into the millions of dollars and can have longstanding effects on the organization that was breached—not to mention the individuals whose PHI was breached.
Breaches of PII and PHI are a major concern for organizations. The impact of just one breach can tally into millions of dollars. For 2022, IBM and the Ponemon Institute, in their latest “Cost of a Data Breach Report,” found that the average cost of a data breach is $4.35 million. This doesn’t include the negative impact on a brand when the data breach is disclosed to the public.
The threat cybercriminals and rogue nation-states pose to healthcare and other institutions is significant, and policymakers and the healthcare industry continue to evolve regulatory compliance standards in an effort to bolster security protocols and capabilities to protect them from malicious attacks. And when it comes to PHI, this is certainly true. PHI records often garner the highest price on the dark web.
Organizations seeking to manage their cyber risk as it relates to PII and PHI can implement various cybersecurity principles to help mitigate risk. These need to be included as part of an organization’s cyber risk management strategy.
Assess what PII and PHI your business collects and stores
If you own or operate a business, it’s important to understand what PII and PHI are and how to protect them. This requires a comprehensive data classification approach. If your business collects and stores PII and PHI, the risk of a data breach is immense if you don’t have the right security and governance controls and tracking in place.
To assess what PII and PHI your business collects and stores, take a look at the type of information you collect from customers, partners, employees, and other individuals. See above for a list of PII and PHI.
Have strong security measures in place to protect PII and PHI
Here are some practical steps you can take to protect PII and PHI and reduce the chances of a breach occurring:
- Employ a defense-in-depth approach
- Use encryption for all data in motion and at rest
- Secure PII and PHI without getting in the way of users
- Define role-based permissions for internal and external (third-party) users
- Apply granular policy controls to protect data privacy
- Apply content risk policies consistently across all communication channels
Unify sensitive content communications onto one platform
The recommended security approach to protect PII and PHI is a platform that unifies and centralizes governance and protection of all data in motion and at rest. With most companies working with multiple third parties, a single platform ensures consistent policies and controls in every transaction and across siloed communication channels such as email, file sharing, managed file transfer, web forms, and application programming interfaces (APIs).
Train employees on best practices for handling PII and PHI
All businesses have PII that needs to be protected, and most have some PHI. Employee training is the key to keeping this information safe and ensuring compliance. Some recommended practices include:
- Only collect the minimum amount of PII and PHI necessary for business purposes.
- Keep PII and PHI secure by storing them in a password-protected and encrypted database.
- Use multi-factor authentication (MFA) to access PII and PHI, including for the systems used to send, share, receive, and store them.
- Never share PII or PHI without explicit consent from the individual involved.
- Make sure employees know how to spot phishing attempts and other cybersecurity threats through rigorous and ongoing security awareness training.
Limit the amount of PII collected to only what is necessary
While it is essential for businesses to collect some PII in order to provide services or goods, it is important to limit the amount of PII collected to only what is absolutely necessary.
Assess why your business needs certain types of PII and if there are any alternatives that would allow you to accomplish your goals without collecting sensitive information.
Protect stored PII with physical, technological, and organizational security measures
When it comes to protecting stored PII, organizations need to take a multilayered approach. This means physical, technological, and organizational security measures must all be in place in order to create a robust defense against data breaches.
PII must be encrypted in motion and at rest. Encryption should extend from the digital exchange of PII internally and externally to when it is stored on the recipient’s end system (e.g., email, file system, etc.).
Destroy or de-identify PII when it is no longer needed
One way to reduce PII cyber risk is to destroy or de-identify it once the PII is no longer needed. This ensures that the PII cannot be used for identity theft, fraud, or ransom. Additionally, businesses should have a data retention policy that outlines how long PII should be kept on file. By taking these precautions, businesses can help ensure PII is safe and secure.
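As an added illustration (not Kiteworks code or any product feature) of two of the steps above, assessing which identifiers a record holds and de-identifying it under a retention policy, the following Python applies the HIPAA identifier categories listed earlier (name, address smaller than a state, dates except years, phone, email, SSN, medical record number) to a constructed record; the field names, sample values and the 365-day retention window are assumptions.

```python
import re
from datetime import date

# Constructed sample record with made-up values; field names are assumptions.
RECORD = {
    "patient_name": "Jane Example",
    "address": "12 Elm St, Springfield, VA 22150",
    "state": "VA",
    "birth_date": "1961-04-09",
    "admission_date": "2022-03-15",
    "phone": "555-0100",
    "email": "jane@example.com",
    "ssn": "123-45-6789",
    "medical_record_number": "MRN-0042",
    "diagnosis": "hypertension",
    "last_used": "2019-06-01",   # system metadata consulted by the retention policy
}

# Fields matching the HIPAA identifier categories listed earlier (name, address
# smaller than a state, phone, email, SSN, medical record number): dropped outright.
DIRECT_IDENTIFIERS = {"patient_name", "address", "phone", "email", "ssn",
                      "medical_record_number"}
# Dates related to the individual are reduced to the year ("dates except years").
DATE_FIELDS = {"birth_date", "admission_date"}

# Value shapes used to assess what a record holds: SSN, email address, phone number.
IDENTIFIER_PATTERNS = [r"\b\d{3}-\d{2}-\d{4}\b", r"[^@\s]+@[^@\s]+\.\w+",
                       r"\b\d{3}-\d{4}\b"]

def find_identifiers(record):
    """Return the field names whose values look like SSNs, emails or phone numbers."""
    return sorted(k for k, v in record.items()
                  if any(re.search(p, str(v)) for p in IDENTIFIER_PATTERNS))

def deidentify(record):
    """Copy the record, dropping direct identifiers and keeping only the year of dates."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        out[key] = value[:4] if key in DATE_FIELDS else value
    return out

def apply_retention(record, today, retention_days):
    """Retention policy (assumed): past the window the record is de-identified."""
    last_used = date.fromisoformat(record["last_used"])
    if (today - last_used).days > retention_days:
        return deidentify(record)
    return record

if __name__ == "__main__":
    print(find_identifiers(RECORD))
    print(apply_retention(RECORD, date(2023, 1, 1), 365))
```

Records past the window are de-identified rather than deleted here so that non-identifying fields such as the diagnosis remain usable; deletion would be the alternative the text mentions.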
Using a Private Content Network to Protect PII and PHI
The Kiteworks Private Content Network unifies sensitive content communications, which include PII and PHI, onto one platform. Centralized governance and security enables you to establish content risk policies that track and control who can access PII and PHI, who can modify the content, and to whom it can be sent. End-to-end encryption, automated controls, and a defense-in-depth security approach streamline the digital exchange of private information, including PII and PHI.
Schedule a custom-tailored demo of the Kiteworks Private Content Network to see how it keeps PII and PHI private and your organization compliant with data privacy regulations.