PHI vs PII: Key differences in data privacy and compliance

Last Update Date: January 28, 2026

Summarize with:

The past few years have seen a surge in new data protection laws, and the data classifications of PHI vs PII are critical compliance components for healthcare and other industries.

The distinction between protected health information (PHI) and personally identifiable information (PII) is important for understanding how to handle data legally and ethically under relevant regulations — like the Health Insurance Portability and Accountability Act (HIPAA) for PHI in the U.S. and the General Data Protection Regulation (GDPR) in the E.U.

Keep reading to learn more about the differences between PHI and PII, how they affect data handling and compliance needs, and some everyday examples.

What is PII?

PII, or personally identifiable information, is any information that can be used to identify an individual, whether it’s data on its own or combined with other information to pinpoint a particular person.

Common PII examples

The scope of PII is broad and includes

Direct identifiers, such as passports, Social Security numbers, and driver’s licenses
Indirect identifiers, such as birth date and place of birth
Linked information that can be used to identify someone when combined with other information (e.g., combining someone’s IP address with a direct identifier)
Sensitive PII, which includes PHI, financial information, religious affiliation, and more

Most businesses and organizations collect PII, so any entity collecting data from users, patients, or clients must understand its responsibilities. Typical collection points include websites, apps, HR systems, and intake forms.

Regulatory frameworks that protect PII

While the HIPAA specifically targets health data, a wider array of global regulatory frameworks protects general PII across all sectors. The GDPR in the European Union is considered the global gold standard, giving people significant control over their personal data and setting strict requirements for data processors worldwide.

In the United States, state-specific laws such as the California Consumer Privacy Act (CCPA), the New York Privacy Act, and Virginia’s Consumer Data Protection Act — along with sector-specific regulations and country-level mandates — establish the rules for data collection, processing, security, and consumer rights.

Comprehensive compliance is necessary for any business that handles PII. If you do business or have employees across borders, more than one regulation may apply.

Pro Tip

Whether patients are getting care exclusively online or just want to save time by filling out forms digitally, Jotform’s HIPAA-friendly forms, including forms for WordPress, can help you keep PII protected.

What is PHI?

PHI, or protected health information, is a subset of PII that’s specifically connected to healthcare data. This includes any health information that can identify a person and is held or sent to others by either a covered entity or one of its business associates. The information can be digital, written, or shared verbally.

What qualifies as PHI under HIPAA?

HIPAA is very particular about what qualifies as PHI. Essentially, any information about an individual’s health status, the care they receive, or the payment for that care becomes PHI if it can be used to identify them. HIPAA provides a list of specific identifiers that, when linked to health data like a diagnosis or a lab result, automatically trigger the strictest protection rules.

So, a diagnosis of a concussion by itself is just health information, but once paired with an identifier (“Jane Doe presented with a concussion on December 12, 2025”), it becomes PHI.

If you handle patient treatment details, billing information, or appointment scheduling logs, and any identifiable detail is attached, you’re dealing with PHI.

Examples of PHI

HIPAA provides 18 identifiers of PHI, which include

Identifying information: This can be names or initials of patients, their relatives, or their employer, as well as
- Geographic subdivisions smaller than a state (including addresses and ZIP codes)
- All dates directly related to the individual, such as birth date, admission date, date of death, or date of discharge (the year on its own is not considered identifying information)
- Age if over 89, due to a much smaller population over that age
Contact information: Email addresses, telephone numbers, and fax numbers
Unique numbers and codes: Any numbers or codes unique to an individual, such as a Social Security number, health plan beneficiary number, or account number
Technical and biometric identifiers: Including license plate numbers, fingerprints, serial numbers, and IP addresses
Visual and other unique data: Facial or other identifying images, characteristics, codes, identification numbers, or any other data points not explicitly listed that could be used to identify a person

Who handles PHI?

The protection of PHI is the core responsibility of two main groups under HIPAA: covered entities (CEs) and business associates (BAs).

Covered entities are the main players in the healthcare industry. These include healthcare providers, insurance companies, and healthcare clearinghouses. Each transmits health data electronically, directly, or through a business associate.

A business associate is any third-party company that performs a service for a covered entity that involves creating, receiving, maintaining, or transmitting PHI. This can range from IT vendors, cloud storage providers, and medical billing companies to external lawyers and accountants. BAs must sign a legally binding Business Associate Agreement (BAA) with the CE, which explicitly requires them to apply HIPAA privacy and security rules to the PHI they handle.

HIPAA requirements for PHI protection

HIPAA aims to protect the confidentiality, integrity, and availability of PHI. Part of this involves requiring any organization handling PHI to put safeguards in place, including physical (locked doors and access control), administrative (policies and procedures), and technical (encryption and role-based controls). While there’s a long list of regulations, strict control over access to and use of data is at the heart.

Key HIPAA compliance requirements for PHI protection include

Security management processes: CEs and BAs must regularly audit and identify possible PHI risks. They must have security practices in place to reduce those risks.
Minimum necessary rule: PHI should only be used or disclosed to the minimum extent necessary for people to do their jobs. For example, a billing clerk should only see billing data, not clinical notes.
Access controls: Systems must have technical security measures in place so only authorized users can access electronic PHI (ePHI).
Encryption of ePHI: While HIPAA doesn’t technically force you to use encryption, it does set a high bar for how you protect digital health data — whether it’s sitting on your server (at rest) or being sent in an email (in transit). The law sees encryption as an “addressable” standard, which means you have three choices: use encryption, find an alternative that’s just as effective, or have documented proof of why you don’t need it. If you lose a laptop where the data is encrypted, it wouldn’t be considered a breach, but if you lose an unencrypted laptop, you will be legally required to report a data breach for unsecured PHI.
Workforce training and sanctions: Organizations must train all employees on HIPAA policies and implement a sanction policy for those who violate privacy or security rules.
BAAs: These are a legally required contract that ensures any third-party BA handling PHI is also compliant with HIPAA.
Physical safeguards: Procedures must be in place to secure physical facilities and equipment that store PHI.

Many organizations find that, in practice, they collect PHI and non-sensitive, regular data at the same time. Jotform’s HIPAA-friendly features allow you the flexibility to collect mixed data on the same form, with set PHI features to aid compliance.

PHI vs PII: Core differences

In short, all PHI is PII, but not all PII is PHI. You can think of PII as the broad, overarching category that encompasses all details that can identify a specific person. PHI is a specialized, smaller category of data specifically including health data and protected by HIPAA.

When PII becomes PHI

Under HIPAA, three conditions must be met for PII to become PHI:

The data must be individually identifiable.
The data must relate to health, treatment, or payment.
The data is handled by either a covered entity or its business associate.

For example, if your name and email address are used for a generic fitness app for logging steps, it’s PII not PHI. But when your name and email address are entered on a health insurance claim form, that’s PHI.

Main differences in scope, regulation, and data sensitivity

While both PHI and PII are categories of sensitive personal data, their main distinctions lie in how broadly the information applies, the specific laws governing their use, and the level of security they demand. Those main differences are:

Scope: PHI is narrowly focused on the healthcare industry and information related to an individual’s health, treatment, or payment. PII is a broad category applying to any data point that can identify a person across all industries.
Regulation: PHI is primarily governed by HIPAA in the U.S. PII is governed by a range of laws depending on geography and industry, including GDPR (E.U.), CCPA (California), and several industry-specific statutes.
Data sensitivity: PHI is classified as highly sensitive due to the deeply private nature of health information and therefore requires the strictest safeguards. PII covers a range of sensitivity levels — for example, while identifiers like Social Security numbers are highly sensitive, others, like an email address, may be considered less sensitive depending on the context.

Areas of overlap between PHI and PII

Because PHI is a subset of PII, there is some overlap — specifically in the personal identifiers that HIPAA lists. Identifiers like your name and date of birth are PII in any context, but they become PHI when linked with health data.

Here’s an example comparison:

	PHI	PII
Data type	Health-specific identifying data: Information about an individual’s health, treatment, or payment	General identifying data: Information that can be used to identify, contact, or locate an individual
Example	A patient’s name linked to their diagnosis code, medical record number, or appointment date	Full name, home address, Social Security number, email address, or driver’s license number
Regulatory law	Primarily HIPAA in the U.S.	GDPR (E.U.), CCPA/CPRA (California), various state data breach notification laws, and other sector-specific laws
Who must comply?	HIPAA covered entities (hospitals, health plans, etc.) and their business associates (vendors handling PHI)	Any organization that collects, processes, or stores consumer data, depending on the jurisdiction and type of data handled

Real-world examples of PHI and PII

To fully grasp the difference between these two data categories, it helps to see how they appear in everyday settings. While PII is the standard currency for identification across commerce, banking, and social media, PHI is exclusively generated within the healthcare ecosystem. The same identifying detail — like your name — can shift from simple PII on a retail website to PHI the moment it’s logged in a hospital’s system with your current diagnosis.

PII examples outside healthcare

Here are some typical PII examples outside a healthcare setting:

Marketing data gathered by a business, such as your name and email address
User accounts that collect multiple PII data points, including direct identifiers, contact information, and authentication data
Financial institution data, such as bank account numbers, Social Security numbers, and credit report data
Retail data, such as shipping addresses, phone numbers, and purchase history information
Employment data, such as payroll and tax forms, work authorization status, and driver’s license information

PHI examples within healthcare and insurance

Here are some typical PHI examples within healthcare and insurance:

Electronic health records, which contain a patient’s entire health history and identifying data
Lab or imaging results, particularly when labeled with identifying information
Doctor’s notes, whether handwritten or recorded electronically
Appointment scheduling information, particularly where it links the patient’s name with the reason for their visit
Insurance claim forms and prior authorizations, as they give medical details along with identifying data

How organizations misclassify data

Getting data classification right is the first step. It tells organizations how they’re legally supposed to handle and protect that information. However, misclassifications, which can lead to the exposure of sensitive information, happen more often than you may think. One Metomic report found that 25 percent of publicly shared files in healthcare organizations contain PII.

Common misclassification issues include

Ignoring a healthcare link to PII: An email address is standard PII in an e-commerce newsletter, but it becomes PHI as part of a patient record in a hospital.
Assuming all health-related information is PHI: Data collected by a general wellness app, for example, is usually PII and governed by laws such as GDPR, not HIPAA. The app would only fall under HIPAA if it acted as a business associate for a covered entity.
Inadequate data management: Without robust data inventory and tracking systems, organizations may not have good visibility over their data, making it difficult to apply the correct rules.
Misunderstanding or misusing de-identification standards: Under HIPAA, PHI can be anonymized by following strict practices to remove all 18 potential identifiers. Any mistake in that process can result in re-identification.

Real cases of compliance failures

There have been many cases of HIPAA violations or noncompliance with data protection standards, including some that resulted in significant breaches of sensitive information. Some examples include the following:

Anthem was part of one of the biggest data breaches in history in 2015, when a phishing scam led to the breach of millions of policyholders’ personal details.
South Florida Memorial Healthcare System employees illegally accessed around 115,000 patient records with the intent to sell them. Subsequent investigations found that the Memorial Healthcare System failed to monitor and review access policies, leading to the breach.
University of Mississippi Medical Center first drew attention when an unencrypted laptop was stolen, but subsequent investigations found that they lacked multiple necessary data protection protocols, including the use of unique user credentials to track system access.

Best practices for protecting PHI and PII

Protecting both PHI and PII requires a comprehensive approach rooted in four key principles:

Minimizing data collection
Implementing encryption and pseudonymization
Monitoring data access and usage
Consistently training staff on security policies

If your organization can nail these four principles, you can significantly reduce the risk of noncompliance.

Data encryption and anonymization methods

Encryption is the gold standard for protecting data, particularly ePHI, both when it’s stored and in transit. Strong, certified encryption methods like AES-256 make data unreadable to unauthorized people or computer systems, effectively creating a “safe harbor” under HIPAA in case a device is lost or stolen.

Anonymization goes a step further by permanently removing all identifiers, making it impossible to link the data back to an individual. Pseudonymization (a key feature of GDPR) is a closely related method, replacing direct identifiers with substitutes or codes. For example, your name might be switched out for “Patient A.” This allows the data to be used for research or analysis without giving away information that could identify you.

Secure access management and audit controls

Effective data protection starts with controlling who can access sensitive information. Secure access management relies on least privilege, meaning employees are only given the minimum access necessary to perform their job duties. For example, a front-desk receptionist doesn’t need to access a patient’s lab test results — only the information needed to schedule an appointment.

Organizations should enforce access management through user authentication and strict access controls. Audit controls are also vital, requiring organizations to track and log all access to and updates made to PHI and PII. The audit trail should quickly alert IT to any potential breaches.

Employee training and data governance

Human error is a leading cause of data breaches, making regular employee training a key security control. All employees who handle PII or PHI must undergo recurring training on security policies, breach procedures, and the differences between data types.

Strong data governance policies should reinforce this training. These establish clear roles, responsibilities, and standards for data handling throughout its entire lifecycle. A robust framework keeps everyone in the organization accountable and maintains a culture of data privacy.

Regular compliance audits

Regular internal and external audits are necessary tools for validating and improving an organization’s data governance. Your audits should help

Uncover security gaps.
Verify documented security measures.
Maintain the readiness of the organization.
Proactively fix any issues that could lead to fines.

Building a privacy-first data strategy

A privacy-first approach to data strategy where PHI vs PII are clearly understood and treated appropriately is vital for any data-handling organization. In the end, it’s about maintaining compliance and trust. Sure, you want to avoid penalties for breaches, but damaging public trust can prove to be far more costly in the long term.

To avoid both, businesses and organizations can implement proactive data protection measures, such as secure access management, encryption, and other best practices. As a foundation, understanding that PHI is a subset of PII and is subject to HIPAA standards is key.

Technology also plays an important role in enabling organizations to sustainably manage data and fulfill their privacy obligations. Tools that automate the process can help reduce human error and the time devoted to compliance.

Jotform is packed with features that help organizations collect and correctly handle PHI and PII. See how Jotform’s HIPAA-friendly form features can help you manage sensitive patient data effectively.

This post offers readers a convenient source of general information on PII and PHI. Consult with your attorney for any questions specific to your own organization’s compliance with PII or PHI regulations.

Was this article helpful?

Yes

We're sorry to hear that. What problem did you have with the article?

How can we improve this article?

What did you like best about this article?

AUTHOR

Katie Joll

Katie Joll is a content marketing strategist, copywriter, and photographer with almost 15 years of writing and project experience across a broad range of topics. A proud New Zealander, Katie is based in beautiful South Lake Tahoe and enjoys outdoor adventures, travel, and a good book during her downtime.

RECOMMENDED ARTICLES

What Is HIPAA Compliance?

Creating newsletters for your health and fitness business

The best remote access software tools that help with HIPAA compliance

What is an encounter form?

HIPAA vs FERPA: The difference between two acts

How to be HIPAA-friendly on social media

SimplePractice: Plans, pricing, and alternatives

How to improve patient outreach

How to evaluate HCAHPS surveys with star ratings

How to make things easier for your intake coordinator

8 of the best WordPress plug-ins for health coaches in 2026

How to remind patients of appointments

Exploring AxisCare’s pricing and value for home care management

How to facilitate a group therapy session online

Does HIPAA apply to schools and educational institutions?

Set up contactless COVID-19 screening in two simple steps

Top 7 Power Diary alternatives in 2026

6 best hosting services to enable HIPAA compliance for 2026

Top 5 medical survey portals to earn extra money in 2026

Best HIPAA-friendly survey tool: Jotform

How to improve your patient intake process in 3 steps

11 best apps for managing medical records in 2026

10 Caspio alternatives in 2026

10 best healthcare compliance software solutions for 2026

How Dr. Miami uses Jotform to collect patient information

File sharing services that help with HIPAA compliance

HIPAA-friendly online forms instead of sign-in sheets

The 10 best cloud storage solutions that help with HIPAA compliance in 2026

How to improve your patient onboarding process

AdvancedMD vs CareCloud

How to collect patient-reported outcomes with online forms

The best electronic health record software

Healthcare white paper: Online forms

What is protected health information (PHI)?

How can HIPAA waivers help your medical institution?

4 ways of protecting patient privacy

Does Dropbox enable HIPAA compliance?

What is doctor-patient privilege?

How long should healthcare providers keep medical records?

7 of the best WordPress plug-ins for doctors in 2026

CareCloud vs Athenahealth: Refreshing your medical software stack

15 best video conferencing tools that help with HIPAA compliance in 2026

6 secure healthcare messaging apps in 2026

An overview of ClinicSense’s pricing, features and more

Lighthouse 360 vs Solutionreach

Does OneDrive enable HIPAA compliance?

Use the best fax services that help with HIPAA compliance

What is personally identifiable information (PII) under HIPAA?

How to design a HIPAA-friendly website

What is an incidental disclosure in HIPAA?

What are the consequences of a HIPAA violation?

What is the HIPAA Omnibus Rule?

What makes e-signatures HIPAA-friendly?

How to create an intake form in Word

How to maintain HIPAA compliance in a remote work environment

Announcing the new Jotform Health app

Best email providers to enable HIPAA compliance for small practices

How does HIPAA fit into medical ethics?

Patient confidentiality laws your practice needs to know

The basics of writing an informative SOAP note

Best free HIPAA training materials for 2026

7 times you need to use a HIPAA medical records release form

Streamlining healthcare data management and collection

How much does Updox cost? Pricing and alternatives for 2026

6 ways to improve patient communication

Healthie: A comprehensive review of pricing and features

How to create electronic CRFs

5 patient data-collection best practices

Payment processing that helps with HIPAA compliance for medical services

How can you prevent medical identity theft

How to organize your vaccine distribution with Jotform

How to refer a patient to another doctor

How to do a head to toe assessment

7 ways to improve hospital workflows

Mobile apps that help with HIPAA compliance

Webinar: 3 ways to digitally transform your healthcare practice

Webinar: How to manage COVID-19 vaccine distribution with Jotform

Pros and cons of HIPAA: key benefits and hidden drawbacks

Improving care coordination while enabling HIPAA compliance

HIPAA-friendly online intake forms: 8 ways to keep your forms secure

The insider threat to HIPAA compliance: Data breach

5 best billing software tools for doctors in 2026

5 popular patient satisfaction surveys

How to make your massage intake forms HIPAA-friendly and clear

How to become a holistic health coach

EMR vs EHR: What’s the difference?

How to get physician referrals to your medical practice

Acuity Scheduling vs SimplePractice: Which is best?

The essential guide to WebPT: Revolutionizing physical therapy management

App development that helps with HIPAA compliance

How to improve the counseling intake and assessment process

What is doctor-patient confidentiality and how will it affect your practice?

Which institutions are HIPAA covered entities?

Best medical spa software

The 5 most common HIPAA-compliance mistakes and how to overcome them

A look at our Coronavirus Responder Program

Top 5 intakeQ alternatives for 2026

The best clinical documentation improvement software

Does HIPAA apply to employers? HIPAA in the workplace

10 best HIPAAtizer alternatives in 2026

Send Comment:

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Be the first to comment.