Compliance Guide

PHI vs PII: What's the Difference?

Both need protection. Both require redaction. But they're governed by different laws, cover different data, and carry different penalties. Here's what you need to know.

The Short Answer

PII (Personally Identifiable Information) is any data that can identify a specific individual. Names, Social Security numbers, email addresses, phone numbers — all PII. It's a broad category governed by multiple laws including GDPR, CCPA, FOIA, and FERPA.

PHI (Protected Health Information) is a specific subset of PII that relates to an individual's health and is held by a HIPAA-covered entity. A patient's diagnosis, treatment plan, prescription, or lab result — when linked to identifying information — is PHI. It's governed specifically by HIPAA.

The relationship: All PHI is PII, but not all PII is PHI. A person's name is PII. That same name on a medical record held by a hospital is both PII and PHI. That name on a bank statement is PII but not PHI.

PHI vs PII Comparison

  Full Name
    PII: Personally Identifiable Information
    PHI: Protected Health Information
  Governed By
    PII: GDPR, CCPA, FOIA, FERPA, FTC Act, state laws
    PHI: HIPAA (Privacy Rule, Security Rule, Breach Notification Rule)
  Scope
    PII: Any data identifying an individual, in any context
    PHI: Health-related data linked to an individual, held by a covered entity
  Who Must Comply
    PII: Virtually all organizations handling personal data
    PHI: Healthcare providers, health plans, clearinghouses, and their business associates
  Penalties
    PII: Varies: GDPR up to €20M or 4% of revenue; CCPA up to $7,500 per violation
    PHI: $100–$50,000 per violation, up to $1.5M per category per year; criminal penalties possible
  Examples
    PII: Name, SSN, address, email, phone, DOB, driver's license, financial accounts
    PHI: Medical records, diagnoses, prescriptions, lab results, insurance claims, treatment plans — when linked to identifiers
  De-identification Method
    PII: Remove or redact identifying elements per applicable regulation
    PHI: HIPAA Safe Harbor (remove 18 identifiers) or Expert Determination method

What Counts as PII?

PII is broadly defined as any information that can be used to identify, contact, or locate a specific individual, either alone or combined with other data. There is no single universal PII definition — it varies by regulation — but the common categories are the ones listed in the comparison above: name, SSN, address, email, phone, date of birth, driver's license, and financial account details.

The threshold for what constitutes PII has expanded over time. Under GDPR, even an IP address or a cookie ID is personal data. Under CCPA, household-level data and inferences drawn from other data qualify as personal information.

What Counts as PHI?

PHI has a more specific definition under HIPAA. For data to qualify as PHI, it must meet all three conditions:

  1. It relates to health: The data concerns an individual's past, present, or future physical or mental health condition, the provision of healthcare, or payment for healthcare.
  2. It identifies an individual: The data includes one or more of HIPAA's 18 identifiers (or there is a reasonable basis to believe it could identify someone).
  3. It's held by a covered entity or business associate: The data is created, received, maintained, or transmitted by a healthcare provider, health plan, healthcare clearinghouse, or their business associate.

Important nuance: The same data can be PHI or not depending on context. Your blood type in your hospital's medical record is PHI. Your blood type in a note on your personal phone is not PHI — because your phone is not a covered entity. Context determines classification.

HIPAA's 18 Identifiers

When HIPAA requires de-identification of PHI, the Safe Harbor method requires removal of these 18 specific identifiers:

  1. Names
  2. Geographic data smaller than a state
  3. All dates (except year) directly related to an individual
  4. Phone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers
  13. Device identifiers and serial numbers
  14. Web URLs
  15. IP addresses
  16. Biometric identifiers (fingerprints, voiceprints)
  17. Full-face photographs and comparable images
  18. Any other unique identifying number, characteristic, or code

If all 18 identifiers are removed and the covered entity has no actual knowledge that the remaining information could identify an individual, the data is considered de-identified under HIPAA and is no longer PHI.
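As an added example (not SafeRedact's code and not from the page), here is a Python sketch of the two checks described above: the three-condition PHI test from the previous section and a Safe Harbor de-identification pass over a single record. The field names, the mapping of fields to the 18 identifier categories, and the sample record are assumptions.

```python
import re
from typing import Optional

# Field names are assumptions for this example; real EHR schemas differ.
# Identifiers removed outright (page items 1 and 4 to 18).
REMOVE = {"name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
          "account", "license", "vin", "device_serial", "url", "ip",
          "biometric", "photo", "other_unique_code"}
GEO_FIELDS = {"address", "city", "zip"}                    # item 2: smaller than a state
DATE_FIELDS = {"dob", "admission_date", "discharge_date"}  # item 3: keep year only
HEALTH_FIELDS = ("diagnosis", "medication", "lab_result")

# Constructed sample record; every value is made up.
RECORD = {
    "name": "Jane Doe", "dob": "1984-03-17", "ssn": "123-45-6789",
    "mrn": "00012345", "address": "12 Elm St", "city": "Springfield",
    "state": "IL", "zip": "62704", "ip": "203.0.113.7",
    "admission_date": "2024-11-02", "diagnosis": "I10 hypertension",
    "medication": "lisinopril 10 mg",
}

def year_only(value: str) -> Optional[str]:
    """Generalise an ISO date (YYYY-MM-DD) to its year; anything else is dropped."""
    m = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", value)
    return m.group(1) if m else None

def is_phi(record: dict, held_by_covered_entity: bool) -> bool:
    """The page's three conditions: health-related, identifies someone,
    and held by a covered entity or business associate."""
    health = any(k in record for k in HEALTH_FIELDS)
    identifying = any(k in record for k in REMOVE | GEO_FIELDS | DATE_FIELDS)
    return health and identifying and held_by_covered_entity

def deidentify_safe_harbor(record: dict) -> dict:
    """Strip the identifier categories so only clinical content, state and
    years remain. Safe Harbor also requires that the entity has no actual
    knowledge the remainder could identify the person; code cannot check that."""
    out = {}
    for key, value in record.items():
        if key in REMOVE or key in GEO_FIELDS:
            continue                                  # identifier: drop it
        if key in DATE_FIELDS:
            year = year_only(str(value))
            if year:
                out[key + "_year"] = year             # keep the year only
            continue
        out[key] = value                              # clinical content, state
    return out
```

After the pass the same record no longer satisfies the identification condition, so is_phi returns False even when the holder is a covered entity.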

Where PHI and PII Overlap

In practice, most documents in healthcare settings contain both PHI and PII simultaneously. A patient intake form has the patient's name (PII), their address (PII), their insurance number (PII and PHI), their diagnosis (PHI), and their treatment plan (PHI). All of it requires protection, but under different regulatory frameworks.

This overlap creates a practical challenge: you can't just comply with HIPAA and ignore PII requirements, or vice versa. A healthcare organization processing data about California residents needs to comply with both HIPAA and CCPA. A hospital responding to a FOIA request needs to consider both FOIA exemptions and HIPAA protections.

What Is ePHI?

ePHI (Electronic Protected Health Information) is PHI that exists in electronic form — created, stored, transmitted, or received digitally. This includes electronic medical records, digital prescriptions, lab results in patient portals, health data in emails, and insurance claims submitted electronically.

HIPAA's Security Rule applies specifically to ePHI and requires covered entities to implement administrative safeguards (risk assessments, training, access management), physical safeguards (facility access, workstation security), and technical safeguards (encryption, audit controls, access controls).

The distinction matters because paper PHI is governed only by HIPAA's Privacy Rule, while ePHI is governed by both the Privacy Rule and the Security Rule — a stricter set of requirements.

How to Redact PHI and PII

Whether you're handling PHI, PII, or both, the redaction process is the same: identify the sensitive data, review it, and permanently remove it from the document.

The critical requirement is permanence. Drawing a black box over a patient's name in a PDF is not redaction — the text data remains in the file and can be extracted. True redaction destroys the underlying data so it cannot be recovered by any method.
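An added illustration of why the black box fails, written for this guide and not SafeRedact's code: it works on a constructed PDF page content stream (the page's drawing operators only, not a complete PDF file) and contrasts painting a rectangle over the text with deleting the text-showing operator itself.

```python
import re

# Constructed sample: the operators of one PDF page content stream.
# Each BT...ET block positions the cursor (Td) and shows a string (Tj).
CONTENT = (b"BT /F1 12 Tf 72 700 Td (Patient: Jane Doe) Tj ET\n"
           b"BT /F1 12 Tf 72 680 Td (MRN: 00012345) Tj ET\n"
           b"BT /F1 12 Tf 72 660 Td (Diagnosis: hypertension) Tj ET\n")

# One text block: capture its x/y position and the shown string.
TEXT_BLOCK = re.compile(rb"BT [^\n]*?(\d+) (\d+) Td \(((?:\\.|[^\\)])*)\) Tj ET\n")

def extract_text(stream: bytes) -> list:
    """What a text extractor (or plain copy and paste) recovers from the stream."""
    return [m.group(3).decode("latin-1") for m in TEXT_BLOCK.finditer(stream)]

def overlay_black_box(stream: bytes, x: int, y: int, w: int, h: int) -> bytes:
    """The 'black box' approach: paints a filled rectangle on top and leaves
    every text operator in place. Looks redacted on screen; is not."""
    return stream + b"q 0 g %d %d %d %d re f Q\n" % (x, y, w, h)

def redact(stream: bytes, sensitive: str) -> bytes:
    """True redaction: delete the text block whose string contains the
    sensitive value, then paint a box where it used to be. The bytes are gone."""
    needle = sensitive.encode("latin-1")
    def replace(m):
        if needle not in m.group(3):
            return m.group(0)                         # unrelated text: keep
        x, y = int(m.group(1)), int(m.group(2))
        return b"q 0 g %d %d 200 14 re f Q\n" % (x, y - 3)  # box only, no text
    return TEXT_BLOCK.sub(replace, stream)
```

Real files also carry the same data in annotations, metadata, embedded fonts and earlier incremental-update revisions, which is why a redaction tool must rewrite the whole document rather than one content stream.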

SafeRedact handles both PHI and PII redaction. The AI automatically detects names, SSNs, addresses, medical record numbers, dates, account numbers, and other identifiers across your documents. Detection calls Anthropic's Claude API over TLS 1.3 with zero data retention. You review the detections, and permanent pixel-burn redaction destroys the data locally in your browser.

Bank-grade encryption for healthcare data: SafeRedact keeps documents in your browser and sends only the data needed for AI detection to Anthropic's API via TLS 1.3 encryption — the same standard used by major banks. Anthropic does not store or train on your data. Redaction is applied locally on your device. For healthcare organizations, this minimizes third-party data exposure and avoids the compliance complexity of full cloud document uploads.

Frequently Asked Questions

Is a patient's name PHI?

A patient's name alone is PII. When that name appears in a healthcare context — on a medical record, insurance claim, or prescription — it becomes PHI because it connects an identifiable individual to health information held by a covered entity.

Is a Social Security number PHI?

An SSN is always PII. It becomes PHI when it appears in a healthcare context — for example, on a patient registration form at a hospital. The SSN on your tax return is PII but not PHI.

Does HIPAA apply to employers?

Generally, no. HIPAA applies to covered entities (healthcare providers, health plans, clearinghouses) and their business associates. An employer's general personnel records are not subject to HIPAA, even if they contain health information. However, if the employer also operates a self-insured health plan, that plan is a covered entity and the health data within it is PHI.

What happens if PHI is accidentally disclosed?

Under HIPAA's Breach Notification Rule, covered entities must notify affected individuals within 60 days of discovering a breach of unsecured PHI. If the breach affects 500 or more individuals, the entity must also notify the Department of Health and Human Services and prominent media outlets. Breaches affecting fewer than 500 individuals are reported to HHS annually. Penalties range from $100 to $50,000 per violation, up to $1.5 million per category per year.

Can de-identified data become PHI again?

Technically, if de-identified data is re-identified (linked back to an individual in a healthcare context), it becomes PHI again and HIPAA protections apply. This is why proper de-identification — removing all 18 identifiers under the Safe Harbor method — is important. The more identifiers removed, the lower the re-identification risk.

Redact PHI and PII Automatically

AI detects names, SSNs, medical records, and 20+ PII categories. Permanent pixel-burn redaction. Files never leave your browser.

Free: Unlimited docs with watermark · Day Pass: $5 · Annual: $99/yr