Graham Thompson
PII vs PHI vs PCI: What's the Difference?
A business may handle PII, PHI, or PCI data without recognizing its importance. Learn the differences between them and the compliance requirements that protect this private data.
Data has become a valuable commodity for enterprises in a digital-first world and for the economy at large.
Countless organizations now collect, store, share, and analyze vast repositories of data. These digital treasure troves hold valuable insights for enhancing business practices, operations, and customer relationships—but at a time when cybercrime is on the rise, organizations have more responsibility than ever to secure the data they collect.
Hardly a day goes by that we don’t hear of a major data breach, records exposed and posted online, or threats made by ransomware groups to publish sensitive data unless a blackmail payment is made.
The global average cost of a data breach in 2023 was $4.45 million, a 15% increase over the past three years. According to IBM, customer and employee personally identifiable information (PII) is the most expensive to have compromised, with each customer PII record costing organizations $183 per record, on average. (The least expensive record type was anonymized consumer data.)
Lawmakers have taken note. Federal and statewide laws now enforce a minimal standard of security and data protection for companies handling specific types of consumer data and PII. The consequences of ignoring these regulations can be severe, especially when sensitive PII datasets, such as medical records, are involved.
To adequately protect data, organizations must first understand whether their records contain personal data at all, and if they do, which category of PII applies.
The classifications organizations must become familiar with are known as personally identifiable information (PII), payment card industry (PCI) data, and protected health information (PHI).
Each category of data is subject to different security and privacy standards.
It is imperative that businesses understand the difference.
Below, we explain the key differences between PII, PHI, and PCI, provide examples of each dataset, and describe how each category relates to protection and compliance standards.
Personally identifiable information (PII)
Personally identifiable information (PII) refers to any dataset that may identify an individual. PII is an overarching term that could include any form of data that, separately or when combined with other data sources, could potentially reveal the identity of the individual it pertains to.
PII may include names, physical home addresses, ZIP codes, Social Security numbers, phone numbers, genders, ages, religious preferences, medical conditions, payment card details, biometric markers, photographs, educational status, job titles, and more.
PII is a protected form of information defined by the National Institute of Standards and Technology (NIST) as:
“Any information about an individual maintained by an agency, including any information that can be used to distinguish or trace an individual’s identity, such as name, Social Security number, date and place of birth, mother’s maiden name, or biometric records; and any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”
Sample PII Record
Name: Jane Doe
Address: 1 Leaf Lane, New York, 100002
Telephone number: +1 777 666
Email address: jane.doe@privacydynamics.com
Age: 56
Social Security number: 111-22-3333
Payment Card Industry (PCI) data
Payment card industry (PCI) data refers to account numbers, expiration dates, and security codes (CVVs) – all of the key data points that, if compromised, could lead to fraudulent transactions and identity theft. Furthermore, other PII identifiers, such as physical addresses and cardholder names, will be considered PCI if they are connected to financial datasets.
PCI is also used in reference to the PCI Security Standards Council (PCI SSC), a consortium of major payment brands that develops and maintains agreed standards to protect consumer financial information. The PCI SSC manages and updates these data protection standards and ensures organizations managing, storing, or processing PCI data are compliant.
Members include American Express, MasterCard, Discover Financial Services, JCB International, UnionPay, and Visa.
“PCI Security Standards are [the] technical and operational requirements set by the PCI SSC to protect cardholder data,” the council says. “The standards apply to all entities that store, process or transmit cardholder data – with requirements for software developers and manufacturers of applications and devices used in those transactions.”
Sample PCI record
Name: Jane Doe
Billing address: 1 Leaf Lane, New York, 100002
Payment card number: 1234 5678 9101
Security code/CVV: 946
Expiry date: 1/25
Protected Health Information (PHI)
Protected health information (PHI) is a subset of PII that specifically relates to healthcare. The US Department of Health and Human Services (HHS) defines PHI as:
“Individually identifiable health information, held or maintained by a covered entity or its business associates acting for the covered entity, that is transmitted or maintained in any form or medium (including the individually identifiable health information of non-US citizens).
This includes identifiable demographic and other information relating to the past, present, or future physical or mental health or condition of an individual, or the provision or payment of health care to an individual that is created or received by a health care provider, health plan, employer, or health care clearinghouse.”
Organizations managing PHI are expected to meet stringent data protection and security standards, as outlined in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in the United States. A comparable regulation is the EU’s General Data Protection Regulation (GDPR).
In total, there are 18 identifiers under HIPAA’s Privacy Rule that organizations can consult to determine whether their datasets fall under HIPAA compliance standards. These include names, geographic locations, Social Security numbers, health plan beneficiary records, medical record numbers, and “other unique identifying numbers, characteristics, or codes.”
Sample PHI record
Name: Jane Doe
Address: 1 Leaf Lane, New York, 100002
Email address: jane.doe@privacydynamics.com
Age: 56
Medical record number: 123456
Conditions: Diabetes, asthma
Treatment plan: Insulin
Healthcare insurance plan number: 1234567
Compliance Considerations for PII
In the United States, maintaining compliance when handling, processing, or storing PII depends on the context.
For example, if an individual’s name is linked to their medical records, the record would be considered PHI and would come under HIPAA. If payment card details are linked to the same name, the record would come under PCI DSS. Both standards are explained in further detail below.
PII is a broader term relating to how identifiable a subject is, and with wider parameters, it can be more difficult to know how to protect this information properly.
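The three sample records above and the context rule just described (the same name becomes PHI when linked to medical data and PCI data when linked to a card) can be turned into a small classifier. The following is an added example, not the article's or Privacy Dynamics' code; the field names, the identifier sets and the records are constructed to mirror the article's samples.

```python
"""Classify a flat record as PII, PCI and/or PHI from the fields it contains.

Added example (not the article's or Privacy Dynamics' code). Field names and the
sample records are constructed to mirror the article's sample PII/PCI/PHI records.
"""

# Fields that make a record "linked or linkable" to a person. Medical record and
# health plan numbers count: they are among HIPAA's 18 identifiers.
IDENTIFIERS = {
    "name", "address", "billing_address", "telephone", "email", "ssn",
    "date_of_birth", "medical_record_number", "health_plan_number", "photo",
}
# Cardholder data and sensitive authentication data as PCI DSS defines them.
CARDHOLDER_DATA = {"pan", "expiry", "cvv", "track_data"}
# Health-related content: only PHI when it is linked to an identifiable person.
HEALTH_DATA = {"conditions", "treatment_plan", "diagnosis", "medications"}

REGIME = {"PII": "state privacy law (e.g. CCPA)", "PCI": "PCI DSS", "PHI": "HIPAA"}


def classify(record: dict) -> set:
    """Return the set of labels ("PII", "PCI", "PHI") that apply to the record."""
    present = {k for k, v in record.items() if v not in (None, "")}
    identifiers = present & IDENTIFIERS
    labels = set()
    if identifiers:
        labels.add("PII")
    if present & CARDHOLDER_DATA:
        # A PAN is cardholder data by itself; identifiers stored with it join PCI scope.
        labels.add("PCI")
    if present & HEALTH_DATA and identifiers:
        # Health facts with no identifier at all are de-identified data, not PHI.
        labels.add("PHI")
    return labels


def applicable_regimes(record: dict) -> list:
    """Map the labels to the compliance regime the article names for each."""
    return sorted(REGIME[label] for label in classify(record))


# Constructed records modelled on the article's three samples.
PII_RECORD = {"name": "Jane Doe", "address": "1 Leaf Lane, New York, 100002",
              "telephone": "+1 777 666", "email": "jane.doe@privacydynamics.com",
              "age": 56, "ssn": "111-22-3333"}
PCI_RECORD = {"name": "Jane Doe", "billing_address": "1 Leaf Lane, New York, 100002",
              "pan": "1234 5678 9101", "cvv": "946", "expiry": "1/25"}
PHI_RECORD = {"name": "Jane Doe", "address": "1 Leaf Lane, New York, 100002",
              "email": "jane.doe@privacydynamics.com", "age": 56,
              "medical_record_number": "123456", "conditions": "Diabetes, asthma",
              "treatment_plan": "Insulin", "health_plan_number": "1234567"}
# Same health facts with every identifier stripped: no longer PHI.
DEIDENTIFIED = {"age": 56, "conditions": "Diabetes, asthma", "treatment_plan": "Insulin"}

if __name__ == "__main__":
    for label, rec in [("PII", PII_RECORD), ("PCI", PCI_RECORD),
                       ("PHI", PHI_RECORD), ("de-identified", DEIDENTIFIED)]:
        print(f"{label:>14}: {sorted(classify(rec))} -> {applicable_regimes(rec)}")
```

Note that a record holding only a medical record number and a condition still classifies as PHI: the MRN alone is an identifier, which is why de-identification has to remove such numbers and not just names.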
There is no overarching federal law that applies to PII comparable to laws in other countries and regions, such as the EU’s GDPR. However, this does not mean that states are not taking matters into their own hands, an example being the California Consumer Privacy Act (CCPA) of 2018.
Depending on the state, organizations may be required to give consumers the right to view, delete, or amend PII held on them. Furthermore, businesses may be restricted in how they use, process, or share PII, with or without a subject’s consent.
The patchwork of state laws does not protect consumer PII to an adequate level, but organizations should still maintain strong security standards, carefully consider how to protect PII datasets, and ascertain whether subjects remain identifiable if information is shared with third parties.
Data controllers should also keep in mind that regardless of whether or not federal-level protections exist, data breaches involving PII can lead to serious reputational harm and class-action lawsuits unless organizations can prove they took reasonable steps to protect the sensitive information they have been entrusted with.
NIST provides an excellent framework and advice for organizations handling PII.
Compliance Considerations for PCI
Organizations holding PCI records must become compliant with the Payment Card Industry Data Security Standard (PCI DSS).
PCI DSS standards are set by the members of the PCI SSC. First launched in 2004, the PCI DSS regulations are focused on protecting sensitive financial consumer data, whether stored or in transit. If an organization accepts or processes payment cards, PCI DSS applies.
Obtaining a PCI DSS certificate, or partnering with a vendor able to handle the challenge on your behalf, is necessary to reduce the risk of security breaches that could lead to the theft and compromise of consumer financial data.
Merchants and payment processors must comply with PCI DSS, but the rules change depending on the organization’s annual transaction volume. Levels one to four range from companies that make fewer than 20,000 transactions per year to corporations handling over six million transactions annually.
According to the PCI SSC, the overall aim of PCI DSS is to lay the framework for organizations to build and manage a secure network capable of protecting payment card data.
PCI DSS measures include maintaining technological controls such as firewalls and encrypted transmission channels, changing default credentials, maintaining a vulnerability management program, restricting access to data on a ‘need to know’ basis, regularly tracking network activity, and maintaining a robust security policy.
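Two of the data-level measures behind those controls can be shown concretely: spotting card numbers that have leaked into logs (part of "regularly tracking network activity"), and making sure only storable cardholder data is persisted. The block below is an added example, not the article's or the PCI SSC's code. It relies on two PCI DSS rules the article does not spell out but which are stated in Requirement 3 of the standard: sensitive authentication data such as the CVV must not be stored after authorization, and a displayed PAN shows at most the first six and last four digits. The log lines and card records are constructed; the card numbers are well-known test PANs, not real accounts.

```python
"""Find payment card numbers in log text and strip sensitive data before storage.

Added example (not the article's or the PCI SSC's code). Log lines and card records
are constructed; 4111... and 5555... are industry test PANs, not real accounts.
"""
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes,
# not embedded inside a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled, 9 subtracted if > 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Display masking: at most the first six and last four digits stay visible."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return masked PANs found in text. The Luhn check filters out order ids
    and other 16-digit runs that are not card numbers."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(mask_pan(digits))
    return hits


def sanitize_for_storage(card: dict) -> dict:
    """Keep only what may be stored after authorization: PAN truncated, no CVV.
    If the full PAN is genuinely needed, it must be encrypted or tokenized instead."""
    digits = re.sub(r"\D", "", card["pan"])
    if not luhn_ok(digits):
        raise ValueError("not a valid PAN")
    # Sensitive authentication data (CVV, full track data, PIN) is deliberately dropped.
    return {"name": card["name"], "pan_masked": mask_pan(digits), "expiry": card["expiry"]}


# Constructed application log: line 1 carries an order id that is not a card number,
# line 2 is a debug line that leaked a full card record, line 3 a dashed PAN.
SAMPLE_LOG = """\
2024-05-01T10:02:11Z INFO checkout order=1234567812345678 amount=19.99
2024-05-01T10:02:12Z DEBUG gateway request pan=4111 1111 1111 1111 exp=01/25 cvv=946
2024-05-01T10:03:40Z INFO refund card=5555-5555-5555-4444 status=ok
"""

if __name__ == "__main__":
    print("PANs leaked into log:", find_pans(SAMPLE_LOG))
    print(sanitize_for_storage({"name": "Jane Doe", "pan": "4111 1111 1111 1111",
                                "cvv": "946", "expiry": "01/25"}))
```

Running the scanner over a log stream and alerting on any hit is a cheap way to detect the second line's mistake (a debug statement that logged a full card record) before an auditor or an attacker does.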
The council has provided a guide to assessing whether PCI DSS compliance is required; merchants and vendors are expected to follow these steps:
- Scope: Organizations must determine which system components and networks are in scope for PCI DSS.
- Assess: Testing procedures must be undertaken to assess current standards and compliance.
- Report: Documentation will need to be submitted, including self-assessments and compliance reports.
- Attest: Organizations must then complete an Attestation of Compliance (AOC).
- Submit: All necessary documents must then be submitted.
- Remediate: If necessary, organizations must then remediate any areas of their network or operations that are not compliant, and update reports accordingly.
Failure to comply can result in severe financial penalties and legal repercussions.
Compliance Considerations for PHI: Let’s Talk HIPAA
Organizations that act as custodians for medical data must refer to the Health Insurance Portability and Accountability Act, also known as HIPAA. The federal law, introduced in 1996, was created to “protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.”
Considering the sensitive nature and potentially extremely distressing consequences of PHI being stolen or released online, it is imperative that organizations protect medical information to the best of their abilities – and in a HIPAA-compliant manner.
There are financial consequences to consider, too: healthcare-related data breach costs have increased by over 53% since 2020, at an average cost of $10.93 million, according to IBM.
HIPAA’s Privacy Rule also outlines the rights of individuals to access their healthcare-related information. HIPAA-compliant organizations must provide channels for individuals “to see and receive copies upon request of the information in their medical and other health records maintained by their health care providers and health plans.”
When businesses are investigating HIPAA compliance standards, a key element is the “minimum necessary requirement.” Organizations – including healthcare providers and business associates – must adhere to the minimum necessary standard, which limits the use, disclosure, and requesting of PHI to the minimum necessary for the intended purpose.
If an organization wishes to share PHI, it should consider employing anonymization methods to reduce the likelihood of personal identifiers remaining in PHI datasets.
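The 18 HIPAA identifiers listed earlier, the minimum necessary standard and the advice to strip identifiers before sharing come together in HIPAA's Safe Harbor de-identification method (45 CFR §164.514(b)(2)). The block below is an added example, not the article's or Privacy Dynamics' code, and it implements Safe Harbor rather than the Expert Determination method the article mentions later. Field names are constructed; the sample record is modelled on the article's PHI sample with the address split into its parts. The list of small three-digit ZIP areas is the one published in HHS guidance from 2000 census figures and is treated here as an assumption to re-check before use.

```python
"""Safe Harbor de-identification and minimum-necessary projection for flat PHI records.

Added example (not the article's or Privacy Dynamics' code). Field names are
constructed; the sample record is modelled on the article's sample PHI record.
"""
import re

# Identifier fields removed outright under Safe Harbor (45 CFR 164.514(b)(2)).
DROP_FIELDS = {
    "name", "telephone", "fax", "email", "ssn", "medical_record_number",
    "health_plan_number", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo",
}
# Geographic units smaller than a state are removed; ZIP codes are generalized instead.
GEO_FIELDS = {"street", "address", "city", "county"}
# 3-digit ZIP areas with 20,000 or fewer residents per HHS guidance (2000 census).
# Assumption: re-check this list against current HHS guidance before relying on it.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}


def generalize_zip(zip_code: str) -> str:
    """Keep the initial three digits unless that area is too small, in which case 000."""
    zip3 = re.sub(r"\D", "", zip_code)[:3]
    return "000" if len(zip3) < 3 or zip3 in RESTRICTED_ZIP3 else zip3


def safe_harbor(record: dict) -> dict:
    """Return a copy with the Safe Harbor identifier categories removed or generalized."""
    age = record.get("age")
    over_89 = age is not None and age > 89
    out = {}
    for key, value in record.items():
        if value in (None, "") or key in DROP_FIELDS or key in GEO_FIELDS:
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "age":
            out["age"] = "90+" if over_89 else value      # ages over 89 are aggregated
        elif key.endswith("_date"):
            # Dates keep only the year; for people over 89 even the year is removed.
            if not over_89:
                out[key[:-5] + "_year"] = str(value)[:4]  # assumes ISO yyyy-mm-dd input
        else:
            # Free-text fields (conditions, notes) can still hold a unique identifier;
            # Safe Harbor's catch-all category means these need a separate review.
            out[key] = value
    return out


def minimum_necessary(record: dict, purpose_fields: set) -> dict:
    """Project a record onto only the fields a stated purpose actually needs."""
    return {k: v for k, v in record.items() if k in purpose_fields}


# Constructed record modelled on the article's sample PHI record.
SAMPLE_PHI = {
    "name": "Jane Doe", "street": "1 Leaf Lane", "city": "New York", "state": "NY",
    "zip": "10002", "email": "jane.doe@privacydynamics.com", "age": 56,
    "birth_date": "1967-09-14", "medical_record_number": "123456",
    "conditions": "Diabetes, asthma", "treatment_plan": "Insulin",
    "health_plan_number": "1234567",
}

if __name__ == "__main__":
    deidentified = safe_harbor(SAMPLE_PHI)
    print(deidentified)
    # A research partner that only needs age and conditions gets exactly that.
    print(minimum_necessary(deidentified, {"age", "conditions"}))
```

The two functions are meant to be applied in that order: de-identify first, then project onto the minimum the recipient needs, so that a field which survives Safe Harbor (a treatment plan, say) is still withheld when the purpose does not call for it.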
Why Does HIPAA Compliance Matter?
HIPAA plays a crucial role in protecting the privacy of individuals by safeguarding healthcare-related information and enforcing security standards that data controllers handling such sensitive information must adhere to.
The federal regulation has established a secure framework and guidance for healthcare organizations and their associates in the United States if they wish to collect, store, analyze, or share personal health information. HIPAA aims to reduce the risk of data breaches and security incidents, as well as build trust in the healthcare system and its handling of sensitive patient data overall.
The majority of healthcare-related companies will need to ensure they reach HIPAA standards, or they risk fines, penalties, and investigations for non-compliance.
How Privacy Dynamics Can Assist You
Achieve HIPAA PHI compliance without impacting existing workflows
As a HIPAA-compliant Business Associate, Privacy Dynamics can provide your organization with the right tools and technologies suitable for processing data in a way that helps you satisfy HIPAA requirements without negatively impacting your engineering teams.
An effective way to reach HIPAA compliance, quickly and effectively, is to de-identify PHI datasets by removing personal markers and identifiers that could unmask individuals.
Privacy Dynamics has developed innovative software solutions that harness automation to securely de-identify PII. We satisfy HIPAA 45 CFR §164.502 and 45 CFR §164.514 by minimizing data while preserving the most important data points in PHI – and at the same time, we pride ourselves on maintaining individual privacy.
With the assistance of our algorithms, we guarantee your organization will achieve compliance with HIPAA’s Expert Determination standard.
Privacy Dynamics experts would be pleased to assist you on this journey. Contact us today.