Awareness article
PII Meaning and Examples
A plain-language definition of PII, how it differs from PHI, and why the distinction matters for healthcare teams.
Short answer
PII stands for Personally Identifiable Information — any data that can identify a specific individual. In healthcare, PII and PHI overlap significantly, but PHI is the stricter category governed by HIPAA. Understanding both terms helps clinic staff correctly classify data and apply the right protections.
PII stands for Personally Identifiable Information. It refers to any data point or combination of data points that can be used to identify a specific individual. The term is used across government, privacy law, and technology — most prominently in the NIST Special Publication 800-122 framework and in state privacy regulations.
What counts as PII
Common PII examples include:
- Full name
- Date of birth
- Home or email address
- Phone number
- Social Security number
- Passport or driver’s license number
- IP address
- Biometric data (fingerprints, facial images)
- Device identifiers
Any one of these, or a combination of less-obvious fields that together identify a person, qualifies as PII. Context matters: a first name alone is usually not PII, but a first name plus a birthdate plus an employer can be.
How PII and PHI relate
In healthcare, PII and PHI overlap substantially. The table below shows the relationship:
| Category | Identifies a person | Involves health/payment | Governed by |
|---|---|---|---|
| PII (general) | Yes | Not required | State law, FTC, sector rules |
| PHI | Yes | Yes | HIPAA Privacy + Security Rules |
| ePHI | Yes | Yes (electronic) | HIPAA Security Rule |
PHI is the stricter, narrower category. When patient PII appears alongside a diagnosis, appointment, or billing record, the entire record becomes PHI and HIPAA applies.
PII that is not PHI in a clinic setting
Not everything in a clinic’s systems is PHI. Examples of PII that may fall outside HIPAA:
- Staff names, addresses, and Social Security numbers in HR records (covered by employment law, not HIPAA)
- Vendor contact information
- A patient’s name in a generic marketing list not tied to care or payment
Even when data does not meet the PHI definition, it may still require protection under state breach notification laws. Clinics in California, for example, face obligations under the California Consumer Privacy Act for certain PII.
Why the distinction matters for healthcare teams
Healthcare staff often encounter the term PII in security training, vendor documentation, and state regulations. The safest operating rule: if the PII relates to a patient’s health or billing, treat it as PHI and apply HIPAA controls.
For the full breakdown of what makes information identifiable, see 18 HIPAA Identifiers. For a direct comparison of PHI and PII in workflow terms, see PHI vs PII.
PHIGuard applies PHI-level controls to all patient-linked data in the platform. A BAA is included at every pricing tier, regardless of whether the data would be technically classified as PII or PHI.