What is PII and PHI? Why is it Important?
The federal government requires organizations to identify PII (personally identifiable information) and PHI (protected health information) and handle them securely. Any unauthorized release of this data could result in severe repercussions for the individual whose information has been compromised, as well as for the government entity responsible for safeguarding that information. Given the importance of PII and PHI, the government wants to govern their usage more efficiently. The first step to keeping this information safe is understanding as much as possible about what it is and how important it can be.
Personally Identifiable Information
PII, or personally identifiable information, is any data that can be used to contact, locate or identify a specific individual, either by itself or combined with other sources that are easily accessed. It can include information that is linked to an individual through financial, medical, educational or employment records. Some of the data elements that might be used to identify a certain person could consist of fingerprints, biometric data, a name, telephone number, email address or social security number. Safeguarding PII and other sensitive information is the responsibility of federal agencies.
Though society has relied upon PII for some time, protecting it has become more important recently, mainly due to increased hacking scandals. Now that computer advances and technology improvements are taking place, the protection of PII is essential for all organizations. Some of the laws that are related to different forms of PII include HIPAA, the Privacy Act, GLBA, FERPA, COPPA, and FCRA.
These laws are utilized as an important way of attempting to ensure that corporations are restricted from sharing personal information with other parties. They also provide requirements for protecting that information in the most appropriate manner.
Examples of PII
Although collecting and selling PII on a legal basis has been identified as a profitable option, it can also be exploited by malicious individuals or criminals who want to commit crimes or steal a person’s identity. According to statistics given by the FBI, identity theft is still regarded as one of the fastest growing crimes in the nation, capable of causing significant emotional and financial damage to all of its victims. Due to the threat posed, many governments have created legislation to limit how personal information is distributed. Some examples of what may be identified as PII include:
- A personal identification number, such as a driver’s license number, passport number, patient identification number, credit card number or social security number.
- A name, including the full name of the individual, their maiden name or mother’s maiden name, and any alias they may use.
- Asset information, such as a MAC address or IP address, as well as other static identifiers that could consistently link to a particular person.
- Address information, like email addresses or street addresses, and telephone numbers for business or personal use.
- Biological or personal characteristics, such as an image of distinguishing features, fingerprints, x-rays, voice signature, retina scan, or geometry of the face.
- Information about an individual that is linked to their place of birth, date of birth, religion, activities, geographical indicators, educational, financial, or medical data.
Under certain circumstances, one or two pieces of data can be brought together with other easily accessible information to create a vulnerability for someone’s identity, even if the pieces of data seem harmless by themselves.
Protected Health Information
HIPAA, or the Health Insurance Portability and Accountability Act, has required certain security regulations to be adopted for protected health information. Often, PHI is regarded to be any health information that is individually identifiable, and created or received by a provider of health care, a health plan operator, or health clearinghouse. The information might relate to an individual’s present, past or future health, either in physical or mental terms, as well as the current condition of a person. Generally, PHI can be used to identify a specific individual, and it refers to data that is either maintained or transmitted in any given form, including speech, paper, or electronic form.
PHI does not refer to the education records that are covered by the Family Educational Rights and Privacy Act. Nor does it refer to any employment records that are maintained by a covered entity in that entity’s role as a person’s employer. The regulations typically refer to a number of different fields which might be utilized to identify a person, including:
- All dates directly linked to an individual, including date of birth, death, discharge, and administration.
- Telephone and fax numbers
- Email addresses and geographic subdivisions such as street addresses, zip codes and county.
- Medical record numbers, and health plan beneficiary numbers.
- Certificate numbers or account numbers
- Social security numbers, or vehicle identifiers
- Biometric identifiers, including voice or fingerprints.
- Photographic images of the full face or recognizable features
- Any unique number-based code or characteristic