“PII” stands for personally identifiable information. Hackers often target personally identifiable information for a variety of reasons: to steal a customer’s identity, take over an account, launch a phishing attack, or damage an organization. As a result, there is a multitude of regulations concerning PII protection.
Before your company sets out to meet these regulations, it is important to have a firm understanding of the data you will be protecting. In this guide, we go through what is and is not personally identifiable information, and how the definition differs between the healthcare and security sectors.
What is considered PII?
There are many definitions of PII, depending on the industry in which you are working; healthcare and cybersecurity each have their own. In cybersecurity, the definition most often cited is the one in NIST's glossary (taken from OMB Circular A-130): “any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.”
That definition is deliberately broad, and it gets more complicated when you consider that PII is usually split into “non-sensitive” and “sensitive”. Non-sensitive PII is information that is also available from public sources such as phone books, the Internet, and corporate directories. Non-sensitive PII, also called indirect PII, can include the following data:
- Race
- Gender
- Date of birth
- Place of birth
- Religion
Sensitive PII includes information such as:
- Full name
- Social Security Number (SSN)
- Passport numbers
- Credit card number
- Financial information like taxpayer ID numbers or routing numbers
The line between sensitive and non-sensitive PII is not always clear, and courts do not always follow lists like the ones above. Some sources put ZIP code under non-sensitive PII, but the California Supreme Court ruled in 2011 (Pineda v. Williams-Sonoma) that a ZIP code is personal identification information under the state's Song-Beverly Credit Card Act, and the Massachusetts Supreme Judicial Court reached the same conclusion in 2013 (Tyler v. Michaels Stores) under that state's credit card statute.
Regardless of whether data is non-sensitive or sensitive, your company must keep personal, linkable information secure from bad actors.
PII in healthcare
In healthcare, the relevant term is Protected Health Information (PHI). Unlike PII, which is governed by a patchwork of regulations around the world, PHI is defined by a single US law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the Privacy and Security Rules issued under it.
Simply put, the same data is PII anywhere, but it is PHI only when it relates to a person's health, care, or payment for care and is held by a HIPAA covered entity (a health plan, healthcare clearinghouse, or provider) or one of its business associates.
HIPAA also defines a third term, individually identifiable health information (IIHI): information, including demographic data, that relates to a person's health condition, treatment, or payment and identifies the person or could reasonably be used to do so. PHI is IIHI that a covered entity or business associate creates, receives, maintains, or transmits in any form, with a few exclusions such as employment records the entity holds as an employer and education records covered by FERPA.
HIPAA's Privacy Rule also gives a concrete test for when health data stops being PHI. Under the “Safe Harbor” de-identification method (45 CFR 164.514(b)(2)), a record is no longer PHI once the following 18 identifiers of the individual (and of relatives, employers, and household members) have been removed, provided the covered entity has no actual knowledge that what remains could still identify the person:
- Names (of patients, relatives, or employers)
- Social security numbers
- Device identifiers and serial numbers
- All geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code); the first three digits of a ZIP code may be kept only where the area sharing that prefix has more than 20,000 people, otherwise they become 000
- Medical record numbers
- Web Universal Resource Locators (URLs)
- All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date, and date of death; and all ages over 89, plus any date element (year included) that would reveal such an age, unless aggregated into a single “90 or older” category
- Health plan beneficiary numbers
- Internet Protocol (IP) address numbers
- Telephone numbers
- Account numbers
- Biometric identifiers, including finger and voiceprints
- Fax numbers
- Certificate/license numbers
- Full face photographic images and any comparable images
- Electronic mail addresses
- Vehicle identifiers and serial numbers, including license plate numbers
- Any other unique identifying number, characteristic, or code
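The 18 identifiers above are a removal procedure as much as a list, and a few of them are not simply deleted: dates keep their year, ages over 89 are pooled, and ZIP codes keep a three-digit prefix only where that prefix is populous enough. The following Python is an added example written for this page, not HIPAA text and not Nightfall's product code. The field names, the reference date `AS_OF`, the sample patient records, and the `SPARSE_ZIP3` subset are assumptions constructed for illustration; a real deployment needs the full list of sparse ZIP prefixes from current Census data. Anything the function does not recognise is dropped rather than passed through, which is how it handles the catch-all 18th identifier.

```python
from datetime import date
from typing import Dict, List, Tuple

# Fields allowed through unchanged because they are not Safe Harbor identifiers.
# Everything not listed here or handled in deidentify() is dropped; that default
# covers the 18th identifier, "any other unique identifying number, characteristic, or code".
ALLOWED_AS_IS = {"sex", "state", "diagnosis_code"}

# Event dates keep only the year. Birth dates are handled separately (see below).
EVENT_DATES = {"admission_date", "discharge_date", "death_date"}

# Three-digit ZIP prefixes whose area holds 20,000 or fewer people must become "000".
# Constructed, illustrative subset; a real deployment needs the full list from Census data.
SPARSE_ZIP3 = {"036", "059", "063", "102"}


def zip_to_safe_harbor(zip_code: str) -> str:
    """Keep the first three digits unless that prefix area is too sparsely populated."""
    prefix = zip_code.strip()[:3]
    return "000" if prefix in SPARSE_ZIP3 else prefix


def age_on(born: date, as_of: date) -> int:
    """Completed years of age on the as_of date."""
    return as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))


def deidentify(record: Dict[str, str], as_of: date) -> Tuple[Dict[str, str], List[str]]:
    """Apply the Safe Harbor rules to one record.

    Returns the de-identified record and the names of the fields that were dropped.
    Ages over 89 are pooled into a single "90+" group and the birth year is
    suppressed for them, because a year of birth alone would reveal such an age.
    """
    out: Dict[str, str] = {}
    dropped: List[str] = []
    for key, value in record.items():
        if key in ALLOWED_AS_IS:
            out[key] = value
        elif key == "birth_date":
            born = date.fromisoformat(value)
            if age_on(born, as_of) > 89:
                out["age_group"] = "90+"
            else:
                out["birth_year"] = str(born.year)
        elif key in EVENT_DATES:
            out[key.replace("_date", "_year")] = str(date.fromisoformat(value).year)
        elif key == "zip":
            out["zip3"] = zip_to_safe_harbor(value)
        else:
            # names, MRNs, contact details, IPs, device serials, and anything unrecognised
            dropped.append(key)
    return out, dropped


# Assumed reference date and constructed sample records (not real patients).
AS_OF = date(2024, 1, 1)
PATIENT_90PLUS = {
    "name": "Jane Doe",
    "mrn": "MRN-0042",
    "birth_date": "1931-03-15",
    "admission_date": "2023-11-02",
    "discharge_date": "2023-11-09",
    "zip": "10301",
    "state": "NY",
    "sex": "F",
    "diagnosis_code": "I10",
    "email": "jane@example.org",
    "ip_address": "203.0.113.7",
    "wearable_serial": "SN-8899",
}
PATIENT_YOUNG = {
    "name": "John Roe",
    "birth_date": "1990-06-30",
    "zip": "03601",
    "state": "NH",
    "phone": "555-0102",
}

if __name__ == "__main__":
    for rec in (PATIENT_90PLUS, PATIENT_YOUNG):
        kept, dropped = deidentify(rec, AS_OF)
        print(kept, "dropped:", dropped)
```

Returning the dropped field names alongside the cleaned record lets a reviewer confirm that a new, unexpected column (the `wearable_serial` in the sample) was removed rather than silently passed through; an allowlist of what may survive is safer than a denylist of what must go, because the 18th identifier is open-ended.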
HIPAA's Security Rule then requires covered entities and business associates to safeguard the confidentiality, integrity, and availability of the electronic PHI they create, receive, maintain, or transmit.
What is not considered PII?
Non-PII is information that cannot be used to identify someone. A single non-sensitive attribute held in isolation, such as a gender or a job title with nothing else attached to it, does not identify anyone and is not treated as PII.
“Info such as business phone numbers and race, religion, gender, workplace, and job titles are typically not considered PII,” wrote one expert. “But they should still be treated as sensitive, linkable info because they could identify an individual when combined with other data.”
Often, how you store and use a customer’s information determines whether it needs PII protections. If you store someone’s date of birth, full name, and address in the same customer record as their business phone number, that information would all be considered PII.
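The distinction drawn in the sensitive and non-sensitive lists earlier, and the point just made about storage context, can be turned into a record-level check: one direct identifier makes a record sensitive PII on its own, while several non-sensitive attributes stored together make it linkable PII. The following Python is an added example written for this page, not Nightfall's product code. The field names, the two-quasi-identifier threshold, and the sample records are assumptions constructed for illustration. The validity rules it applies are real: the SSA never issues area numbers 000, 666 or 900-999, group number 00, or serial 0000, and payment card numbers satisfy the Luhn checksum, so placeholder values are not flagged as PII.

```python
import re
from typing import Dict, List, Tuple

# Field names treated as direct identifiers on sight (the "sensitive PII" list:
# full name, passport, taxpayer ID, routing number). SSNs, card numbers and e-mail
# addresses are detected from the value instead, so placeholders are not flagged.
DIRECT_BY_NAME = {"full_name", "passport_number", "taxpayer_id", "routing_number"}

# Attributes that are "non-sensitive" alone but become linkable PII when stored together.
QUASI_IDENTIFIERS = {"race", "gender", "date_of_birth", "place_of_birth", "religion", "zip_code"}

# Assumption for this example: two or more quasi-identifiers in one record are
# enough to single a person out, so the record is handled as PII.
LINKABLE_THRESHOLD = 2

SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum that real payment card numbers satisfy (13 to 19 digits)."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def looks_like_ssn(value: str) -> bool:
    """Format plus SSA issuance rules: area 000, 666 or 900-999, group 00 and
    serial 0000 are never assigned, so such values are placeholders, not PII."""
    m = SSN_RE.match(value.strip())
    if not m:
        return False
    area, group, serial = m.groups()
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"


def looks_like_card(value: str) -> bool:
    """Card numbers may be written with spaces or dashes; validate the digits with Luhn."""
    return luhn_ok(re.sub(r"[ -]", "", value.strip()))


def classify_field(name: str, value: str) -> str:
    """Return 'direct', 'quasi' or 'none' for a single field."""
    v = value.strip()
    if not v:
        return "none"
    if name in DIRECT_BY_NAME or looks_like_ssn(v) or looks_like_card(v) or EMAIL_RE.match(v):
        return "direct"
    if name in QUASI_IDENTIFIERS:
        return "quasi"
    return "none"


def classify_record(record: Dict[str, str]) -> Tuple[str, List[str]]:
    """Classify a whole record and report which fields drove the decision:
    'sensitive' if any direct identifier is present, 'linkable' if enough
    quasi-identifiers are stored together, otherwise 'non-pii'."""
    direct = [k for k, v in record.items() if classify_field(k, v) == "direct"]
    if direct:
        return "sensitive", direct
    quasi = [k for k, v in record.items() if classify_field(k, v) == "quasi"]
    if len(quasi) >= LINKABLE_THRESHOLD:
        return "linkable", quasi
    return "non-pii", []


# Constructed sample records (not real people).
CUSTOMER = {
    "full_name": "Alice Example",
    "email": "alice@example.org",
    "business_phone": "+1 555 0100",
    "date_of_birth": "1984-07-19",
    "zip_code": "94105",
    "ssn": "123-45-6789",
    "credit_card": "4111 1111 1111 1111",
}
SURVEY = {"gender": "F", "religion": "none", "zip_code": "94105"}
DIRECTORY = {"business_phone": "+1 555 0100", "job_title": "Engineer", "workplace": "Example Corp"}
PLACEHOLDER = {"ssn": "000-00-0000", "credit_card": "1234 5678 9012 3456"}

if __name__ == "__main__":
    for label, rec in [("customer", CUSTOMER), ("survey", SURVEY),
                       ("directory", DIRECTORY), ("placeholder", PLACEHOLDER)]:
        print(label, classify_record(rec))
```

The survey record contains nothing from the sensitive list, yet gender, religion and ZIP code stored together are enough for the check to mark it linkable, which is the storage-context point above; the directory record with only a business phone and job title is left as non-PII, and the placeholder record shows why value validation matters in a scanner.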
Protecting PII
There is a web of different standards and regulations mandating the protection of personally identifiable information, and many of them carry penalties if your business fails to adequately safeguard PII and PHI. Beyond compliance, protecting PII is central to building trust with your clients and customers. Learn about PII compliance in our guide, “What Is PII Compliance? Requirements, Checklist & Best Practices.”
And, to get started with Nightfall, schedule a demo at the link below.