What is PII in Healthcare?

What is PII in Healthcare - hipaaguide.net

PII in healthcare stands for Personally Identifiable Information – the type of information not covered by the HIPAA Privacy Rule unless it is maintained in the same designated record set as Protected Health Information (PHI). The difference between what is PII in healthcare and what is PHI in healthcare can be a source of confusion for both providers and patients.

To help explain what PII in healthcare is, it is best to start with an explanation of what a designated record set is. According to the definition provided by HIPAA (45 CFR §164.501), a designated record set is a group of medical and/or billing records maintained by or on behalf of a covered entity that is used to make decisions about individuals.

In plain terms, this means that a designated record set includes information about an individual’s health, the diagnoses of health conditions, treatments for the health conditions, and/or payment for the treatments – effectively the definition of individually identifiable health information provided by HIPAA (45 CFR §160.103).

The HIPAA definition of a designated record set concludes by stating the term means “any item, collection, or grouping of information that includes Protected Health Information and is maintained, collected, used, or disseminated by a covered entity” – implying that a designated record set can consist of hundreds of records or just one record.

For example, when a physician reviews a patient’s medical history, the history could include decades of examinations, tests, diagnoses, treatments, and outcomes. Conversely, a photo of a newborn child on a physician’s baby wall is a designated record set in its own right because the photo includes individually identifiable health information about a past medical event.

Designated Record Sets, PHI, and PII

From the above explanation, any individually identifiable health information maintained in a designated record set qualifies as PHI when it is created or received by a covered entity or business associate and when it does not meet the criteria for exemption (i.e., records covered by FERPA, records maintained by an employer in their role as an employer, etc.).


Because individually identifiable health information is defined as information about an individual’s health, treatment, or payment that also identifies the individual (the definition joins the two elements with “and”), any individually identifiable non-health information maintained in the same designated record set (i.e., name, contact details, etc.) assumes the same protections as PHI.

However, when individually identifiable non-health information is maintained in a separate database that does not include health information, it does not assume the same protections as PHI. In these cases, the information is referred to as PII in healthcare. PII is still protected (usually by state laws), but it does not have the same limitations on uses and disclosures as PHI.

Examples of PII in Healthcare

There are many examples of when individually identifiable non-health information qualifies as PII in healthcare. These start when a new patient contacts a healthcare facility for the first time. Usually the patient’s name and contact details are recorded by an online form or during a voice conversation without any health or payment information being disclosed by the patient.

Non-health information may then be maintained in a separate database so it can be accessed to schedule appointments, arrange home visits, conduct marketing activities, etc. This enables these activities to take place without giving non-medical members of the workforce access to an EHR or other designated record set that contains the patient’s health history.

In personal circumstances, physicians may maintain a separate database of patients they play golf with, or midwives may maintain a list of dates of birth for the children they have delivered in order to send birthday cards. In addition, parking systems that record vehicle license plates as patients enter and leave the hospital also create databases of non-health information.

Why You Should Understand What PII in Healthcare Is

Because the difference between PII in healthcare and PHI in healthcare can be a source of confusion for patients, it helps if healthcare providers can explain the difference to patients in order to avoid unjustified complaints about unauthorized disclosures. Unjustified complaints not only waste the time of organizations’ Privacy Officers, but can also prompt a HIPAA compliance investigation by HHS’ Office for Civil Rights.

Before healthcare providers can explain the difference to patients, they must themselves know what PII in healthcare is. Consequently, HIPAA covered entities and business associates should make sure that HIPAA training includes a full explanation of what is considered PHI under HIPAA, so that healthcare providers do not themselves confuse PII in healthcare with PHI in healthcare.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/