Differences Between PHI and PII and How they Impact HIPAA Compliance
HIPAA (Health Insurance Portability and Accountability Act) compliance is required of pharmacies, like CVS, Walgreens, and Rite Aid, medical facilities, health plans, and any other organization that gathers, stores, or transmits personal medical information on their behalf. To remain HIPAA compliant, these establishments must keep their customers' health information, including what prescriptions or other medications they are taking, private.
To keep the personal data of their customers safe, pharmacists must understand the differences between protected health information (PHI, often expanded informally as personal health information) and personally identifiable information (PII), and how both of them relate to HIPAA compliance.
What is PHI?
PHI is any health-related information about an individual's past, current, or future condition, treatment, or payment for care that also contains data linking those medical records back to the individual they refer to. In other words, lab test results that have been de-identified for a research study are not PHI, because they no longer contain anything that identifies the person the results belong to, but your personal medical history is PHI and must be protected in accordance with HIPAA regulations.
Medical records that contain one or more of the following identifiers (HIPAA's Safe Harbor list) are considered PHI and must be kept private.
- Names
- Social Security numbers
- Telephone or fax numbers
- Dates directly related to the individual (birth, admission, discharge, death), except those that only list the year
- Geographic data smaller than a state, including, but not limited to, home addresses
- Email addresses
- Account numbers
- Medical record numbers
- Health plan ID numbers
- Numbers listed on any certificates or licenses, including driver's licenses, passports, and visas
- Vehicle VINs or license plate numbers
- Web URLs or IP addresses
- Serial numbers from medical devices, those used to treat an individual or those implanted into an individual
- Facial photographs or any photographs of uniquely identifiable features like tattoos, scars, or birthmarks
- Biometric identifiers including fingerprints and retinal scans
- Any code or number that is unique to the individual
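The list above is also the checklist a system uses to decide whether a record is PHI and to strip it down to the de-identified form HIPAA's Safe Harbor method allows. The Python below is an added example, not code from the original article or from rxless: it flags a record as PHI when any listed identifier is present (in a named field or hidden inside free text), reduces dates to the year, keeps geography only at the state level, and drops everything else on the list. The field names, the regular expressions, and the sample record are assumptions for illustration, and "name" is included because the Safe Harbor list contains it even though the article's list omits it.

```python
import re
from datetime import date, datetime

# Record fields that are direct identifiers, mapped to the category from the
# list above. Field names are an assumption about the record layout.
IDENTIFIER_FIELDS = {
    "name": "name",
    "ssn": "Social Security number",
    "phone": "telephone number",
    "email": "email address",
    "street": "geographic data below state level",
    "zip": "geographic data below state level",
    "account_number": "account number",
    "mrn": "medical record number",
    "health_plan_id": "health plan ID number",
    "drivers_license": "certificate or license number",
    "device_serial": "device serial number",
    "photo": "full-face photograph",
    "fingerprint": "biometric identifier",
}

# Date fields are allowed only once reduced to the four-digit year.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}

# Identifiers that tend to hide in free-text fields such as clinical notes,
# with the replacement used when de-identifying (dates are cut down to the year).
FREE_TEXT_RULES = [
    ("Social Security number", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    ("telephone number", re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
    ("email address", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "[EMAIL]"),
    ("IP address", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    ("web URL", re.compile(r"https?://\S+"), "[URL]"),
    ("date more specific than year", re.compile(r"\b(\d{4})-\d{2}-\d{2}\b"), r"\1"),
]


def _year_only(value):
    """True when a date value has already been reduced to a four-digit year."""
    if isinstance(value, (date, datetime)):
        return False
    return re.fullmatch(r"\d{4}", str(value)) is not None


def _to_year(value):
    """Reduce a date object or an ISO-style 'YYYY-MM-DD' string to its year."""
    if isinstance(value, (date, datetime)):
        return str(value.year)
    match = re.match(r"\d{4}", str(value))
    return match.group(0) if match else None


def find_identifiers(record):
    """Return the set of identifier categories present in a record.

    An empty set means no listed identifier remains. Names written inside
    free text are NOT caught by these patterns; that needs an entity recognizer.
    """
    found = set()
    for field, value in record.items():
        if value in (None, ""):
            continue
        if field in IDENTIFIER_FIELDS:
            found.add(IDENTIFIER_FIELDS[field])
        elif field in DATE_FIELDS:
            if not _year_only(value):
                found.add("date more specific than year")
        elif isinstance(value, str):
            for label, pattern, _ in FREE_TEXT_RULES:
                if pattern.search(value):
                    found.add(label)
    return found


def is_phi(record):
    """Health data plus at least one listed identifier is PHI."""
    return bool(find_identifiers(record))


def deidentify(record):
    """Safe Harbor style: drop identifier fields, reduce dates to the year,
    redact identifier patterns inside free text. Returns a new dict."""
    clean = {}
    for field, value in record.items():
        if field in IDENTIFIER_FIELDS:
            continue  # dropped outright
        if field in DATE_FIELDS:
            clean[field] = _to_year(value)
        elif isinstance(value, str):
            for _, pattern, replacement in FREE_TEXT_RULES:
                value = pattern.sub(replacement, value)
            clean[field] = value
        else:
            clean[field] = value
    return clean


# Constructed sample record for the demonstration (not real patient data).
SAMPLE_RECORD = {
    "name": "Jane Q. Public",
    "ssn": "123-45-6789",
    "dob": "1984-03-12",
    "street": "12 Main St",
    "state": "OH",
    "mrn": "MRN-0099812",
    "diagnosis": "Type 2 diabetes",
    "prescription": "metformin 500 mg",
    "note": "Patient called from 555-123-4567 on 2023-11-02; email jane@example.com",
}
```

Running `deidentify(SAMPLE_RECORD)` leaves only the state, the birth year, the diagnosis, the prescription, and a note with the phone number and email redacted and the visit date cut to its year; `is_phi` on the result is false. The free-text scan is the weak spot in practice: a patient's name or street written into a note slips past the regular expressions, which is why de-identification pipelines pair rules like these with named-entity recognition or with the expert-determination route instead of relying on Safe Harbor patterns alone.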
What Is PII?
PII is defined by the Department of Homeland Security as, "any information that permits the identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual." In other words, all of the above-listed information is considered PII.
PII as a whole is not protected from release by any single government regulation the way PHI is. Outside sector-specific laws, it is the responsibility of the individual and the organizations they interact with to keep this information confidential. The moment the same information is linked in any way to the person's medical records, however, it becomes PHI and HIPAA applies.
PHI, PII, and HIPAA
As far as HIPAA regulations are concerned, PHI and PII are inseparable: PHI is any medical information that contains even one of the listed PII identifiers. Since any records gathered, stored, or transmitted by medical facilities and pharmacies must contain some way to identify the customer they refer to, all medical data should be considered PHI except in very specific cases, such as data that has been de-identified for research by removing every identifier on the list.
In order to remain HIPAA compliant, any organization that handles PHI, including medical facilities, pharmacies, and the business associates that provide data storage and transmission for them, must not disclose this information to anyone other than the individual it pertains to without that individual's written authorization, apart from the uses HIPAA itself permits, such as treatment, payment, and healthcare operations.
At rxless, we prioritize your PII and PHI privacy. The rxless platform allows you to search millions of prescription medication prices online and offline without giving up your personal information. We guarantee never to share, sell, or otherwise disclose your private data to any third parties.