
Making Sense of IIHI, PHI, and PII in Healthcare

Written and medically reviewed by Dorcas Morak, Pharm.D

Updated on July 21st, 2023


A central requirement of the Health Insurance Portability and Accountability Act (HIPAA) is keeping Protected Health Information (PHI) private and secure. To do that, you first have to know what PHI is. Not all health information is PHI: PHI is a subset of Individually Identifiable Health Information (IIHI), and some IIHI falls outside HIPAA entirely. Likewise, not all personal data is PHI; much of it is simply personally identifiable information (PII), which other laws may or may not protect.

It is easy to get confused about what counts as PHI. Some people assume all health information is PHI, while others think only diagnoses qualify. Neither is right, and the difference matters: it determines which data HIPAA's privacy and security rules apply to.

So, What is Individually Identifiable Health Information (IIHI)?

IIHI is more than just medical details about an individual - it also includes demographic information. For information to qualify as IIHI, it needs to:

  1. Be created or received by healthcare providers, health plans, employers, or healthcare clearinghouses.

  2. Relate to a person's past, present, or future physical or mental health or condition, healthcare services they've received, or payment for healthcare services provided to them.

  3. Either identify the individual, or provide a reasonable basis to believe it could be used to identify them.

What is HIPAA's Definition of Protected Health Information?

Under the HIPAA regulations (45 CFR 160.103), Protected Health Information is IIHI that meets any one of the following:

  1. It is transmitted by electronic media (for example, sent by email).

  2. It is maintained in electronic media (for example, stored on a server).

  3. It is transmitted or maintained in any other form or medium (this includes paper records and the physical places where they are kept).

Because those three cases cover every form a record can take, what actually keeps some IIHI from being PHI is the set of exclusions in the same definition. IIHI is not PHI when it is held in education records covered by FERPA, in employment records that a covered entity holds in its role as an employer, or in records about a person who has been dead for more than 50 years. In practice, IIHI is also only PHI when it is held by a HIPAA covered entity (a provider, health plan, or clearinghouse) or its business associate; the same facts in the hands of, say, a consumer wellness app are identifiable health data but not PHI.

In short, all PHI is IIHI, but not all IIHI is PHI, and only PHI is protected under HIPAA.

The Differences Between IIHI, PHI, and PII

Understanding the distinctions between PII (personally identifiable information), PHI (protected health information), and IIHI (individually identifiable health information) is central to data privacy. PII is the broadest category: any data, sensitive or not, that can identify a person, including tax details, credit card numbers, and Social Security numbers, with no requirement that it relate to health. IIHI is PII that is also health information created or received by one of the entities listed above. PHI is the portion of IIHI that HIPAA covers, and handling it must always comply with the HIPAA Privacy and Security Rules. PII outside healthcare is protected only under specific laws that happen to apply (state privacy statutes, financial-sector rules, and so on), not by HIPAA. Remember: all PHI is IIHI, and all IIHI is PII, but neither relationship runs the other way.

What Makes Health Information Identifiable?

HIPAA's Safe Harbor de-identification standard (45 CFR 164.514(b)(2)) lists eighteen identifiers that make health information identifiable. They must be removed for data to count as de-identified under that method:

  1. Names
  2. All geographic subdivisions smaller than a state, including street address, city, county, precinct, and ZIP code (the first three digits of a ZIP code may be kept if the area sharing those three digits has more than 20,000 people; otherwise they become 000)
  3. All elements of dates, except the year, directly related to an individual, such as birth date, admission date, discharge date, and date of death; plus all ages over 89, and any date element (including year) that would reveal such an age, which must be aggregated into a single "90 or older" category
  4. Telephone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate or license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web URLs
  15. IP addresses
  16. Biometric identifiers, including fingerprints and voice prints
  17. Full-face photographs and any comparable images
  18. Any other unique identifying number, characteristic, or code

When any of these identifiers is attached to health information held by a covered entity or business associate, the result is PHI. Once all eighteen are removed, and the entity has no actual knowledge that the remaining data could still identify the individual, the information is de-identified under the Safe Harbor method and is no longer PHI. HIPAA also allows a second route, Expert Determination, in which a qualified statistician documents that the re-identification risk of a dataset is very small even though some of these elements remain. Note that the eighteen items are a floor, not a checklist of everything that can identify someone: rare diagnoses, unusual free-text details, or a combination of retained fields can still single a person out, which is exactly what item 18 and the "actual knowledge" condition are there to catch.
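To make the Safe Harbor method concrete, here is an added example of a small de-identification pass over a constructed patient record. It is illustration code written for this page, not a tool from the article or from any HIPAA guidance, and it is not a certified de-identification product. It applies the structured-field rules (drop direct identifiers, truncate ZIP codes, keep only years, aggregate ages over 89, including dropping the birth year in that case) and then sweeps free-text notes with regular expressions for the identifiers that most often leak into narrative fields. The restricted three-digit ZIP prefixes are the ones HHS published from the 2000 Census; verify them against current data before relying on them. Names inside free text are deliberately not handled here, because regexes cannot find them reliably; that needs a dictionary or NER step.

```python
"""Safe Harbor de-identification over a constructed record (example code, not from the article)."""
import re
from typing import Dict, List, Pattern, Tuple

# Three-digit ZIP prefixes whose combined population is 20,000 or fewer, per HHS
# Safe Harbor guidance based on the 2000 Census. Safe Harbor requires these to
# become "000". Check against current census data before relying on this set.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Structured fields that must be removed outright (Safe Harbor items 1, 4-18).
DROP_FIELDS = {"name", "phone", "fax", "email", "ssn", "mrn", "plan_id",
               "account", "license", "vin", "device_serial", "url", "ip",
               "biometric", "photo"}
# Geographic subdivisions smaller than a state (item 2, apart from ZIP handling).
GEO_FIELDS = {"street", "city", "county", "precinct"}
# Date fields reduced to year only (item 3); "dob" gets extra handling for age > 89.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}

# Patterns for identifiers that tend to leak into free-text notes. Order matters:
# URLs are consumed before the email pattern can match inside them.
TEXT_PATTERNS: List[Tuple[str, Pattern[str]]] = [
    ("url",   re.compile(r"https?://\S+")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("ssn",   re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")),
    ("phone", re.compile(r"(?<!\d)(?:\(\d{3}\)|\d{3})[-. ]?\d{3}[-. ]?\d{4}(?!\d)")),
    ("ip",    re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")),
    ("mrn",   re.compile(r"\bMRN[:#\- ]*\d+\b", re.IGNORECASE)),
    ("date",  re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b")),
]


def find_identifiers(text: str) -> List[Tuple[str, str]]:
    """Return (category, matched text) for every identifier found in free text."""
    return [(label, m.group(0)) for label, pat in TEXT_PATTERNS for m in pat.finditer(text)]


def scrub_text(text: str) -> str:
    """Replace each identifier in free text with a category placeholder."""
    for label, pat in TEXT_PATTERNS:
        text = pat.sub(f"[{label.upper()}]", text)
    return text


def deidentify(record: Dict[str, object], reference_year: int,
               restricted_zip3=RESTRICTED_ZIP3) -> Dict[str, object]:
    """Apply the Safe Harbor field rules to one record and return a new dict."""
    dob_year = int(str(record["dob"])[:4]) if "dob" in record else None
    age = record.get("age")
    if age is None and dob_year is not None:
        age = reference_year - dob_year          # approximate age from birth year
    over_89 = age is not None and int(age) > 89  # item 3: aggregate ages over 89

    out: Dict[str, object] = {}
    for key, value in record.items():
        if key in DROP_FIELDS or key in GEO_FIELDS:
            continue
        if key == "zip":
            z3 = str(value)[:3]
            out["zip3"] = "000" if z3 in restricted_zip3 else z3
        elif key == "dob":
            if not over_89:                      # birth year would reveal age > 89
                out["birth_year"] = dob_year
        elif key in DATE_FIELDS:
            out[key + "_year"] = int(str(value)[:4])
        elif key == "age":
            out["age"] = "90+" if over_89 else int(value)
        elif key == "notes":
            out["notes"] = scrub_text(str(value))
        else:
            out[key] = value                     # e.g. state, sex, diagnosis code
    return out


# Constructed sample record; not a real patient. ZIP prefix 036 is restricted.
SAMPLE_RECORD: Dict[str, object] = {
    "name": "Jane Q. Example", "dob": "1931-03-14", "age": 92,
    "admit_date": "2023-07-02", "street": "12 Elm St", "city": "Keene",
    "zip": "03601", "state": "NH", "phone": "(603) 555-0147",
    "email": "jane.example@example.com", "mrn": "MRN-4471902",
    "diagnosis": "E11.9",
    "notes": ("Pt called from 603-555-0147, reachable at jane.example@example.com. "
              "Follow-up scheduled 07/21/2023. Portal login from 203.0.113.7."),
}

if __name__ == "__main__":
    for hit in find_identifiers(str(SAMPLE_RECORD["notes"])):
        print("found in notes:", hit)
    print(deidentify(SAMPLE_RECORD, reference_year=2023))
```

Two details are worth noticing when you run it. The sample patient is 92, so the record loses not only the age but also the birth year, which is the part of item 3 that ad hoc scripts most often miss. And the ZIP code collapses to 000 rather than 036 because that prefix is on the restricted list; a scrubber that always keeps three digits is not Safe Harbor compliant.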

As we wrap up our journey into the realm of healthcare data, we hope this deep dive into IIHI, PHI, and PII has left you feeling more confident and informed. The distinctions between these three types of data are critical to understanding how healthcare professionals maintain privacy and adhere to HIPAA regulations.

In essence, all health data is significant, but not all health data is created equal. Remember, while all PHI is IIHI, not all IIHI is PHI. Likewise, PII encompasses a broader spectrum of data beyond healthcare. Whether you're a healthcare provider, patient, or simply an interested party, the importance of understanding these differences cannot be overstated. After all, knowledge is power, especially when it comes to the protection of personal information.

So next time you come across these terms, you'll know exactly what they mean, how they're used, and the regulations that guide them. And remember, in a world where data is increasingly digitized, knowing how to differentiate between IIHI, PHI, and PII is more than just smart - it's a must!
