In this month's Compliance Corner, Practice Mechanic Rick Garofolo explains the difference between PII and PHI, and shows why we need to recognize the difference.
At least once a day someone asks me the difference between Protected Health Information (PHI) and Personally Identifiable Information (PII). In a dental office, we have both and have to protect both with the same level of care. Other businesses, like banks and financial institutions, have similar rules regarding PII, but we in the dental and medical fields are lucky enough to have HIPAA. That means we get to protect not only PII but also PHI.
So, what is the difference?
Personally Identifiable Information, or PII, is any data that can be used to contact, locate, or identify a specific individual. This data can be used by itself or combined with other easily accessible sources, like the internet.
Here's a look at data elements that might be used to identity an individual include:
These are all considered PII. We have relied on PII for a long time, but protecting it has become a bigger concern lately due to increased hacking incidents. Advances in technology and widespread use of computers require that we take even more safeguards to protect our patients' PII. Trojan horse viruses, ransomware, spyware, and malware create opportunities for people to steal PII, and PHI.
HIPAA guidelines require that we take all possible reasonable and appropriate safeguards to protect this information. Things like anti-virus software, not allowing your team to check personal email on a work computer, and not allowing anyone other than a network administrator to install any program on a work station in your office.
Personal Health information, PHI, is something we are likely more familiar with. PHI is information that is created, transmitted, received, or maintained by a covered entity — your dental office — that is related to any of the following:
These things must be accompanied by an identifier, or PII, like name, address, social security number, email address, or geographic subdivision smaller than a state — like county, parish, or town — as well as many others.
So, if your patient's name is on their chart, it is PHI. Email address connected to their account? PHI. Phone number? Yep! Full-face photograph? You guessed it!
So, why has this recently become not only an important part of HIPAA compliance, but something that many governments are putting extreme concentration on? In short, collecting and selling PII on a legal basis is a very profitable business. I get emails all the time from people selling a list of 100,000 dentists email addresses for $1,000. Not a bad deal if I get some new business out of it, but also a huge violation of most email systems' Terms and Conditions. I can not use purchased email lists.
However, many marketing companies will use purchased email lists — that is where SPAM comes from. Lets forget about SPAM emails for a minute and go deeper. There are countries that do not have privacy laws where its perfectly legal to market to people with stolen information. Think about the ramifications of someone finding out that I have a prescription for a blood thinner. Suddenly I am getting tons of mailers and emails about other brands that I should ask my doctor about.
Have you ever gotten one of those and wondered how they knew? Somewhere, some office with your medical history had a breach — reported or not — and that is where they got the info. Selling other people's personal information is an incredibly lucrative profession, legal or not. In fact, the illegal ones are even more profitable than the legal ones.
Please take the safeguarding of this information seriously. Protect your patients’ data with the same care that you would want your doctor to protect yours with. Put policies in place, enforce them and make sure that you know what PII is, what PHI is, and equally as important, what is not!
Learn more about how RevenueWell improves case acceptance and creates more close-knit relationships between dentists and their patients.