Direct comparison
PII vs PHI
PII and PHI are related US privacy terms: PII is the broad category of identifying data, while PHI is the narrower, health-specific subset governed by HIPAA.
Side-by-side comparison
| Dimension | PII | PHI |
|---|---|---|
| What it is | Personally identifiable information — any data that can identify a specific individual. | Protected health information — individually identifiable health information held by a HIPAA covered entity. |
| Scope | Broad: spans any context where identifying data appears. | Narrow: a health-context subset of PII. |
| Governing framework | No single US law; guided by NIST SP 800-122 and various sector rules. | Governed specifically by US HIPAA. |
| Context required | Context-independent — identifying data is PII wherever it sits. | Context-bound — must be held or transmitted by a covered entity or business associate. |
| Type of data | Any identifier: name, national insurance number, email, quasi-identifiers. | Health, care or payment-for-care data linked to a person. |
| Identifier list | No fixed universal list; depends on guidance and context. | 18 HIPAA identifier categories. |
| Relationship | The broader umbrella category. | A subset: all PHI is PII, not all PII is PHI. |
| De-identification | Generally achieved by removing or obscuring identifiers. | HIPAA Safe Harbor (remove 18 identifiers) or Expert Determination. |
| EU equivalent | Roughly corresponds to GDPR personal data (which is broader). | Health data as special category data under GDPR Article 9. |
Common questions
FAQ
Is all PHI also PII?
Yes. PHI is a subset of PII: it is identifiable information that happens to be health-related and held by a HIPAA covered entity. So all PHI qualifies as PII, but most PII — such as financial or contact data outside healthcare — is not PHI.
What makes health data become PHI rather than just PII?
Health information becomes PHI when it is individually identifiable and is created, held or transmitted by a HIPAA covered entity or its business associate. The same health fact held outside that covered context is identifying data, and may be PII, but is not PHI in the HIPAA sense.
How do PII and PHI map to GDPR terms?
PII roughly corresponds to GDPR’s broader concept of personal data, though personal data is generally wider. PHI maps to health information, which GDPR treats as special category data under Article 9, attracting extra protection.