Introduction to Personally Identifiable Information


Author, D.K. Carr & Associates

Introducing Personally Identifiable Information, or PII, for short. Forty-eight states now have privacy laws that require business to protect a consumers Personally Identifiable Information or PII. This is already established in healthcare, as we are required to safeguard patients “Protected Health Information”, or “PHI”. Any information, or combination of information that could possibly be used to identify individuals should be protected.

Healthcare entities have been required to secure patients Protected Health Information or PHI since 1996 under the Health Insurance Portability and Accountability Act. However, considering recent data breaches like we’ve seen with Equifax and Uber, forty-eight states and three territories have enacted privacy laws meant to protect general consumers. In fact, as of March 2018, a bill was introduced to make Alabama the forty-ninth state to enact privacy laws requiring business entities to protect consumers PII. Senator Bill Nelson (D) of Florida upheld the current trend in privacy protection by introducing a bill in November of 2017 that would federally require businesses to report any sort of data breach that compromises PII not only to their customers, but the government as well.

So, what is considered Personally Identifiable Information?

Simply, any information that could identify or locate an individual. In most states, this is considered the First Name or Initial in combination with any of the following:

  • Address
  • Phone Number
  • SSN
  • Account Numbers
  • Email Address
  • DOB
  • Vehicle Information
  • Digital Signature
  • Any Medical Records
  • Finger Prints
  • a physical image
  • Retina scans
  • Iris scans, etc.

This trend in data privacy protection brings a new level of vulnerability to medical practices. Protocol states that in the event of a theft or data breach that compromises PHI, the practice must report to the Office of Civil Rights. The fines for failing to safeguard this sensitive information can be up to $50,000 per record. Now, because most medical practices are also considered by states to be businesses, that sensitive information is also treated as PII. This means that the state government can fine, and in some cases, impose jail time when an executive (Doctor) fails to safeguard and report a data breach in a timely manner. To complicate the issue further, several states strive to protect their citizens beyond state lines. For example, if you are a New York resident, but you visit a business or medical practice in Florida that experiences a data breach, said practice is required to notify you in accordance with both Florida laws, and New York laws. Practices that have patients that primarily reside within the European Union may be subject to the newly enacted General Data Protection Requirements or GDPR. This requires that any business providing services to EU residents, including healthcare providers, will insure that adequate security controls are in place. This includes data encryption at rest and in transit, backups, redundancy, and intrusion detection mechanisms to ensure that data is not compromised in any way.

Cyber attacks are quickly becoming the new battle ground, and the risks will only increase as new technology is introduced. As a result, businesses, including healthcare entities must implement a comprehensive security plan. This requires a well educated team, recognized security controls, and continuous system monitoring and training. The consequences of failing to protect PHI and PII could be too great to recover from.


Debi Carr is the CEO of D. K. Carr and Associates, LLC a Security and HIPAA Consulting Firm. She has over 23 plus years of dental practice management experience and over 30 years of experience in technology and security. She assists dentist in obtaining and maintaining HIPAA Compliance including performing annual risk analysis and team security awareness training. She also leads a team of security professionals that respond to cyber-attacks. Debi holds several certifications including HealthCare Information Security and Privacy Practitioner, Certified Associate Healthcare Information and Management Systems provider, HIPAA Certified Professional, Certified Ethical Associate-IT. She is a member of AADOM, ADMC, HIMSS, and ISC2.

DISCLAIMER: This article is provided for informational purposes only. It is not intended as legal advice nor does it create any relationship between NEA and any readers or recipients. This article does not represent the opinions of NEA regarding individual readers or recipients’ compliance with the subject matter contained therein.  Readers should consult legal and/or technical counsel of their own choosing to discuss how these matters relate to their individual circumstances.