
PII vs PHI: Key Differences Every Compliance Team Should Know

by VIDIZMO Team, Last updated: April 27, 2026



Sensitive data falls into distinct regulatory categories, and misclassifying even one record can trigger fines, lawsuits, or criminal penalties. PII, PHI, NPI, and PCI each carry different legal obligations, different breach notification timelines, and different technical safeguards. Yet many organizations treat them as interchangeable.

They aren't. A patient's medical record number is PHI. A customer's email address is PII. A cardholder's CVV is PCI. A bank client's account balance is NPI. Each belongs to a separate regulatory framework, and each demands a different protection strategy.

This guide breaks down what separates these four data categories, which regulations govern each, what penalties apply when protections fail, and how organizations can build a unified approach to protecting all of them. Whether you're a compliance officer, IT security lead, or privacy counsel, understanding these distinctions is the foundation of any data protection program.

Key Takeaways

  • PII is the broadest category: any data that can identify a person, governed by a patchwork of state, federal, and international laws such as CCPA/CPRA and GDPR, with NIST SP 800-122 supplying the standard definition and handling guidance (it is a guide, not a law).
  • PHI is a HIPAA-specific subset of PII that combines health information with one of 18 defined identifiers. Penalties reach up to $2.13 million per violation category per year.
  • NPI covers non-public personal financial information under the Gramm-Leach-Bliley Act (GLBA), while PCI refers to payment card data governed by the PCI DSS standard.
  • Visual data from surveillance cameras (faces, license plates, movement patterns) qualifies as PII under GDPR and several US state laws, creating compliance obligations for any organization operating video analytics.
  • A single data record can fall into multiple categories simultaneously. A patient's credit card on file is both PHI and PCI data, requiring compliance with both HIPAA and PCI DSS.

What Is PII and Why Does It Cover More Than You Think?

Personally Identifiable Information (PII) is any data that can identify a specific individual, either on its own or when combined with other information. The National Institute of Standards and Technology (NIST) SP 800-122 defines PII as "any information about an individual maintained by an agency, including any information that can be used to distinguish or trace an individual's identity."

PII splits into two tiers. Direct identifiers (sometimes called "linked" PII) can pinpoint someone on their own: Social Security numbers, passport numbers, biometric data, driver's license numbers, and full names paired with addresses. Indirect identifiers (or "linkable" PII) can identify someone when combined with other data: dates of birth, ZIP codes, job titles, or IP addresses.

The scope keeps expanding. Facial geometry captured by surveillance cameras is PII under Illinois' Biometric Information Privacy Act (BIPA). GPS location data from fleet vehicles is PII under CCPA. Even a persistent device identifier or browser fingerprint qualifies under GDPR's broader "personal data" definition. Organizations running any form of video analytics or camera monitoring should recognize that the footage itself can constitute PII when faces or identifying features are visible.

Common PII Examples by Category

  • Government-issued identifiers: Social Security numbers, passport numbers, driver's license numbers, national ID numbers
  • Contact information: Full name, home address, email address, phone number
  • Financial identifiers: Bank account numbers, tax identification numbers
  • Digital identifiers: IP addresses, MAC addresses, login credentials, device IDs
  • Biometric data: Fingerprints, facial geometry, voiceprints, retina scans
  • Visual identifiers: Photographs, video footage showing identifiable individuals, license plate numbers

No single US federal law governs all PII. Instead, organizations must comply with sector-specific federal laws (HIPAA, GLBA, FERPA) and a growing patchwork of state privacy laws. The California Consumer Privacy Act (CCPA/CPRA) and similar laws in Virginia, Colorado, Connecticut, and Utah each define PII slightly differently, adding compliance complexity.

What Is PHI and How Does It Differ from PII?

Protected Health Information (PHI) is individually identifiable health information that a HIPAA covered entity or its business associate creates, receives, maintains, or transmits. It is governed primarily by the Health Insurance Portability and Accountability Act (HIPAA), with state health-privacy laws adding obligations of their own. PHI isn't just medical records. It's any information about health status, healthcare provision, or healthcare payment that is linked to one of HIPAA's 18 specified identifiers.

The critical distinction: all PHI contains PII, but not all PII is PHI. Your name is PII. Your name on a hospital intake form is PHI. Context makes the difference. When PII is linked to health information held by a covered entity or business associate, it becomes PHI and falls under HIPAA's stricter protections.

HIPAA's 18 PHI Identifiers

  1. Names
  2. Geographic data smaller than a state
  3. Dates (except year) related to an individual
  4. Phone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers
  13. Device identifiers and serial numbers
  14. Web URLs
  15. IP addresses
  16. Biometric identifiers
  17. Full-face photographs and comparable images
  18. Any other unique identifying number, characteristic, or code

Item 17 deserves special attention for organizations using video surveillance in healthcare facilities. Full-face photographs captured by security cameras in a hospital constitute PHI when associated with a patient's visit. The same camera footage in a retail store would be PII but not PHI.

Who Must Comply with HIPAA PHI Rules?

HIPAA applies to covered entities (health plans, healthcare clearinghouses, healthcare providers) and their business associates. If your organization processes, stores, or transmits PHI on behalf of a covered entity, you're a business associate and must sign a Business Associate Agreement (BAA). This applies even if healthcare isn't your primary business. A cloud hosting provider storing patient records, a video platform managing telehealth recordings, or an analytics firm processing health data all qualify as business associates.

How Do PII and PHI Penalties Compare?

Breach consequences vary dramatically between PII and PHI. Understanding the gap helps organizations prioritize protections appropriately.

| Factor | PII (general) | PHI (HIPAA) |
|---|---|---|
| Governing body | FTC, state attorneys general, sector regulators | HHS Office for Civil Rights (OCR) |
| Breach notification deadline | Varies by state (30-90 days typical) | Without unreasonable delay and no later than 60 days from discovery |
| Civil penalties | Varies; CCPA: $2,500 per violation, $7,500 per intentional violation (periodically adjusted for inflation) | $141 to $2,134,831 per violation depending on culpability tier, with an annual cap of $2,134,831 per violation category (2024 inflation-adjusted figures) |
| Criminal penalties | Rare; depends on jurisdiction | Up to $250,000 and 10 years imprisonment (42 U.S.C. 1320d-6) |
| Public disclosure | State-dependent | Mandatory listing on the HHS breach portal (the "Wall of Shame") for breaches affecting 500 or more individuals |
| Private right of action | Yes (CCPA data-breach claims, BIPA, some state laws) | No federal private right of action; state laws may apply |

The HHS enforcement data shows that OCR resolved over 300 compliance reviews and investigations in 2024. The largest HIPAA settlements have exceeded $10 million. For PII breaches, the FTC has levied penalties exceeding $500 million in high-profile cases, but enforcement is less systematic than HIPAA's structured penalty tiers.

What Is NPI and Which Regulation Governs It?

Nonpublic Personal Information (NPI) is the Gramm-Leach-Bliley Act (GLBA) term for personally identifiable financial information collected by financial institutions. NPI includes any financial data that isn't publicly available: information provided by a consumer to a financial institution, generated from a transaction, or obtained by the institution while delivering a financial product or service.

NPI examples include bank account numbers, income and credit history, tax return information, account balances, loan amounts, insurance claim records, and investment portfolio details. Social Security numbers are NPI when collected by a financial institution, making them simultaneously PII and NPI.

NPI vs PII: The Key Distinction

PII identifies a person. NPI identifies a person's financial relationship with a financial institution. The overlap is significant, but GLBA imposes specific requirements that general PII laws don't cover:

  • Privacy notices: Financial institutions must provide annual privacy notices explaining what NPI they collect, how they share it, and how consumers can opt out
  • Safeguards Rule: Requires a written information security plan with designated personnel, risk assessments, and vendor oversight
  • Pretexting protection: Prohibits obtaining NPI through deception or false pretenses

The FTC's updated Safeguards Rule (most provisions effective June 2023) significantly tightened NPI protection requirements. It requires encryption of customer information in transit over external networks and at rest, multi-factor authentication for anyone accessing an information system that holds customer information, and either continuous monitoring or annual penetration testing plus vulnerability assessments at least every six months. A further amendment, effective May 2024, added notification to the FTC within 30 days of discovering a "notification event" affecting 500 or more consumers. Organizations that handle financial data but don't consider themselves "financial institutions" should review the GLBA's broad definition, which includes mortgage brokers, tax preparers, debt collectors, and financial advisors.

What Is PCI Data and How Is PCI DSS Different from Other Frameworks?

PCI data refers to payment card information governed by the Payment Card Industry Data Security Standard (PCI DSS). Unlike HIPAA or GLBA (both federal laws), PCI DSS is an industry-mandated standard created by the PCI Security Standards Council, founded by Visa, Mastercard, American Express, Discover, and JCB.

PCI data falls into two categories. Cardholder data covers the primary account number (PAN), cardholder name, expiration date, and service code; it may be stored only where there is a business need, and the PAN must be rendered unreadable wherever it is stored. Sensitive authentication data covers full magnetic stripe (track) data, CVV/CVC codes, and PINs or PIN blocks. Sensitive authentication data must never be stored after authorization, even if encrypted.
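The two storage rules above (drop sensitive authentication data outright; keep the PAN only in an unreadable form) are easy to state and easy to get wrong in code. The following is an added example, written for this article rather than taken from it or from VIDIZMO, of a payment-record sanitizer that enforces them before anything reaches a database or log. The field names, the HMAC key and the sample records are assumptions made for illustration; it also goes slightly beyond the text by scanning free text (log lines, ticket bodies, OCR output from video) for Luhn-valid card numbers, which is how PANs usually leak outside the cardholder data environment.

```python
"""PCI DSS storage-rule sanitizer (added example; field names and key are assumed)."""
import hashlib
import hmac
import re

# Sensitive authentication data: never retained after authorization, even
# encrypted (PCI DSS v4.0 Requirement 3.3.1). Field names are assumptions.
SAD_FIELDS = frozenset({"cvv", "cvc", "cvv2", "cid", "pin", "pin_block",
                        "track1", "track2", "magstripe"})

# Matches 13-19 digit runs, allowing a space or dash between digits.
_PAN_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 check that separates a plausible PAN from an arbitrary digit run."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the BIN (first 6) and last 4 (Requirement 3.4.1)."""
    pan = re.sub(r"\D", "", pan)
    if len(pan) <= 10:
        raise ValueError("PAN too short to mask safely")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_reference(pan: str, key: bytes) -> str:
    """Keyed one-way hash of the PAN (Requirement 3.5.1): unreadable at rest,
    but stable so repeat transactions can be matched. In production the key
    lives in a KMS/HSM, not beside the data."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def sanitize_for_storage(record: dict, key: bytes) -> dict:
    """Return only the parts of a payment record that may be persisted."""
    out = {}
    for name, value in record.items():
        lname = name.lower()
        if lname in SAD_FIELDS:
            continue            # SAD is dropped; it must not be logged either
        if lname == "pan":
            digits = re.sub(r"\D", "", str(value))
            if not luhn_valid(digits):
                raise ValueError("field 'pan' does not look like a card number")
            out["pan_masked"] = mask_pan(digits)
            out["pan_ref"] = pan_reference(digits, key)
            continue
        out[name] = value
    return out


def find_pans(text: str) -> list:
    """Scan free text for Luhn-valid card numbers (PAN leakage detection)."""
    hits = []
    for m in _PAN_RUN.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    # Constructed sample record; 4111 1111 1111 1111 is a well-known test PAN.
    sample = {"pan": "4111 1111 1111 1111", "cvv": "123",
              "expiry": "12/27", "cardholder_name": "A. Test"}
    print(sanitize_for_storage(sample, key=b"demo-key-from-kms"))
    print(find_pans("order 12345 card 4111-1111-1111-1111 ref 1234567890123"))
```

Run `find_pans` over application logs and support-ticket exports before a PCI assessment: every hit is a place where cardholder data has left the scoped environment, which is the finding an assessor will raise first.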

PCI DSS Compliance Levels

| Level | Annual card transactions | Validation requirements |
|---|---|---|
| Level 1 | Over 6 million | Annual on-site assessment and Report on Compliance (ROC) by a Qualified Security Assessor (QSA) or qualified internal assessor, quarterly external scans by an Approved Scanning Vendor (ASV) |
| Level 2 | 1 million to 6 million | Annual Self-Assessment Questionnaire (SAQ), quarterly ASV scans |
| Level 3 | 20,000 to 1 million e-commerce | Annual SAQ, quarterly ASV scans |
| Level 4 | Under 20,000 e-commerce, or up to 1 million across all channels | Annual SAQ, quarterly ASV scans (required or recommended at the acquirer's discretion) |

Merchant levels are defined by each card brand rather than by PCI DSS itself; the thresholds above are Visa's, which most acquirers follow, and an acquirer can move a merchant to Level 1 after a compromise regardless of volume.

PCI DSS v4.0, published in March 2022, introduced 64 new requirements, most of which became mandatory on March 31, 2025; v4.0.1, released in June 2024, is a limited revision that corrects and clarifies v4.0 without adding requirements. Non-compliance penalties range from $5,000 to $100,000 per month, levied by the payment card brands through the acquiring bank. Unlike HIPAA, there's no government enforcement body. Penalties flow through contractual relationships between merchants, banks, and card brands.

How Does One Record Fall Under Multiple Data Categories?

Real-world data rarely fits neatly into one box. A single database record can simultaneously qualify as PII, PHI, NPI, and PCI, requiring compliance with multiple frameworks at once.

Consider a hospital billing system. A patient's record might contain their name and SSN (PII), diagnosis codes and treatment history (PHI), health insurance payment information (NPI under GLBA if processed by a financial entity), and the credit card used for a copay (PCI). One record. Four regulatory frameworks. Four sets of requirements.

Overlap Scenarios and Governing Rules

  • SSN in a hospital record: Both PII and PHI. HIPAA rules apply because of the healthcare context, plus any applicable state PII breach notification laws.
  • Credit card stored by a health plan: Both PCI and PHI. Must comply with PCI DSS for the card data and HIPAA for the health plan enrollment data.
  • Bank customer's health insurance information: Both NPI and PHI. GLBA governs the financial relationship; HIPAA governs the health data if the bank is acting as a health plan administrator.
  • Face captured on a hospital security camera: Both PII (biometric data) and PHI (if associated with a patient visit). Must be protected under HIPAA and potentially state biometric privacy laws.

When data falls under multiple frameworks, the strictest applicable standard should govern protection measures. This "strictest control wins" approach satisfies every applicable regulation at once without creating conflicting controls.

Side-by-Side Comparison of PII, PHI, NPI, and PCI

| Dimension | PII | PHI | NPI | PCI |
|---|---|---|---|---|
| Full name | Personally Identifiable Information | Protected Health Information | Nonpublic Personal Information | Payment Card Industry data (cardholder data and sensitive authentication data) |
| Primary regulation | NIST SP 800-122 (guidance), CCPA/CPRA, GDPR, state laws | HIPAA (Privacy, Security, Breach Notification Rules) | GLBA (Safeguards Rule, Privacy Rule) | PCI DSS (v4.0.1) |
| Enforcement body | FTC, state AGs, DPAs (GDPR) | HHS Office for Civil Rights | FTC, federal banking regulators | Card brands via acquiring banks |
| Scope | Any individual | Patients, health plan members | Consumers of financial products | Cardholders |
| Encryption required | Varies by law | Addressable implementation specification (strongly recommended; PHI encrypted to HHS guidance is "secured" and its loss is not a notifiable breach) | Required at rest and in transit over external networks (Safeguards Rule) | PAN must be rendered unreadable wherever stored; strong cryptography in transit over open, public networks |
| Breach notification | 30-90 days (state-dependent) | No later than 60 days from discovery | FTC within 30 days of discovery for events affecting 500 or more consumers (Safeguards Rule amendment, effective May 2024); state laws govern notice to consumers | Set by card-brand and acquirer agreements, typically immediate notice to the acquirer |
| Data retention limits | Varies | 6 years for HIPAA compliance documentation; medical-record retention set by state law | Dispose of customer information no later than two years after its last use unless retention is required (Safeguards Rule) | Cardholder data kept only as long as there is a business or legal need; sensitive authentication data never retained after authorization |

How Should Organizations Build a Unified Data Protection Strategy?

Most organizations store at least two of these four data types. Many store all four. Building separate compliance programs for each framework creates redundancy, increases cost, and leaves gaps where data crosses categories.

A unified approach starts with data classification. Before you can protect data, you need to know what you have and where it lives. Automated data discovery tools scan databases, file shares, email systems, and even video repositories to identify and tag PII, PHI, NPI, and PCI data elements.

Five Steps to Unified Sensitive Data Protection

  1. Map your data landscape: Inventory every system that stores, processes, or transmits sensitive data. Include databases, cloud storage, email archives, surveillance systems, and backup tapes.
  2. Classify by regulatory category: Tag each data element with its applicable frameworks (PII, PHI, NPI, PCI, or combinations). Automated classification tools reduce the manual burden significantly.
  3. Apply the strictest applicable control: When data falls under multiple frameworks, implement the most stringent requirement. AES-256 encryption at rest, with keys managed separately from the data, meets the strongest encryption expectation among the four; note that PCI DSS Requirement 3 adds key-management and PAN-unreadability rules on top, and that no amount of encryption makes stored sensitive authentication data permissible.
  4. Implement role-based access controls (RBAC): Limit access to sensitive data based on job function. This principle applies across all four frameworks and reduces your attack surface.
  5. Establish a unified breach response plan: Map out notification timelines for each data type. When a breach involves multiple categories, the shortest deadline governs.

Organizations processing video surveillance footage face an additional challenge. Camera feeds capture faces, license plates, and sometimes medical or financial documents visible in frame. Any organization operating security cameras in healthcare facilities, financial institutions, or public spaces should include video data in their classification exercise.

Why Visual Data Creates New PII and PHI Risks

Traditional data protection focused on structured databases: rows and columns containing names, numbers, and addresses. The expansion of video surveillance, body cameras, and real-time analytics has introduced unstructured visual PII at a scale most compliance programs weren't designed to handle.

A single surveillance camera in a hospital lobby captures patient faces (PHI when linked to a visit), visitor faces (PII), employee badge numbers (PII), and potentially documents or screens displaying protected information. Under GDPR, the European Data Protection Board has explicitly stated that video surveillance constitutes personal data processing, requiring a legal basis, purpose limitation, and data minimization.

In the US, Illinois' BIPA requires informed written consent before collecting biometric identifiers such as facial geometry, with liquidated damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation. The August 2024 amendment (SB 2979), passed in response to the 2023 Cothron v. White Castle decision, provides that repeated collection of the same biometric from the same person by the same method counts as a single violation rather than one per scan, but the financial exposure remains significant for organizations operating hundreds of cameras.

VIDIZMO addresses visual PII at multiple levels. AI LiveSight Analytics processes live camera feeds for real-time detection of faces, license plates, and objects, while maintaining data isolation through on-premises deployment that keeps video data within the organization's own infrastructure. For organizations that need to redact PII from recorded footage before public release or FOIA response, VIDIZMO Redactor automatically detects and redacts 40+ PII types across video, audio, images, and documents, including faces, license plates, SSNs, and medical record numbers visible in frame. Together, privacy-aware collection and automated redaction help organizations comply with HIPAA, CCPA, BIPA, and GDPR requirements simultaneously.

How VIDIZMO Supports Multi-Framework Compliance

Organizations processing visual data alongside traditional structured PII need platforms built with multi-framework compliance in mind. VIDIZMO is ISO/IEC 27001:2022 certified and supports HIPAA-compliant deployments, CJIS-compliant deployments on Azure Government, and GDPR and CCPA data subject rights requirements. Deployment options include on-premises, Azure Government Cloud, hybrid, and air-gapped environments, giving organizations control over where sensitive data resides.

For PII and PHI protection specifically, the platform provides AES-256 encryption at rest, TLS 1.2 in transit, RBAC with SSO and MFA, and audit logging that records user ID, IP address, timestamp, and action for every data access event. AI models don't train on customer data by default, and fine-tuned models remain isolated to each customer's environment.

Frequently Asked Questions

Are PHI and PII the same thing?

No. PHI is a subset of PII that specifically involves health information combined with one of HIPAA's 18 identifiers. All PHI contains PII elements, but most PII is not PHI. Your email address is PII, but it only becomes PHI when linked to your medical records, treatment information, or health plan enrollment at a HIPAA-covered entity.

Is a Social Security number PII or PHI?

A Social Security number is always PII. It becomes PHI when it appears in a healthcare context, such as a hospital patient record or health insurance claim. It can also qualify as NPI when collected by a financial institution under the Gramm-Leach-Bliley Act. The same data element can carry multiple classifications depending on the context in which it's collected and used.

What are the 18 identifiers that make health data PHI?

HIPAA defines 18 identifiers that, when combined with health information, create PHI. These include names, geographic data smaller than a state, dates (except year), phone and fax numbers, email addresses, SSNs, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers, device identifiers, web URLs, IP addresses, biometric identifiers, full-face photographs, and any other unique identifying number or code.

How does PCI data differ from NPI in financial services?

PCI data specifically covers payment card information (card numbers, CVVs, expiration dates) and is governed by the PCI DSS industry standard. NPI covers all non-public personal financial information collected by financial institutions under the GLBA, including account balances, transaction histories, and loan details. A customer's credit card number is PCI data; their overall account balance and investment portfolio details are NPI. Both require protection, but under different frameworks.

Does video surveillance footage count as PII?

Yes, in most regulatory contexts. Video footage that captures identifiable individuals (faces, license plates, badge numbers) qualifies as PII under GDPR, CCPA, and state biometric privacy laws like Illinois' BIPA. In healthcare facilities, surveillance footage associated with patient visits can also qualify as PHI under HIPAA. Organizations operating video analytics should include camera data in their PII classification and protection programs.

What happens when a data breach involves multiple data types?

When a breach exposes data falling under multiple frameworks (for example, a hospital database containing PHI, PII, and PCI data), the organization must comply with the notification requirements of every applicable regulation. The shortest deadline takes priority. HIPAA requires notification no later than 60 days from discovery, card-brand rules require prompt (typically immediate) notification to the acquiring bank, the GLBA Safeguards Rule requires notice to the FTC within 30 days for events affecting 500 or more consumers, and state PII laws vary from 30 to 90 days. In practice, the organization should notify all parties within the shortest applicable window.

Can an organization use one security framework to comply with all four data types?

No single framework covers all four. However, organizations can build a unified security program using NIST Cybersecurity Framework or ISO 27001 as a baseline, then mapping additional requirements from HIPAA, GLBA, and PCI DSS as overlays. This approach avoids duplicate controls while ensuring that specific requirements (like PCI DSS's prohibition on storing sensitive authentication data or HIPAA's BAA requirements) aren't missed.

Protecting PII, PHI, NPI, and PCI data starts with understanding what you have and which regulations apply. For organizations managing video data alongside traditional databases, the classification challenge grows with unstructured visual information that cameras capture continuously. The right platform handles data classification, access controls, encryption, and audit logging across all data types within a single environment.

Request a demo to see how VIDIZMO handles sensitive data protection across video, audio, and document workflows.

Tags: Redaction

About the Author

VIDIZMO Team

See how VIDIZMO helps you securely stream, manage, and maximize your video and digital evidence data with compliant, expert solutions.
