PII vs NPI: Key Differences Every Compliance Team Should Know
by VIDIZMO Team, last updated: June 1, 2026

Sensitive data doesn't arrive in neat regulatory buckets. A single customer record can carry a name, a Social Security number, a clinical note, and a credit card, and each element falls under a different law. Compliance teams that treat all of it as "personal data" tend to over-protect what's cheap to expose and under-protect what triggers seven-figure penalties.
The acronyms most often confused are PII (personally identifiable information), PHI (protected health information), NPI (nonpublic personal information), and PCI data (payment card information). They overlap. But the regulations behind them, the penalty regimes, and the technical safeguards each one requires are distinct.
This guide explains the differences in plain language, walks through how the same record can trigger four frameworks at once, and shows how to build a unified data protection strategy that doesn't fall apart the first time auditors ask which control maps to which rule.
Key Takeaways
- PII is the broadest category: any data that can identify a person, governed by a patchwork of laws and guidance including CCPA, GDPR, and NIST SP 800-122.
- PHI is a HIPAA-specific subset of PII that combines health information with one of 18 defined identifiers. Penalties reach up to $2.13 million per violation category per year.
- NPI is governed by the Gramm-Leach-Bliley Act (GLBA) and applies to financial institutions, covering data tied to financial transactions, account numbers, and credit histories.
- PCI data is governed by a contractual standard, not a federal law. PCI DSS is enforced by payment card brands through acquiring banks, with monthly penalties of $5,000 to $100,000.
- One record can fall under all four frameworks at once. A hospital's patient billing file with a credit card and a brokerage account is PII, PHI, PCI, and NPI simultaneously.
- AES-256 encryption satisfies the encryption controls of all four regimes, which is why a unified security baseline is more efficient than four siloed programs.
What Is PII and Why Does It Cover More Than You Think?
Personally identifiable information (PII) is any data that can be used, alone or in combination, to identify a specific individual. The most cited definition comes from NIST Special Publication 800-122, which splits PII into direct identifiers (name, Social Security number, biometrics) and indirect identifiers (ZIP code, date of birth, gender) that become identifying when combined.
What surprises most compliance teams is how wide the modern definition has grown. Under the California Consumer Privacy Act (CCPA), IP addresses, browsing history, geolocation, and even inferences drawn about a consumer's behavior count as personal information. The EU's General Data Protection Regulation (GDPR) goes further by treating online identifiers, device fingerprints, and biometric templates as personal data by default.
There is no single federal PII law in the United States. Instead, organizations navigate a patchwork: sectoral laws (HIPAA for health, GLBA for finance, FERPA for education), state privacy acts (California, Virginia, Colorado, Texas, and a dozen more), and breach-notification rules in all 50 states. From what we've seen, the common mistake is assuming that "encrypted at rest" alone satisfies every jurisdiction. It doesn't. State laws diverge sharply on consent, deletion rights, and the definition of "sensitive PII."
For PII breaches, the Federal Trade Commission (FTC) has levied penalties exceeding $500 million in high-profile cases, but enforcement is less systematic than HIPAA's structured penalty tiers. The point isn't that PII is the lightest category. It's that PII enforcement is unpredictable, which makes risk modelling harder, not easier.
Common Examples of PII
- Full name, mailing address, phone number, email
- Social Security number, driver's license, passport number
- Biometric identifiers: facial geometry, fingerprints, voiceprints, iris scans
- Vehicle identifiers (license plates, VINs)
- IP addresses, device IDs, advertising IDs (under CCPA and GDPR)
- Geolocation precise enough to identify a household
What Is PHI and How Does It Differ from PII?
Protected health information (PHI) is a HIPAA-specific subset of PII. It's any information about health status, healthcare provision, or healthcare payment that includes one of HIPAA's 18 specified identifiers. The list of identifiers is set by the HIPAA Privacy Rule (45 CFR 164.514) and includes name, geographic data smaller than a state, dates tied to an individual, phone, fax, email, Social Security number, medical record number, and full-face photographs, among others.
The critical distinction: not all PII is PHI, but most PHI is also PII. A patient's name on a hospital admission record is PHI. The same name on a marketing newsletter list is just PII. Context matters more than the data point itself.
PHI is regulated under the HIPAA Privacy Rule and the HIPAA Security Rule (45 CFR 164.312, Technical Safeguards). Covered entities include healthcare providers, health plans, and clearinghouses. Business associates, which include any vendor that touches PHI on behalf of a covered entity, are equally on the hook.
Penalties under HIPAA are tiered by culpability and adjusted annually for inflation. As of 2024, civil monetary penalties range from $137 per violation (no knowledge tier) up to $71,162 per violation (willful neglect), with an annual cap of $2.13 million per violation category. The largest HIPAA settlements have exceeded $10 million. Anthem's 2018 settlement reached $16 million, and Premera Blue Cross paid $6.85 million in 2020.
One thing worth flagging: HIPAA enforcement has moved heavily toward audit findings rather than just breach response. Since 2024, the Office for Civil Rights has issued penalties for risk-assessment gaps even when no breach occurred.
How Do PII and PHI Penalties Compare?
PHI penalties are formula-driven and predictable. PII penalties are case-driven and discretionary. That difference shapes how compliance budgets should be allocated. We've worked with hospital systems that under-invested in PII (marketing data, employee records) because they assumed HIPAA covered everything. It does not. State privacy laws, FTC actions, and class-action exposure can dwarf a typical HIPAA fine.
| Framework | Maximum Penalty | Enforcement Body | Predictability |
|---|---|---|---|
| HIPAA (PHI) | $2.13M per violation category per year | HHS Office for Civil Rights | High (tiered) |
| FTC Act (PII) | $500M+ in landmark cases | Federal Trade Commission | Low (discretionary) |
| CCPA (PII) | $7,500 per intentional violation | California AG, CPPA | Medium |
| GDPR (PII) | 4% of global annual revenue | EU Data Protection Authorities | Medium |
| BIPA (biometric PII) | $1,000-$5,000 per violation | Private right of action (Illinois) | High |
In the US, Illinois' Biometric Information Privacy Act (BIPA) requires informed consent before collecting biometric identifiers like facial geometry, with statutory damages of $1,000 to $5,000 per violation. Multiply that by a database of 50,000 facial templates and the exposure dwarfs most HIPAA cases. Facebook settled BIPA litigation for $650 million in 2021.
What Is NPI and Which Regulation Governs It?
Nonpublic personal information (NPI) is the financial-sector cousin of PHI. The term comes from the Gramm-Leach-Bliley Act (GLBA), passed in 1999, which regulates how financial institutions handle customer information. NPI covers any personally identifiable financial information that a financial institution collects in connection with providing a financial product or service, and that is not publicly available.
That definition reads broader than it actually is. NPI specifically covers:
- Account numbers and balances
- Credit history and credit scores
- Income, assets, and net worth
- Transaction history
- Information from loan or insurance applications
- Any list of customers derived from NPI (a "customer list" of brokerage clients is NPI even if it's just names)
GLBA has two main implementing rules. The Privacy Rule governs how institutions disclose NPI to third parties and requires annual privacy notices. The Safeguards Rule (16 CFR 314) mandates a written information security program with administrative, technical, and physical controls. The FTC's 2023 amendments to the Safeguards Rule added specific requirements: a qualified individual to oversee the program, multi-factor authentication, encryption of NPI at rest and in transit, and continuous monitoring.
NPI penalties scale differently from HIPAA's. GLBA itself caps statutory penalties at $100,000 per violation for institutions and $10,000 per officer or director. But the real exposure is reputational, and reputational fallout often arrives through state insurance commissioners, banking regulators, and class-action suits. The 2017 Equifax breach exposed NPI on 147 million consumers and resulted in a $700 million combined federal and state settlement.
The part most teams overlook is GLBA's definition of "financial institution." It isn't limited to banks. Mortgage brokers, tax preparers, debt collectors, investment advisors, and even universities that issue Perkins loans are subject to GLBA. If your organization touches consumer financial data, you likely owe NPI obligations.
What Is PCI Data and How Is PCI DSS Different from Other Frameworks?
PCI data is payment card information: the primary account number (PAN), cardholder name, expiration date, service code, and sensitive authentication data such as the CVV, PIN, and full magnetic-stripe data. Protecting PCI data is governed by the Payment Card Industry Data Security Standard (PCI DSS), currently at version 4.0.1 with full compliance required by March 31, 2025.
The defining difference from PII, PHI, and NPI: PCI DSS isn't a law. It's a contractual standard maintained by the PCI Security Standards Council, a body founded by the five major card brands (Visa, Mastercard, American Express, Discover, JCB). Compliance is enforced through merchant contracts with acquiring banks, not through government regulators.
That changes the enforcement model. Non-compliance penalties range from $5,000 to $100,000 per month, levied by the payment card brands through the acquiring bank. Persistent non-compliance can result in higher transaction fees, increased reserves, or termination of card-processing privileges altogether. In a breach scenario, the merchant is also liable for forensic-investigation costs, card-replacement fees, and fraud losses, which often exceed the regulatory penalties by an order of magnitude.
PCI DSS organizes 12 high-level requirements into six control objectives: build and maintain a secure network, protect cardholder data, maintain a vulnerability management program, implement strong access controls, monitor and test networks, and maintain an information security policy. Encryption requirements are explicit. PANs must be rendered unreadable using strong cryptography (AES-128 minimum, AES-256 recommended).
How Does One Record Fall Under Multiple Data Categories?
This is where compliance teams get into trouble. The same data element can sit under two, three, or four frameworks simultaneously, and each framework imposes its own controls, retention rules, and breach-notification timelines.
Consider a hospital admissions file for a patient who paid with a credit card and listed a brokerage account as collateral for a payment plan:
- The patient's name and address: PII (CCPA, state privacy laws)
- The diagnosis and treatment notes: PHI (HIPAA)
- The credit card number used for payment: PCI data (PCI DSS)
- The brokerage account information: NPI (GLBA, since the hospital is collecting financial data in connection with extending credit)
One record, four regulators, four sets of controls. In practice, the way to manage this is to apply the strictest control any framework requires, then map that single control to all four. AES-256 encryption satisfies PII, PHI, NPI, and PCI encryption requirements simultaneously. Access logging that meets HIPAA's audit-trail requirement also satisfies PCI DSS Requirement 10 and GLBA Safeguards Rule monitoring.
The trap is fragmentation. We've seen organizations run separate HIPAA, PCI, and GLBA compliance programs out of separate teams, each maintaining a different encryption standard, a different audit-log retention period, and a different access-review cadence. The result is more cost, more risk, and more audit findings, not less.
Side-by-Side Comparison of PII, PHI, NPI, and PCI
| Attribute | PII | PHI | NPI | PCI Data |
|---|---|---|---|---|
| Primary Regulator | FTC, state AGs, EU DPAs | HHS Office for Civil Rights | FTC, federal banking regulators, state regulators | PCI Security Standards Council (via card brands) |
| Governing Law / Standard | CCPA, GDPR, state privacy acts, NIST SP 800-122 | HIPAA Privacy & Security Rules | Gramm-Leach-Bliley Act, FTC Safeguards Rule | PCI DSS v4.0.1 (contractual) |
| Who Is Covered | Nearly all organizations processing personal data | Covered entities + business associates | Financial institutions (broadly defined) | Any merchant or processor handling card data |
| Maximum Penalty | $500M+ (FTC cases); 4% global revenue (GDPR) | $2.13M per violation category per year | $100K per violation; class-action exposure | $5K-$100K per month; loss of processing rights |
| Encryption Standard | Strong encryption (varies by law) | Addressable; AES recommended | AES required (post-2023 Safeguards Rule) | AES-128 minimum; AES-256 recommended |
| Breach Notification | State-by-state; 30-90 days typical | 60 days to individuals; HHS notice required | State law + GLBA notice requirements | Immediate notice to acquiring bank and brands |
How Should Organizations Build a Unified Data Protection Strategy?
The strongest compliance programs we've seen don't try to satisfy each framework in isolation. They build a single control baseline that meets the strictest requirement across all applicable frameworks, then map each control to multiple obligations.
A unified strategy has five practical layers:
- Data discovery and classification. Before you can protect data, you have to know where it lives. Automated discovery tools should scan structured databases, file shares, email archives, video files, and unstructured stores. Each data element gets tagged: PII, PHI, NPI, PCI, or "sensitive PII" (a subset under several state laws).
- Encryption everywhere. AES-256 encryption at rest, TLS 1.2 or higher in transit. This single control satisfies the encryption clauses in HIPAA Security Rule, PCI DSS Requirements 3 and 4, GLBA Safeguards Rule, and most state PII laws.
- Role-based access control with audit logging. Every access event logged with user ID, timestamp, action, and source IP. Logs retained at least 6 years (HIPAA's retention minimum, which exceeds PCI DSS's 1-year hot/3-year archive requirement and GLBA's general expectation).
- Vendor governance. Business associate agreements (BAAs) under HIPAA, service-provider contracts under GLBA, and PCI DSS Attestations of Compliance from any vendor touching card data. Maintain a single vendor inventory tagged with applicable frameworks.
- Incident response and breach notification. A single incident response plan that triggers the right notification timeline based on data classification. Build the timeline matrix once, not four times.
The unifying insight: most compliance frameworks share more than 70% of their underlying controls. Encryption, access control, audit logging, vendor management, and incident response appear in every one. The differences are in scope and notification, not in the security primitives.
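The hospital-record scenario above and the five-layer strategy both come down to one mechanism: tag each field with the categories it triggers, take the union of frameworks, and derive a single baseline from the strictest value each one states. The following Python is an added example written for this guide, not VIDIZMO's code or any product's logic. The framework figures are the ones the guide itself gives (6-year HIPAA retention, PCI DSS's 1-year hot logs, 60-day HIPAA notice, "immediate" PCI notice, AES-256 as the common encryption baseline); where the guide states no number the value is left as None rather than invented. The field names, the context flags, the sample record and the Luhn-validated test card number are all constructed assumptions. It also shows one habit a discovery tool needs regardless of framework: never writing a full PAN or a health value into its own classification report.

```python
"""Classify the fields of one record into PII / PHI / NPI / PCI, then derive the
single strictest control baseline across every framework those tags trigger.
Framework figures are the ones the guide states; None where it gives no number."""
import re
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Cat(Enum):
    PII = "PII"
    PHI = "PHI"
    NPI = "NPI"
    PCI = "PCI"


@dataclass(frozen=True)
class Framework:
    name: str
    aes_bits: Optional[int]             # key size the guide states for this framework
    log_retention_years: Optional[int]  # None: no figure stated
    notify_within_days: Optional[int]   # None: no figure stated; 0: "immediate"


# Figures taken from the guide's comparison table and unified-strategy section.
FRAMEWORKS = {
    Cat.PII: Framework("State PII laws / CCPA", None, None, 30),   # 30-90 days typical; strict end
    Cat.PHI: Framework("HIPAA", 256, 6, 60),                       # AES-256 de facto; 6-year logs
    Cat.NPI: Framework("GLBA Safeguards Rule", None, None, None),  # AES required, no size stated
    Cat.PCI: Framework("PCI DSS v4.0.1", 256, 1, 0),               # AES-256 recommended; 1-year hot
}
BASELINE_AES_BITS = 256  # the guide's baseline, used if no triggered framework states a size

# Field-name hints are an assumption for the constructed record, not a general schema.
IDENTIFIER_FIELDS = {"name", "address", "ssn", "email", "phone"}
HEALTH_FIELDS = {"diagnosis", "treatment_notes"}
FINANCIAL_FIELDS = {"brokerage_account", "credit_score", "income"}
PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that discovery tools use to cut false PAN hits on plain digit runs."""
    total, double = 0, False
    for ch in reversed(digits):
        n = int(ch) * 2 if double else int(ch)
        total += n - 9 if n > 9 else n
        double = not double
    return total % 10 == 0


@dataclass(frozen=True)
class Context:
    covered_entity: bool     # HIPAA covered entity or business associate holds the record
    financial_product: bool  # data collected in connection with a financial product or service


def classify(record: dict, ctx: Context) -> dict:
    """Tag each field with its categories. PHI and NPI depend on who holds the
    data and why, which is the context rule the guide stresses."""
    health_record = ctx.covered_entity and any(k in record for k in HEALTH_FIELDS)
    tags = {}
    for key, value in record.items():
        cats = set()
        if key in IDENTIFIER_FIELDS:
            cats.add(Cat.PII)
            if health_record:  # an identifier on a covered entity's health record is PHI too
                cats.add(Cat.PHI)
        if key in HEALTH_FIELDS and ctx.covered_entity:
            cats.add(Cat.PHI)
        if key in FINANCIAL_FIELDS and ctx.financial_product:
            cats.add(Cat.NPI)
        digits = str(value).replace(" ", "").replace("-", "")
        if key == "card_number" and PAN_RE.match(digits) and luhn_ok(digits):
            cats.add(Cat.PCI)
        tags[key] = cats
    return tags


@dataclass(frozen=True)
class Baseline:
    frameworks: tuple                    # every framework the record triggers
    aes_bits: int                        # strictest stated key size
    log_retention_years: int             # longest stated retention
    earliest_notify_days: Optional[int]  # the deadline that drives the IR clock
    notify_matrix: dict                  # framework -> days: the matrix built once, not four times


def strictest_baseline(tags: dict) -> Baseline:
    cats = set().union(*tags.values()) if tags else set()
    fws = [FRAMEWORKS[c] for c in sorted(cats, key=lambda c: c.value)]
    aes = [f.aes_bits for f in fws if f.aes_bits is not None]
    ret = [f.log_retention_years for f in fws if f.log_retention_years is not None]
    notify = {f.name: f.notify_within_days for f in fws}
    stated = [d for d in notify.values() if d is not None]
    return Baseline(tuple(f.name for f in fws), max(aes, default=BASELINE_AES_BITS),
                    max(ret, default=0), min(stated) if stated else None, notify)


def mask_for_log(key: str, value, cats: set) -> str:
    """The classification report itself must not leak a PAN or a health/financial value."""
    s = str(value)
    if Cat.PCI in cats:
        return "*" * (len(s) - 4) + s[-4:]
    if cats & {Cat.PHI, Cat.NPI}:
        return "[REDACTED]"
    return s


# Constructed hospital admissions record matching the guide's scenario.
SAMPLE_RECORD = {
    "name": "Jane Q. Public",
    "address": "12 Example St, Springfield",
    "diagnosis": "Type 2 diabetes",
    "treatment_notes": "Metformin 500mg, follow-up in 3 months",
    "card_number": "4111 1111 1111 1111",  # Luhn-valid test number, not a real card
    "brokerage_account": "BRK-0000-TEST",
}
SAMPLE_CONTEXT = Context(covered_entity=True, financial_product=True)

if __name__ == "__main__":
    tags = classify(SAMPLE_RECORD, SAMPLE_CONTEXT)
    for k, cats in tags.items():
        print(f"{k:18} {sorted(c.value for c in cats)}  {mask_for_log(k, SAMPLE_RECORD[k], cats)}")
    print(strictest_baseline(tags))
```

Run as-is, the record triggers all four frameworks and the baseline resolves to AES-256, 6-year log retention and an earliest notification deadline of 0 days (the PCI "immediate" notice), while the matrix still records the 30- and 60-day clocks for the state-law and HIPAA notices. Change the context to a marketing list held by a non-covered entity and the same name drops back to plain PII, which is the point the guide makes about context.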
Why Visual Data Creates New PII and PHI Risks
Video and image data is the fastest-growing category of sensitive information, and it sits awkwardly across the four frameworks. A surveillance camera frame can capture a face (biometric PII), a license plate (PII), a hospital ID badge in the background (PHI), and a customer's credit card on a checkout counter (PCI), all in a single image.
Three trends since 2024 have pushed visual data to the top of compliance agendas:
- Biometric privacy laws. BIPA in Illinois, the Texas CUBI Act, Washington's HB 1493, and the EU AI Act all treat facial geometry as a regulated identifier requiring consent before capture.
- Body-worn camera mandates. Since 2024, more than 30 states have mandated body-worn cameras for at least some law enforcement agencies. Each minute of footage is potentially PII, and often PHI when officers respond to medical incidents.
- Public records release obligations. Freedom of Information Act (FOIA) and state public-records laws require government agencies to release responsive records, including video. Releasing unredacted video can violate every framework we've discussed.
The traditional response, frame-by-frame manual redaction, doesn't scale. A records clerk processing 200 public records requests per month can't manually blur faces and license plates in every video. AI-assisted redaction, which detects and tracks PII across frames, has become the practical solution in 2025 and 2026.
For surveillance footage, the same problem appears in real time. Cameras stream continuously, but only a fraction of the footage is operationally relevant. Filtering for the events that matter, while suppressing or redacting bystander PII, is now a baseline expectation in public-safety and smart-city deployments.
How VIDIZMO Supports Multi-Framework Compliance
VIDIZMO's platform is built for organizations that handle visual and document data across multiple regulatory regimes. VIDIZMO is ISO/IEC 27001:2022 certified and supports HIPAA-compliant deployments, CJIS-compliant deployments on Azure Government, and GDPR and CCPA data subject rights requirements.
Three components of the platform map directly to the controls discussed in this guide:
VIDIZMO Redactor automates the detection and redaction of PII, PHI, NPI, and PCI elements in video, audio, and documents. The system identifies faces, license plates, account numbers, document text, and other identifiers, then applies blur, mask, or audio-mute treatments with a full audit trail. For public records, legal discovery, and healthcare release-of-information workflows, this replaces manual frame-by-frame review.
The AI LiveSight Analytics layer attaches to existing camera infrastructure via RTSP or ONVIF, so organizations don't need to replace cameras to add detection and event-based recording. Pretrained models cover person, vehicle, license plate, weapon, and PPE detection. Fine-tuning happens in the customer's environment, with data isolated per tenant, satisfying both GLBA's data-segregation expectations and HIPAA's minimum-necessary principle.
Intelligence Hub handles the AI processing layer behind both products: 82 languages for transcription and captioning, multi-modal content understanding for documents, and natural-language search across video archives. Customer data doesn't train shared models by default, which addresses both privacy and contractual obligations to upstream data subjects.
Across the portfolio, the security baseline is consistent: AES-256 encryption at rest, TLS 1.2 in transit, role-based access control with single sign-on and multi-factor authentication, comprehensive audit logging, and deployment options across SaaS, dedicated cloud, on-premises, and air-gapped environments.
If your organization processes data that touches more than one of PII, PHI, NPI, or PCI, the value of a single platform with mapped controls compounds quickly. Audit cycles shorten, vendor governance simplifies, and the cost of demonstrating compliance to any one auditor drops because the evidence is already in place for the others.
Frequently Asked Questions
Is an NPI number considered PII?
The healthcare National Provider Identifier (NPI number) is a 10-digit identifier assigned to healthcare providers and is publicly available through the NPPES registry, so it isn't treated as PII or PHI on its own. The financial sector's NPI (nonpublic personal information under GLBA) is a different concept entirely and is always considered protected. Context matters: "NPI number" in healthcare conversations means the provider ID, while "NPI" in financial compliance conversations means GLBA-regulated customer financial data.
Is a national ID number considered PII?
Yes. A national ID number (such as a U.S. Social Security number, a UK National Insurance number, or a Canadian Social Insurance number) is considered a direct identifier under NIST SP 800-122 and is treated as sensitive PII under most state and federal frameworks. Disclosure of national ID numbers typically triggers breach-notification requirements in all 50 U.S. states. Strong encryption and tokenization are recommended whenever this category of identifier is stored or transmitted.
What are 5 examples of PII?
Five common examples of personally identifiable information are: (1) full name combined with date of birth, (2) Social Security number or other government-issued ID, (3) email address or phone number, (4) IP address or device identifier linked to an individual, and (5) biometric data such as facial geometry, fingerprints, or voiceprints. Under GDPR and CCPA, geolocation, browsing history, and behavioral inferences also count as PII when associated with an identifiable person.
What is the difference between PCI and NPI?
PCI data is payment card information governed by the PCI DSS contractual standard, enforced by card brands through acquiring banks. NPI (nonpublic personal information) is a broader category of financial data governed by the Gramm-Leach-Bliley Act (GLBA), enforced by federal and state regulators. A credit card number used at a retailer is PCI data; the same number stored as part of a brokerage account profile is also NPI under GLBA. PCI focuses narrowly on the payment transaction; NPI covers the customer relationship.
How do PII and PHI overlap?
PHI is a HIPAA-defined subset of PII. All PHI contains PII, because PHI must include at least one of HIPAA's 18 identifiers, all of which are also PII. However, not all PII is PHI. PII becomes PHI only when it is created, received, maintained, or transmitted by a covered entity (or business associate) in connection with healthcare. A patient's name on a hospital bill is PHI; the same name on a mailing list is just PII.
Which framework has the strictest encryption requirement?
PCI DSS v4.0.1 has the most explicit encryption requirement: AES-128 minimum, AES-256 recommended for the primary account number (PAN). HIPAA's Security Rule treats encryption as "addressable" rather than mandatory, but in practice AES-256 is the de facto standard for PHI. The GLBA Safeguards Rule (post-2023 amendments) explicitly requires encryption of customer information at rest and in transit. Implementing AES-256 across the board satisfies all four frameworks.
Do state privacy laws apply on top of HIPAA, GLBA, and PCI DSS?
Yes. State privacy laws (CCPA, Virginia's CDPA, Colorado's CPA, and others) generally apply in addition to federal sectoral laws, with some explicit carve-outs. For example, CCPA exempts data already covered by HIPAA or GLBA from most of its provisions, but doesn't exempt the entity. An organization can be both a HIPAA-covered entity and a CCPA-regulated business, depending on the data and the activity. Compliance programs need to map data to all applicable frameworks, not just the most obvious one.
What is the safest way to handle data that falls under multiple frameworks?
Apply the strictest control any framework requires, then map that control to all applicable obligations. AES-256 encryption, role-based access control with audit logging, multi-factor authentication, a 6-year audit-log retention window, and a single incident response plan with a notification-timeline matrix will satisfy the technical requirements of HIPAA, GLBA, PCI DSS, and most state PII laws simultaneously. Trying to maintain separate controls per framework increases cost and audit risk without reducing exposure.
Ready to map your data protection controls across PII, PHI, NPI, and PCI in a single platform? Request a demo to see how the platform supports multi-framework compliance for video, audio, and document data.
About the Author
VIDIZMO Team
See how VIDIZMO helps you securely stream, manage, and maximize your video and digital evidence data with compliant, expert solutions.