WinZip Enterprise Blog

Protecting the world's most sensitive data for over 30 years.


HIPAA and PII: How they are connected 

WinZip Blog – September 22, 2022

The Health Insurance Portability and Accountability Act (HIPAA) sets national standards intended to make health coverage portable, simplify healthcare administration, and combat fraud in the medical industry. When it was first signed into law in 1996, its primary aim was to regulate the health insurance industry, not to protect data.

However, HIPAA also directed the Department of Health and Human Services (HHS) to adopt standards protecting the privacy and security of patient health information. HHS published the Privacy Rule in 2000 and the Security Rule in 2003 as regulations issued under HIPAA.

The purpose of the Privacy and Security Rules is to safeguard an individual's health information as it is created, stored, and shared by healthcare providers, health plans, healthcare clearinghouses, and the business associates that work on their behalf. Under HIPAA, this information is known as protected health information, or PHI.

Protected health information is a subset of personally identifiable information, or PII. The two overlap, but they are not the same. Any information that relates to an individual and, directly or indirectly, makes it possible to determine their identity is PII.

On its own, PII is not PHI and is not subject to HIPAA. PII that a covered entity or business associate creates, receives, maintains, or transmits together with health information is a different matter: that combination is PHI.

In this article, we will explore the connection between HIPAA, PII, and PHI, as well as strategies for keeping your organizational data HIPAA-compliant.

How PII impacts HIPAA compliance

Health information is anything that relates to an individual's past, present, or future physical or mental health or condition, to the provision of healthcare to that individual, or to payment for that care.

HIPAA restricts the use and disclosure of health information that allows the individual to be identified. The Privacy Rule's Safe Harbor de-identification standard lists 18 identifiers that must be removed before health data stops being PHI, among them names, addresses, telephone numbers, account numbers, medical record numbers, and health plan beneficiary numbers.

An identifier such as an address or a phone number is not PHI by itself. Once a covered entity or business associate holds it alongside health information, however, the combined data is PHI, and HIPAA applies to all of it, the address and phone number included.

The simplest way to state the connection between HIPAA and PII is this: all protected health information is personally identifiable information, but not all personally identifiable information is protected health information.

Unauthorized access to or misuse of PHI can have severe consequences for the affected individuals and for the organization responsible for protecting the data. Stolen medical records are widely reported to sell on criminal markets for 10 to 15 times the price of stolen credit card data.

This is because a single healthcare record can contain several types of personal information at once: date of birth, address, insurance and payment details, and more. With all of this in hand, criminals can commit identity theft, open credit accounts in the victim's name, and resell the records to other criminals. Unlike a card number, a date of birth or a diagnosis cannot be reissued after a breach.

Criminals can also use PHI to obtain medical care under the victim's name. When this happens, the victim can be left with debt for treatment they never authorized or received, and with someone else's diagnoses and prescriptions mixed into their medical record.

Safeguarding your organizational data

Covered entities and their business associates must meet HIPAA's requirements for data privacy and security. One component of this is data classification, which separates data by type, by sensitivity, and by the risk that its compromise would create.

In most classification schemes, both PHI and PII fall into the restricted tier, the most sensitive category, and should be first in line when data security controls are designed. For example, organizations typically encrypt their most sensitive classifications so that the information is unusable to anyone who does not hold the corresponding key.

Without adequate measures to protect PHI in a dataset, a breach has consequences beyond the breach itself. Under HIPAA's Breach Notification Rule, a breach of unsecured PHI must be reported to the affected individuals and to HHS, and, where more than 500 residents of a state are affected, to prominent media outlets as well.

Had the data been encrypted, the notification requirement would not apply. HIPAA treats PHI that is encrypted in line with HHS guidance (which points to NIST recommendations for data at rest and in transit) as secured, so its exposure is not a reportable breach. Two conditions matter in practice: the encryption must meet that guidance, and the key must not have been compromised along with the data. A key stored on the same laptop, file share, or backup as the files it protects offers no safe harbor at all.
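As an added illustration (this is example code written for this article, not WinZip's code and not a description of WinZip's own file format), the following Go program shows the property the paragraphs above rely on. A constructed record containing both PII and health information is sealed with AES-256-GCM; the resulting blob is useless to anyone who obtains it without the key, fails to decrypt under a different key, and is rejected outright if a single byte is altered. The record contents and field names are invented for the example. The key is generated in memory here; in a real deployment it would come from a key management service and would never be stored beside the encrypted file, which is exactly the condition the breach-notification safe harbor depends on.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// sampleRecord is a constructed example, not real data. The name and address
// alone are PII; combined with a medical record number and a diagnosis and held
// by a covered entity, the whole record is PHI.
const sampleRecord = `{"name":"Jane Example","address":"123 Main St, Anytown","mrn":"MRN-0001","diagnosis":"J45.20 mild intermittent asthma"}`

// newKey returns a fresh 256-bit AES key. In production the key comes from a
// KMS or HSM and is never written to the same storage as the ciphertext.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// encryptPHI seals plaintext with AES-256-GCM. The output layout is
// nonce || ciphertext || authentication tag, so the blob carries everything
// needed to decrypt it except the key.
func encryptPHI(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptPHI reverses encryptPHI. GCM authenticates before releasing any
// plaintext, so a wrong key or a modified blob yields an error, never garbage.
func decryptPHI(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	blob, err := encryptPHI(key, []byte(sampleRecord))
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted blob (%d bytes), first 16: %x\n", len(blob), blob[:16])

	// Scenario 1: an attacker steals the blob but the key lives elsewhere.
	attackerKey, _ := newKey()
	if _, err := decryptPHI(attackerKey, blob); err != nil {
		fmt.Println("wrong key:", err)
	}

	// Scenario 2: the blob is altered in transit or on disk.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := decryptPHI(key, tampered); err != nil {
		fmt.Println("tampered blob:", err)
	}

	// Legitimate path: the correct key recovers the record intact.
	plaintext, err := decryptPHI(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("decrypted:", string(plaintext))
}
```

Run it with `go run main.go`. The two failure cases print `cipher: message authentication failed`, which is the whole point of using an authenticated mode: an attacker who holds only the ciphertext learns nothing, and one who modifies it cannot make the recipient accept the result. The design choice that turns this into a safe harbor is organizational rather than cryptographic: keep the key out of the storage, backup, and transport path that carries the encrypted files.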

To see why breaches that expose PII are especially damaging for healthcare organizations, consider these recent events:

  • SuperCare Health, a respiratory care provider, suffered a data breach in July 2021 that affected the data of more than 318,000 individuals. According to a proposed class action lawsuit, the hacking incident occurred because the company failed to implement reasonable security measures. Specifically, the complaint alleges that the PHI and PII in the compromised files were not encrypted.

  • In February 2022, Professional Finance Company (PFC), a debt collection agency, suffered a ransomware attack that exposed the data of more than 2 million patients. Several class action lawsuits have already been filed, alleging that PFC failed to properly secure its data. It is still not clear how many records were compromised, but the attack affected 657 HIPAA-covered entities.

How WinZip Enterprise helps protect PII

In a landscape where one industry study found that 93% of company networks tested could be breached from the outside, safeguards such as data encryption are more important than ever. Many organizations, however, encrypt data only at rest. Transport encryption such as TLS protects a file while the connection is open, but not once it lands in a mailbox, a shared drive, or a partner's system. File-level encryption travels with the file itself.

WinZip® Enterprise is a customizable solution that offers file-level encryption wherever your files are. It encrypts files with AES, so PII and PHI stay protected whether at rest or in transit, and reading them requires the key rather than mere access to the storage location. With centralized IT controls, you can set file sharing, backup, and security policies to fit your organization's needs.

Discover how WinZip Enterprise helps organizations protect PII and stay HIPAA-compliant.



Copyright ©2021 Corel Corporation. All Rights Reserved. WinZip is a Registered Trademark of Corel Corporation