Protecting PII (Personal Identifiable Information) & PHI (Protected Health Information)

How to protect (PII) and (PHI)?

Essay, 2019

12 Pages



PHI & PII Protection


List of tables



Policies, Procedures and Proper Documentation
Policies and Procedures
Other documentation required

Awareness, Training, and Education

Security Controls

Incident Response Plan


Author Recommendations


List of tables

Table 1 - Policies Important for protecting PII & PHI

Table 2 – examples of Security Controls List

Table 3 - Benefits of being ISO Certified

Table 4 - General Author’s recommendation


PII is Personal Identifiable Information is the information that can be used on its own or with other information to identify, contact, or locate a single person and it is maintained by the information technology department of any organization. An example of PII is data like names, place or date of birth, email address, National ID, Passport Number, employment information finical or medical records, etc. Likewise, PHI has Protected health information according to HIPA is any health information whether oral or recorded in any form of media which is created or received by a health care provider, public health authority, employer, life insurer or hospital.

PII and PHI are different from any kind of data as it should be collected, maintained and disseminated according to fair information practice which is the base of Laws and regulations. In this article, we will discuss what is needed to make your organization able to handle securely and according to privacy laws. Furthermore, it will help in understanding the basic concepts of industry standards like HIPAA Security rule.


McCallister et al. (2010) state in the NIST publications that organizations should maintain personal identification information (PII) data in all its stages within the organizations (e.g. collecting, maintaining and destructing) according to Fair Information Practices (Privacy Principles). The difference between PII data and other types of data that it should be not only protected but their treatment should be according to privacy law in the nation. For example, Fair Information Practices are the building blocks to the privacy laws in US. The fair information practice was established by Organizations of Economic Co-operations and Developments (OECD) and it includes principle like a limitation of the collection, limitation use, data quality, etc. On the other hand, protected healthcare information (PHI) is health-related information that is treated by any entity in the healthcare industry. Scholl et al. (2008) state that an organization must show due care and due diligence in protecting PHI. Health Insurance Portability and Accountability Act (HIPAA) Security rule is a law that provides data privacy and security to medical and health information (Rouse, 2019). HIPPA main goal is to ensure confidentiality, integrity and availability of the PHI. Furthermore, it protects PHI against not permitted use or disclosure of PHI (Scholl et al, 2008). According to NIST, PHI and PII level of protection are determined with respect to their confidentiality Impact level. These impact levels are low, moderate and high which are determined based on the potential harm that could result to the subject individuals and/or the organization if PII or PHI were inappropriately accessed, used, or disclosed.

Due care and Due diligence will be proved in protecting PII and PHI by ensuring the implementations, operations and monitoring the following:

- Policies, Procedures and Documentation.
- Awareness, training and educations
- Technical security controls
- Incidence response
- Audits

Policies, Procedures and Proper Documentation.

Policies and Procedures

Organizations should develop, implement, maintain and monitor comprehensive policies and procedure for handling PII and PHI in the organization level, Program or component level and system level (McCallister et al., 2010; Scholl et al, 2008). Below is a sample of policies that are used to protect PHI and PII and its role.

Abbildung in dieser Leseprobe nicht enthalten

Table 1 - Policies Important for protecting PII & PHI

Other documentation required.

Security Baseline is an example of documents that works as a guide in implementing the minimum level of security on the related subject or technology (Livingston, 2000). For example, the baseline for Systems that are involved with PHI & PII handling (e.g. Server and PC) should be established, followed.


- Security Baseline for PC and Laptop that are required to access the PHI & PII.
- Security Baseline for Servers (e.g. Active Directory, Exchange mailbox, SQL Server, etc.)

The benefits of having these documents are to have a minimum level of test security controls applied to the server and clients sides. These documents support the Information Security Policy and administrators and users are forced to follow it when handling PHI & PII.

Awareness, Training, and Education

NIST has guidelines for the establishment of the Information Technology Security Awareness and Training Program (NIST 800-50). It should be focused on the attention on the protection of PII and PHI. Different staff across Organizations should have periodic evaluated awareness campaigns methods which include:

- New scams that are used to steal identities.
- Providing updates on privacy items in the news (e.g. government data breach and their impact on the individual).
- How staff members are accountable for inappropriate actions with examples  recommended good privacy practice.
- PII definition, How to handle it? And Retention schedule.

The goal is to build Knowledge and skills that enable Organizations IT departments to protect PII and PHI (Wilson and Hash, 2003).

Security Controls

These kinds of controls are required to protect the confidentiality of PII and PHI. Most of the known NIST Publication (800 - 53). This Publication enables the minimum required controls to protect information systems that are handling sensitive information (e.g. PII & PHI) that handle information in rest or in motion. This controls might be technical or administrative or physicals NIST SP (800-53) provides a catalogue of privacy and security controls, besides, continues organizational risk assessments (See Table 2, Page 7) that will help in selection and improvement of these controls (Joint Task Force, 2017). In the following tables, we will list examples of these controls that are mandatory to prove due care and due diligence.

Abbildung in dieser Leseprobe nicht enthalten

Table 2 – examples of Security Controls List

Incident Response Plan

Organizations must develop IT Security Incident reporting response (See Table 1, page 5). It will asset organization in risk mitigation by guiding them in responding effectively and efficiently incidents. By implementing these plan, due care and due diligence will be shown by which incidents will be identified, analyzed, prioritized and handled (Cichonski et al, 2012). According to incident response, IT departments should create an Incident team internally or externally outsourced (e.g. Dell SecureWorks, EY, etc.).


Excerpt out of 12 pages


Protecting PII (Personal Identifiable Information) & PHI (Protected Health Information)
How to protect (PII) and (PHI)?
Catalog Number
ISBN (eBook)
ISBN (Book)
This is Not Submitted to my University. However, I wrote this essay based on my professional and academic experience committed to all academic standard and format.
protecting, personal, identifiable, information, protected, health, PII, PHI
Quote paper
Haitham Ismail (Author), 2019, Protecting PII (Personal Identifiable Information) & PHI (Protected Health Information), Munich, GRIN Verlag,


  • No comments yet.
Read the ebook
Title: Protecting PII (Personal Identifiable Information) & PHI (Protected Health Information)

Upload papers

Your term paper / thesis:

- Publication as eBook and book
- High royalties for the sales
- Completely free - with ISBN
- It only takes five minutes
- Every paper finds readers

Publish now - it's free