PHI vs. PII: Understanding the Differences for Senior Living Communities

September 3, 2025
Post by Freddie Peyerl

When it comes to resident data, two terms are often used interchangeably but actually mean very different things: PHI (Protected Health Information) and PII (Personally Identifiable Information).

For senior living executives, knowing the distinction is critical. Regulations, responsibilities, and risks vary depending on whether the data in question is PHI or PII. Here’s a clear breakdown.

What is PII?

Personally Identifiable Information (PII) refers to any information that can identify a specific individual, either on its own or when combined with other data.

Examples of PII include:

  • Full name
  • Mailing address
  • Phone number
  • Date of birth
  • Email address
  • Social Security number

Key point: PII is not specific to healthcare — it’s a broad data category that applies in every industry.

Regulations covering PII vary by geography:

  • United States: State-level privacy laws (like CCPA/CPRA in California, or Colorado’s Privacy Act) set requirements for data collection, sharing, and consumer rights.
  • European Union: The GDPR (General Data Protection Regulation) governs PII globally when it involves EU citizens.

For senior living communities, PII typically includes resident and family contact information, staff data, and basic resident records.

What is PHI?

Protected Health Information (PHI) is a special category of data defined by HIPAA (Health Insurance Portability and Accountability Act).

PHI is:

  • Any individually identifiable health information created, received, or transmitted by a healthcare provider, health plan, or business associate,
  • In any form (electronic, paper, verbal),
  • Related to a person’s past, present, or future physical or mental health, healthcare services, or payment for healthcare.

Examples of PHI include:

  • A resident’s diagnosis, medications, or treatment plan.
  • Clinical notes and health assessments.
  • Billing records tied to healthcare services.
  • Location alerts if tied to a resident’s memory care status (e.g., “Jane Doe, memory care resident, left the property”).

PHI vs. PII: Key Differences

| Category | PII | PHI |
| --- | --- | --- |
| Definition | Data that can identify an individual. | Health-related data tied to an identifiable individual. |
| Examples | Name, address, phone, DOB. | Diagnosis, medications, treatment history, resident alerts tied to care. |
| Regulations | GDPR, CCPA/CPRA, other state/federal privacy laws. | HIPAA (in the U.S.), plus state-level health privacy laws. |
| Who Must Comply | Any business handling personal data. | Covered entities (providers, plans) and their business associates. |
| Enforcement | Data protection authorities, state AGs, FTC. | U.S. Department of Health and Human Services (HHS) Office for Civil Rights. |
| Penalties | Fines, lawsuits, reputational damage. | Civil and criminal penalties, corrective action plans, loss of trust. |

Where Senior Living Communities Fit

Here’s where things can get tricky:

  • Independent Living (IL): Usually only handles PII (names, addresses, contact info). HIPAA generally does not apply.
  • Assisted Living (AL) and Memory Care (MC): Often handle both PII and some PHI (level of care, safety alerts, medication reminders). HIPAA may or may not apply depending on services offered.
  • Skilled Nursing Facilities (SNFs): Almost always handle PHI. HIPAA applies, and any vendor dealing with PHI is a Business Associate.

👉 Rule of thumb: All PHI is PII, but not all PII is PHI.

Compliance Requirements: PHI vs. PII

For PII:

  • Be transparent (privacy notices).
  • Collect only what you need.
  • Protect data with reasonable security safeguards.
  • Allow consumers to access, correct, or delete data where required by law.

For PHI:

  • Implement HIPAA’s administrative, technical, and physical safeguards.
  • Ensure data encryption and strict access controls.
  • Maintain audit logs of who accessed PHI.
  • Sign Business Associate Agreements with vendors who handle PHI.
  • Provide breach notifications as required by HIPAA.

Why This Matters for Resident Engagement Platforms

Resident engagement platforms like Quiltt often handle PII (resident names, emails, addresses). Depending on how the platform is used, they may also handle PHI (level of care, elopement alerts, health-related tracking).

That’s why it’s misleading for vendors to say they are “HIPAA compliant.” Instead:

  • They should acknowledge when PHI is involved.
  • They should be prepared to sign a Business Associate Agreement (BAA) when serving covered entities.
  • They should adopt strong safeguards for all resident data, whether it’s PHI or PII.

Bottom Line for Senior Living Executives

  • PII is about privacy in general. It applies everywhere, regardless of industry.
  • PHI is about healthcare. It has stricter rules, applies only in specific contexts, and is regulated under HIPAA.
  • In senior living, whether HIPAA applies depends on your community type and the data being processed.

When evaluating technology partners, ask:

  • Do you understand the difference between PHI and PII?
  • Do you protect both appropriately?
  • Will you sign a BAA if PHI is involved?

At Quiltt, we’re clear about these distinctions. We don’t just say “HIPAA compliant.” We are HIPAA-capable, BAA-ready, and committed to protecting both PHI and PII to keep your residents, families, and staff safe and confident in the technology you deploy.