What is the difference between PII, PHI, and personal data?
PII, PHI, and personal data all describe information tied to an individual, but they come from different legal and professional traditions and carry different obligations. Understanding the distinctions helps records and information governance teams classify, protect, and dispose of sensitive holdings correctly.
PII (Personally Identifiable Information)
PII is the most familiar U.S. term. It generally refers to any information that can be used to identify a specific person, either on its own or when combined with other data. Common examples include name, address, Social Security number, date of birth, and account or device identifiers.
PII is a broad, context-driven concept rather than a single fixed list. Some elements (such as a government ID number) are identifying on their own, while others (such as a ZIP code) become identifying only in combination. U.S. federal handling of records about individuals is shaped in large part by the Privacy Act of 1974.
PHI (Protected Health Information)
PHI is a narrower, regulated subset focused on health. In the U.S. it is defined under health-privacy rules and covers individually identifiable health information held or transmitted by covered entities and their business associates, such as providers, health plans, and clearinghouses.
In short: PHI is health-related PII that falls under a specific regulatory regime. Information becomes PHI because of who holds it and what it concerns, not merely because it relates to a person.
Personal Data
“Personal data” is the term used in many international and modern privacy frameworks. It is typically defined very broadly as any information relating to an identified or identifiable person. This often sweeps in more than traditional PII, including online identifiers, location data, and inferred characteristics.
How They Relate
- PII — broad U.S. concept; information that identifies a person.
- PHI — a regulated, health-specific subset of identifiable information.
- Personal data — the broadest, internationally oriented framing.
The categories overlap heavily, and a single record may qualify as more than one. Programs should map applicable laws to their holdings rather than assume one label fits all. For more guidance, see the privacy and PII topic hub.
Sources & further reading
Authoritative government and non-profit references.
- NIST Privacy Framework — NIST
- Privacy Act of 1974 — U.S. Department of Justice
How to cite this page
APA
RM University Editorial. (2026). What is the difference between PII, PHI, and personal data?. Records Management University. https://www.recordsmgmt.org/questions/difference-between-pii-phi-and-personal-data/
MLA
RM University Editorial. "What is the difference between PII, PHI, and personal data?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/difference-between-pii-phi-and-personal-data/.
Related questions
- Can a multinational use ISO 15489 to build one global records policy, or does it still need separate schedules per country?
- Can blockchain or immutable storage be used for records when privacy laws require you to delete personal data on request?
- Can I keep customer data longer than my retention schedule says if I might need it later?
- Can I keep customer personal data indefinitely if they agreed to my privacy policy when they signed up?
- Can you be fined for failing to honor a data subject's deletion request if you can't find their records?