PII, SPII, and PHI… Oh My!

Why Every Industry Needs to Pay Attention
It's been a while since my last blog post, so let’s have a quick heart-to-heart about data. No, not the “how fast is your internet” kind, but the stuff that can blow up in your face if you’re not careful: Personally Identifiable Information (PII), Sensitive PII (SPII), and Protected Health Information (PHI).
Most people hear “data protection” and think of HIPAA, complete with a mental picture of a nurse whispering behind a clipboard. But the truth is, this goes way beyond hospitals and insurance companies. If you're storing student records, managing financial data, or even keeping a name + email combo in your system, you're part of the data protection party whether you like it or not.
Decoding the Acronyms (Without Putting You to Sleep)
- PII is your baseline: names, addresses, phone numbers, etc. Anything that can identify someone.
- Sensitive PII (SPII) takes it up a notch: think Social Security numbers, financial info, or a combo of data points that, if leaked, could hurt someone.
- PHI is a special kind of sensitive data, tied to health information and regulated by HIPAA. It only counts if it’s collected by or on behalf of a healthcare provider or related entity.
But here's the kicker: this kind of data shows up everywhere.
Hey Educators, It's Not Just Doctors and Bankers
You might not run a hospital, but if you're in the education sector, you're sitting on a gold mine of student data that could qualify as PII or SPII, and sometimes even PHI (think student IEPs, mental health services, or health clinic visits).
- Have a student database with names, addresses, and dates of birth? That’s PII.
- Store scanned copies of student IDs or transcripts? Likely SPII.
- Offer onsite counseling or track immunization records? You just entered PHI territory.
Basically, you don’t have to be a healthcare provider or financial institution to have serious compliance responsibilities. Oh yeah, even Europe's GDPR has a say in it if you’re collecting info from someone in the EU. Fun...
What Happens When It All Goes Sideways
If this info gets compromised, it’s not just a bad day at the office; it could lead to:
- Identity theft
- Financial fraud
- Breach notification requirements
- Loss of trust
- Fines (we’re talking six or seven digits depending on the industry)
And no, some generic "we care about your privacy" footer on your website or emails isn’t going to cut it.
So What Can You Do?
I'm glad you asked. Here's a quick list to stay on top of your data protection game:
- Encrypt data at rest (on your devices and servers) and in motion (during transfer)
- Lock down access. Only those who need the data should be able to see it
- Use MFA and VPNs for remote access
- Educate your staff. Phishing is still the #1 way bad actors sneak in
- Audit your systems regularly. Don’t wait for a breach to find the holes
- Know your data. Map out what you’re collecting and whether it qualifies as PII, SPII, or PHI
Did that list make your head spin a little? You’re not alone.
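The “know your data” step is the one most people skip, so here is an added example (not the post's own tooling) of a small data-map classifier that applies the PII / SPII / PHI definitions above to an inventory of data stores. The field names, the three-identifier “combo” threshold, and the sample inventory are assumptions constructed for the example; swap in your own schema and policy.

```python
"""Data-inventory classifier applying the post's PII / SPII / PHI rules.
Added example, not the post's own tooling; field names and the sample
inventory below are constructed for illustration."""
from dataclasses import dataclass

# Baseline identifiers: any one of these alone makes a store PII.
PII_FIELDS = {"name", "address", "phone", "email", "date_of_birth"}
# Fields that are sensitive on their own (assumed list, based on the post's examples).
SPII_FIELDS = {"ssn", "bank_account", "card_number", "id_scan", "transcript"}
# Health-related fields; labelled PHI only in a healthcare-provider context.
HEALTH_FIELDS = {"diagnosis", "immunizations", "counseling_notes", "clinic_visits"}
# The post's "combo of data points" rule: this many identifiers together are
# treated as SPII (the threshold is an assumption; tune it to your policy).
COMBO_THRESHOLD = 3

LEVELS = ["none", "PII", "SPII", "PHI"]  # ordered from least to most sensitive

@dataclass
class DataStore:
    name: str
    fields: set
    healthcare_context: bool = False  # collected by/for a provider or related entity

def classify(store: DataStore) -> str:
    """Return the highest classification that applies to a data store."""
    fields = {f.lower() for f in store.fields}
    level = "none"
    if fields & PII_FIELDS:
        level = "PII"
    if fields & SPII_FIELDS or len(fields & PII_FIELDS) >= COMBO_THRESHOLD:
        level = "SPII"
    if fields & HEALTH_FIELDS:
        # Health data outside a provider context is still sensitive, but the
        # post reserves the PHI label for data collected in a healthcare context.
        level = "PHI" if store.healthcare_context else max(level, "SPII", key=LEVELS.index)
    return level

def data_map(stores) -> dict:
    """Build the inventory map: store name -> classification."""
    return {s.name: classify(s) for s in stores}

# Constructed sample inventory modelled on the post's education examples.
SAMPLE_INVENTORY = [
    DataStore("student_directory", {"name", "email"}),
    DataStore("sis_core", {"name", "address", "date_of_birth"}),
    DataStore("registrar_scans", {"name", "id_scan"}),
    DataStore("wellness_center", {"name", "counseling_notes"}, healthcare_context=True),
    DataStore("cafeteria_menu", {"dish", "price"}),
]

if __name__ == "__main__":
    for store_name, level in data_map(SAMPLE_INVENTORY).items():
        print(f"{store_name:20s} -> {level}")
```

Once every store has a label, the rest of the checklist (encryption, access control, audits) can be prioritized by that label instead of by guesswork.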
Ready to Lock It Down?
Whether you're a school, a business, a clinic, or something in between, the responsibility to protect your users' data is real. The risks are higher than ever, but so are the tools available to help you stay ahead of the game.
Need help sorting out what data you have and how to protect it? CGuilbert Technologies is here for that. Shoot us a message before your next “security update” comes with a lawsuit attached. We promise we encrypt our emails… and our jokes.