Personally Identifiable Information (PII) and Protected Health Information (PHI)
What is Personally Identifiable Information and Protected Health Information?
Personally identifiable information is any information about an individual that can be used to distinguish or trace an individual’s identity, alone, or when combined with other information which is linked or linkable to a specific individual. Protected Health Information is individually identifiable health information held by a covered entity or by a business associate acting on its behalf, excluding certain educational and employment records covered by the Family Educational Rights and Privacy Act.
Examples of Personally Identifiable Information and Protected Health Information include:
- Name
- Social Security number
- Date and place of birth
- Mother’s maiden name
- Telephone number
- Driver’s license number
- Credit card number
- Photograph
- Fingerprints
- Biometric records
- Education
- Financial transactions
- Medical history
- Criminal or employment history
- Medical test results
- Appointment schedules
What are the Risks if Personally Identifiable Information is Misused?
The individual whose PII was misused may experience some degree of adverse effects. Depending on the type of information involved, an individual may suffer social, economic, or physical harm resulting in potential loss of life, loss of livelihood, or inappropriate physical detention. Information lost may be exploited by an identity thief, and the individual may suffer from a loss of money, damage to credit, a compromise of medical records, threats, and/or harassment. The individual may also suffer tremendous losses of time and money to address the damage, embarrassment, improper denial of government benefits, blackmail, and discrimination.
Likewise, organizations may experience harm as a result of a loss of PII maintained by the organization. Harm may include administrative burden, remediation costs, financial losses, loss of public reputation and public trust, and legal liability.
How will I Know if an Incident has Possibly Occurred That Resulted in a Significant Compromise of my Personally Identifiable Information?
If VA suspects your Personally Identifiable Information has been significantly compromised, you will be notified in writing. The notification will describe the specific data involved, the facts and circumstances surrounding the incident, the protective actions VA is taking or you can take to mitigate against potential future harm, as well as a point of contact for more information.
What do I do if I Receive a Letter from VA That My Personally Identifiable Information Has Been or May Have Been Compromised?
If you receive a notification from VA that there has been an actual or suspected compromise of your personal information, directly contact the office sending the letter. Note that you should never give out your personal information, such as a Social Security Number or financial account number over the phone unless you are certain that you are speaking with an official VA representative. If you have any concerns over the authenticity of such a notice, contact the specific privacy office to verify.