The One PII/PHI Data Point No One is Discussing

In a February 2024 discussion of the differences and similarities between personally identifiable information (PII) and protected health information (PHI), I published an exhaustive list of types of PII, some of which are also PHI.

• Social Security Number. 
• Passport number.
• Driver’s license number.
• Taxpayer identification number.
• Patient identification number.
• Financial account number.
• Credit card number.
• Personal address.
• Personal telephone number.
• Photographic image of a face.
• X-rays.
• Fingerprints.
• Retina scan.
• Voice signature.
• Facial geometry.
• Date of birth.
• Place of birth.
• Race.
• Religion.
• Geographical indicators.
• Employment information.
• Medical information.
• Education information.
• Financial information.

Looks complete to you, doesn’t it? Well, it isn’t. To, um, identify the missing bit of information that is both PII and PHI, take a look at this LinkedIn post from Jack Appleby. (Thanks to packaging expert Mark Wilson for bringing this post to my attention.)

“A dream brand just sent me a gift package & invite… but they broke the two most important rules of influencer gifting…

“The package was a ridiculously cool collab hoodie + an invite to an event I’ve wanted to go to since I was just a little kid… but the hoodie is a medium… and I’m an XL… and my name was spelled wrong on the invitation.”

And no, I’m not talking about Jack Appleby’s name.

I’M TALKING ABOUT HIS HOODIE SIZE.

And yes, hoodie size in combination with other information is both PII (personally identifiable information) and PHI (protected health information). If your hoodie size is XXL, but your height is only 5’1”…that has some health implications.

Yet at the same time it’s also vital business information. It’s collected from prospects and new employees at trade shows and during employee onboarding. And as Appleby’s example shows, there are potentially severe consequences if you get it wrong.

But does your favorite compliance framework include specific and explicit clauses addressing hoodie size? I bet it doesn’t. And that could be a huge privacy hole.

(The hoodie in my selfie is from my 2022-2023 employer. And yes I still wear it. But I got rid of my IDEMIA, MorphoTrak, Motorola, and Printrak attire.)