← All posts

What Counts as PII? A Plain-English Guide for Regulated SMBs

April 17, 2026 · admin@myvaultmate.com

Personally identifiable information (PII) is any data that can identify a specific person — on its own or combined with other details. For regulated small and mid-sized businesses in healthcare, legal, and financial services, knowing exactly what counts as PII is the first step toward protecting it.

The two tiers of PII

Direct identifiers point to a person by themselves: Social Security numbers, passport and driver's-license numbers, payment card numbers, and medical record numbers. Indirect identifiers — date of birth, ZIP code, gender, employer — don't identify someone alone, but combine just a few and re-identification becomes trivial.

Sensitive categories that raise the stakes

  • Protected health information (PHI): diagnoses, treatment notes, insurance IDs — regulated under HIPAA.
  • Cardholder data: the primary account number (PAN) and related details — regulated under PCI DSS.
  • Financial identifiers: bank account and routing numbers.
  • Government IDs: SSNs and the equivalents that fuel identity theft.

Where PII actually lives

In practice, the riskiest PII isn't in your locked-down database — it's in the forgotten spreadsheet on a front-desk PC, the scanned intake form in a Downloads folder, or the email attachment synced to someone's personal OneDrive. This "shadow data" is invisible to most controls precisely because no one remembers it exists.

The takeaway

You can't protect what you can't see. A regular scan of every endpoint — local drives, cloud-synced folders, and external disks — turns an unknowable sprawl of PII into a prioritized, fixable list. That's the foundation every compliance framework is built on.