You don't need to search by name? As I understand the law, (which may be very incorrect) First and Last name, or other identifying information is what makes a record sensitive, under the law.
That is incorrect. Name combined with any number of those other pieces of information is what makes the record sensitive. The pieces by themselves is not considered sensitive.
Also, searching by TIN, is very useful when finding accounts.
What's wrong with name, address, phone number, account number, invoice number, PO number, support record number or the like?
If they have none of those, you really have no business pulling up the account for them. If they do have them, you don't need the index on the sensitive information.