What is PII and PHI Security? Why is it Important?

Informed employees who are fully aware of the consequences of data breaches can reduce the risk of unauthorized use and disclosure of patient PHI/PII. PHI applies to HIPAA-covered entities that contain identifiable health information. Assuming that you can use them for the same purpose can lead to compliance issues for any healthcare business.

Each unique organization will have unique controls specific to their environment that delivers multi-layer protection – there is no same size fits all. In such cases, the IRB also approves a waiver of documentation of consent, and the investigators must obtain verbal authorization instead of a written authorization. The verbal consent/authorization must contain all the required elements of consent plus HIPAA Authorization. N-able’s N-hanced Services allow you to unlock the full potential of N-able products. Our tools and team of experts will guide you through onboarding, migration, provide health checks and offer… Information is one of our most precious resources and is the asset that powers and enables our business.

PII is information that can be used to uniquely identify, contact, or locate a single person. Personal information that is “de-identified” is not considered sensitive. Note that UMID numbers by themselves are not considered sensitive or personally identifiable information. While Social Security numbers are a type of PII, the legal requirements for protecting them are much more stringent than for other PII.

Social Security and credit card numbers should only be used for required and lawful reasons. If you must keep PII, you should have a retaining policy for written records to determine what PII should be kept, how to secure it, how long to keep it, and how to dispose of it securely if need be. One of the most effective PII security plans addresses physical breaches, electronic safety, employee training, and contractor and service providers.

For example, posting or sharing PHI online without the approval of the patient is a HIPAA violation. A patient at Northwestern Medicine Regional Medical Group , issuing for a breach of privacy in relation to her medical records while in the hospital. She accused a hospital employee of accessing her medical records and then posting them on Twitter about health care and procedures she received at MMRMG. The records consisted of very delicate information about emergency room visits, medications, medical history, and imaging results. This employee went a step further and told her patient’s ex, now her boyfriend told him about her patient’s PHI. Then NMRMG sent a letter to the patient acknowledging that inappropriate access to PHI had been released to the public.

Operating system for the device that you’re using and information about the browser you used when visiting the site. The operating system is software that directs a computer’s basic functions, like executing programs and managing storage. IP address (an IP or internet protocol address is a number that’s automatically assigned to a device connected to the internet).

Next, here is an example of a small company with a case study about HIPAA and social media disclosure of PHI. It has made communicating with each other a lot easier and more convenient over the internet. CMS.gov doesn’t collect name, contact information, or other similar information through these websites unless you choose to provide it. We do collect other, limited, non-personally identifiable information automatically from visitors who read, browse, and/or download information from our website.

Once the specified objective is achieved, the data will be retired or destroyed in accordance with published draft records schedules of CMS as approved by the National Archives and Records Administration. If you opt out of the tools used by CMS.gov via the Privacy Manager or by opting out of the tools directly, you’ll still have access to information and resources at CMS.gov. If you do answer these questions, don’t include any PII/PHI in your answers. We analyze and use the information from these surveys to improve the CMS.gov website. The information is available only to CMS managers, members of the CMS communications and web teams, and other designated federal staff and contractors who require this information to perform their duties. Improve our public education and outreach through digital advertising.

Share This