Organizations are required by the Federal government to identify PII (Personally Identifiable Information) and PHI (Protected Health Information) in their businesses. Both PII and PHI must be handled securely by organizations, because any unlawful release of this sensitive info could be severely damaging for the person whose information was compromised and the entity accountable for sensitive data protection.

What’s PII?

Personally Identifiable Information, or PII, is any data that can be used to contact, locate or identify a specific individual, either by itself or combined with other sources. An individual’s financial, medical, educational or employment records can include PII.

Examples of PII- Data elements used to identify a person include:

• Personal Identification numbers (driver’s license, passport, credit card, social security)
• Name (includes full name, maiden name, mother’s maiden name, any aliases)
• Address info (street address, email, telephone numbers)
• Personal/biological traits—distinguishing features, fingerprints, x-rays, etc.

Protect your PII- As we have mentioned in past blogs, warn employees about sharing their SSNs, be hesitant before signing into public Wi-Fi, always be on the lookout for phishing scams, and seriously limit what you (and employees) share on the web and social media. Internally, restrict access to PII in your organization’s systems to only those individuals that require access.

What’s PHI?

Protected Health Information (PHI) refers to any information that relates to:

• The individual’s past, present or future physical or mental health or condition
• How much the individual receives in health care (provision of healthcare)
• The past, present or future payment for the provision of health care to the individual
• The individual’s identity or for which there is a reasonable basis to believe it can be used to identify the individual.
• Elements of PII listed above

The Health Insurance Portability and Accountability Act, or HIPAA as it is referred, has required certain security regulations be adopted for PHI purposes. PHI can be “data” (information listed above) that is either maintained or transmitted through a variety of mediums (speech, electronic, paper).

Protect your PHI- There are ways you can combat PHI security obstacles...

• Train employees on policies and procedures relating to HIPAA
• Know where PHI is collected, used, shared and transferred
• Keep documents that contain PHI well-concealed (not out on main reception desk, not on a computer that can be seen from the waiting room, etc.)
• Conduct an annual risk assessment to pinpoint any security gaps
• Make sure laptops and mobile devices are secure.
• Know when and to whom any PHI can be released.
• Destroy any PHI that is no longer needed- Paper records must be shredded, and electronic data must be deleted according to guidelines set forth by the Department of Health and Human Services (DHHS)
• If applicable, require those vendors that you work with that may have access to PHI (“Business Associates”) to attest to their compliance with HIPAA regulations.

Employers must provide notification to any individual whose information has been compromised. PII and PHI breaches have cost the healthcare industry $6.2 billion per year, according to a recent Cost of Data Breach study. The DHHS urges all businesses and individuals to comply with security regulations, and notify them if you experience anything suspicious with you or your employees’ PHI or PII.

Questions about PII and PHI? Reach out to me or any member of our Information Security Services Team.