As promised in my introductory blog post, I will be writing a blog series exploring several issues regarding healthcare data breaches. Specifically, I will address the importance of proactively preventing them rather than reacting to them after the damage is done.
Who Needs PHI to Conduct Business?
Individually identifiable health information held or transmitted by a Covered Entity or Business Associate is protected under the HIPAA Privacy Rule and is formally called Protected Health Information (PHI).
PHI can take any form or medium: electronic, paper, or oral. It includes demographic information, and it relates to an individual's past, present, or future physical or mental health or condition, the provision of healthcare to the individual, or the past, present, or future payment for the provision of healthcare to the individual. To be PHI, the information must identify the individual or provide a reasonable basis to believe it could be used to identify them; the electronic subset is commonly referred to as ePHI.
Individuals, organizations, and agencies that fall under the HIPAA definitions of a Covered Entity (health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with a HIPAA standard transaction) or a Business Associate (any person or entity that creates, receives, maintains, or transmits PHI on behalf of a Covered Entity) must comply with the HIPAA/HITECH Rules. The Privacy Rule governs all PHI in any form, the Security Rule sets administrative, physical, and technical safeguards for ePHI, and the Breach Notification Rule governs what must happen when unsecured PHI is compromised. Together they require these entities to adequately protect the privacy and security of PHI while also honoring individuals' rights to access their own PHI. Since the HITECH Act, Business Associates are directly liable for their own compliance, not merely through contract with the Covered Entity.