One type of personal data we should be concerned with keeping secure is Protected Health Information, or PHI. PHI is defined in the Privacy Rule section of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as “individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral” (U.S. Department of Health & Human Services). While HIPAA was enacted to address the protection of PHI, it falls short of this task for three reasons: there are no measures to proactively ensure entities are abiding by its guidelines; the penalties are subjective and fail to inflict enough punishment on entities for data breaches; and it puts the onus on the individual to report the exposure of their personal data.
With the electronic age upon us, data is more and more readily available to anyone with a PC, smartphone or other computing device. The internet has become the information center for just about anything. As companies develop websites to provide access to various types of data, from financial to sales to medical, they are also storing much of this data within their own data centers or with companies that lease computing space. Along with the increase in information availability, the risk of exposing confidential or personal data increases.
PHI is stored in various databases in doctor’s offices, hospitals, diagnostic clinics, health care insurers and clearinghouses that manage data on behalf of smaller businesses. This data is managed by numerous individuals who access it in the course of performing the duties of their jobs. In doctor’s offices and hospitals, large numbers of individuals access data in order to manage a person’s health matters. Healthcare insurers and clearinghouses manage the data for claim payment, reporting and trending of healthcare-related issues. Behind the scenes, inside the computers housing the data, there are complex programs that manipulate, format and update it. As you can see, there are many avenues for PHI to be exposed.
PHI is transmitted from one office to another, to another business, or to individuals requesting their own records. During this transmission there are vulnerabilities in the computer networks, personal computers or handheld devices, and data centers that house the data. As technology progresses and ‘cloud’ computing becomes more prevalent, there will be even less control over who houses your data and how it is transmitted.
As a measure to ensure the security and confidentiality of personal data, and more specifically PHI, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted on August 21, 1996. “The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires a system of health care information exchanges by computers and through computer clearinghouses and data networks by February 1998. HIPAA also requires that Congress enact privacy protection...