The Ponemon Institute released a report in September 2014 indicating that 43% of companies had experienced a data breach in the past year, an increase of 10% over the prior year. It's not a matter of if your company will be attacked, it's when it will happen. According to the report, the magnitude of the breaches is increasing, and more than 80% of the breaches were caused by employee negligence.
I do believe that we will see a flood of lawsuits pertaining to PHI data breaches and with the stringent HIPAA laws in place, medical practices and the associated industry can expect to pay exorbitant penalties.
Companies need to protect PII, PHI and PCI data from both internal and external threats, and should retain only the information that is crucial to the operation of the business or that they are legally required to keep, so that less is exposed if their data is breached.
Personally Identifiable Information (PII) is information that, on its own or in conjunction with other information, can be used to identify a single person. The National Institute of Standards and Technology (NIST) Special Publication 800-122 defines PII as “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records, and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.” So, for example, a user’s IP address as used in a communication exchange is classified as PII regardless of whether it can, on its own, uniquely identify a person.
Protected Health Information (as defined by HIPAA.COM) means any information, whether oral or recorded in any form or medium, that –
The passage of the HITECH Act increased penalties for information security negligence pertaining to PHI. The act requires organizations that handle PHI to meet baseline criteria for protecting data in transit, in use, at rest, and when it is disposed of. The HITECH Act is noteworthy because it defines what protecting PHI means and puts an emphasis on the encryption of PHI.
The penalties for HIPAA violations and data breaches of PII, PCI and PHI can be devastating to any organization, and companies should not cut corners on HIPAA compliance training or on securing their networks and data.