HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

How to Secure Patient Information (PHI)

HIPAA requires healthcare organizations of all sizes to secure protected health information (PHI), but how can covered entities secure patient information? If you are asked how you secure patient information, could you provide an answer?

How Can You Secure Patient Information?

HIPAA requires healthcare organizations and their business associates to implement safeguards to ensure the confidentiality, integrity, and availability of PHI, although there is little detail provided on how to secure patient information in HIPAA regulations.

This is intentional, as the pace at which technology advances is far greater than the speed at which HIPAA can be updated. If details were included, they would soon be out of date.

Technology is constantly changing and new vulnerabilities are being discovered in systems and software previously thought to be secure. Securing patient information is therefore not about implementing security solutions and forgetting about them. To truly secure patient information you must regularly review your security controls, update policies and procedures, maintain software and security solutions, and upgrade when new, better solutions are developed.

There is no single security solution that can be used to secure patient information. To keep patient information secure you need to implement layered defenses: a range of protective mechanisms that slow down any potential attack and make data access much more difficult. This is often referred to as defense in depth.

Typical security measures that can be implemented as part of a layered security strategy include:

  • A firewall to prevent unauthorized individuals from accessing your network and data
  • A spam filter to block malicious emails and malware
  • An antivirus solution to block and detect malware on your system
  • A web filter to prevent employees from accessing malicious websites
  • Access and privacy controls to prevent improper access from within the organization
  • Data encryption on all portable devices
  • Encryption to protect data in transit – encrypted email for instance
  • A secure (HIPAA-compliant) messaging platform that encrypts all communications
  • An intrusion detection system that monitors for file changes and irregular network activity
  • Auditing solutions that monitor for improper accessing of patient information
  • Disaster recovery controls to ensure continued access to data in the event of an emergency
  • Extensive backups to ensure patient information is never lost
  • Security solutions allowing the remote deletion of data stored on mobile devices in the event of loss or theft
  • Security awareness and anti-phishing training for staff
  • Physical controls to prevent data and equipment theft
  • Vulnerability scanning and penetration testing to identify vulnerabilities before they are discovered by hackers
  • Good patch management policies to ensure software is kept up to date and free from vulnerabilities

HIPAA-covered entities can implement all or a selection of these security controls, or can outsource these services to a managed service provider (MSP).

Patients Might Ask How Their PHI is Secured

If a patient asked you how you secure patient information, would you be able to provide them with an answer? For many physicians, the answer would be no. Physicians are concerned with providing care to patients, not with the nitty-gritty of implementing security solutions and safeguards to ensure the confidentiality, integrity, and availability of PHI. That task is often left to their IT departments and the individual in charge of HIPAA compliance. Many healthcare professionals would be in a similar boat.

However, given the volume of healthcare data breaches that are now occurring, and the risk of harm and loss as a result of the theft of PHI, many patients are concerned about data security and may ask the question.

Patients want to be reassured that any information provided to, created by, and maintained by their healthcare providers is secure and remains confidential. It can be helpful to know what measures have been used to secure their information, so you can provide information in general terms.

In most cases a simple explanation is all that is required. Patients just want reassurance that their health information is secure and will remain confidential.

In general terms, you could explain that you secure patient information by:

  • Encrypting PHI at rest and in transit (if that is the case)
  • Only storing PHI on internal systems protected by firewalls
  • Storing charts in secure locations where they can only be accessed by authorized individuals
  • Using access controls to prevent unauthorized individuals from accessing PHI
  • Only sharing PHI with individuals or organizations to facilitate the provision, coordination, or management of health care and related services such as payment and billing
  • Only sharing PHI with a limited set of third parties after a contract has been entered into to ensure they abide by strict rules covering uses and disclosures of PHI and data security
  • Retraining all staff (annually) to maintain high privacy and data security standards
  • Using the latest software versions, ensuring all software and operating systems are kept up to date, and using anti-virus solutions to block malware

If patients require more information or want details, you could explain that for security reasons you cannot provide detailed information about the security controls you have in place, just as you would not tell anyone where your safe is located and how many turns of the dial are required to open it.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.