Last year one out of every three Americans had their protected health information (PHI) compromised during a healthcare data breach, according to the Hacking of Health Care Records Skyrockets report.
In total, that’s about 111 million people who were victimized by large and small-scale breaches.
Up 80 percent from 2014, these PHI breaches are on the rise, leaving healthcare organizations and their associates scrambling to keep sensitive patient data secure. That goes double when it comes to data housed electronically.
It’s such a hot-button issue that the FBI released this admonition to healthcare providers in spring 2014, “the healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely.”
However, it’s not just healthcare organizations and insurance providers that need to exercise caution. As we’ll see, PHI and ePHI touch a number of industries, all of which are subject to hefty fines without a HIPAA (Health Insurance Portability and Accountability Act) compliant data center to back them up.
What is Electronic Protected Health Information (ePHI)?
Let’s first get clear about what data we’re referring to: the protected data that falls under HIPAA’s legal jurisdiction and that HIPAA auditors are on the lookout for.
ePHI stands for Electronic Protected Health Information. What characterizes it as ‘protected’ is its ability to identify a specific individual based on a health care service. Once this individually identifiable health information is created, maintained, or transmitted electronically, it becomes subject to HIPAA’s ePHI rules.
Some notable examples of ePHI include:
- Billing info
- Emails or Texts
- Calendar of Appointments
- Test Results
Which Businesses are Covered Under HIPAA?
The short answer is: any entity that is involved in healthcare treatment, payment or operations. However, this broad definition cuts through multiple industries and extends beyond the healthcare sector’s mainstays like doctors, pharmacists, and clinics.
In fact, many non-healthcare organizations like vendors and subcontractors are often unaware that they are also governed by HIPAA regulations. Yet simply not knowing you’re dealing with sensitive ePHI does not make you exempt. Hackers often target these tangential entities since it’s likely their data isn’t as closely protected.
Some common examples of other non-healthcare Business Associates include:
- Software companies
- App developers
- Medical equipment service businesses
- Shredding and/or documentation storage facilities
- Answering services
How do HIPAA Compliant Data Centers Factor In?
HIPAA’s stringent compliance requirements demand a multilayered approach to security and availability. The physical, technical and administrative measures that go along with that security are as complex as the laws themselves.
Generally, a HIPAA compliant data center will include safeguards and security infrastructure like encrypted storage and backup, the industry’s most robust firewalls, proper data segmentation, and multi-factor user authentication, among others.
In the end, protecting ePHI should be top priority for both healthcare and non-healthcare organizations. Having a HIPAA compliant data center is the most robust way to protect your organization from the damaging consequences of an ePHI breach. Don’t compromise your company’s credibility with an avoidable security gap.
Worried you may not have the proper HIPAA protections in place? We can help you find a solution to keep your patients, employees and company on the right side of the law.