Understanding what constitutes protected information, how it can be compromised, and what your organization can do to maintain both compliance and patient trust.
Healthcare organizations handle multiple categories of sensitive data. Understanding the distinctions is critical for proper handling, storage, and transmission.
Under HIPAA, PHI is any health information that can identify an individual and is created, received, maintained, or transmitted by a covered entity.
PII is broader than PHI and includes any information that can identify an individual. While HIPAA covers PHI, state laws and other regulations may protect PII more broadly.
Key distinction: All PHI is PII, but not all PII is PHI.
HIPAA provides a Safe Harbor method for de-identifying PHI. If all 18 identifiers are removed, the information is no longer considered PHI.
Safe Harbor method: remove all 18 identifiers. No statistical expertise is required, and the result provides certainty that the data is no longer PHI.
Expert Determination method: a qualified statistical or scientific expert certifies that the risk of re-identification is very small.
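The following Python example is added here to illustrate the Safe Harbor mechanics described above; it is not code from Velari or from any product the page describes. It takes a patient record with constructed field names (the layout, the sample record and the restricted ZIP prefix set are all assumptions; the identifier categories, the three-digit ZIP rule, the year-only date rule and the over-89 age rule are HIPAA's) and strips or generalizes the Safe Harbor identifiers. It also includes a pattern scan for identifiers that commonly appear inside free-text notes, the kind of content a staff member might paste into an AI tool, with the caveat that pattern matching cannot reliably catch names and is a pre-check rather than a substitute for removing the structured fields.

```python
import re

# Safe Harbor identifier categories removed outright. The field names are a
# constructed record layout; the categories themselves are HIPAA's 18 identifiers
# (names, contact details, SSN, MRN, plan/account/license numbers, vehicle and
# device IDs, URLs, IPs, biometrics, full-face photos, other unique codes).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_id", "photo",
}

# Three-digit ZIP prefixes covering 20,000 or fewer people must become 000.
# This set is a constructed placeholder; the real list comes from Census data.
RESTRICTED_ZIP3 = {"036", "059", "102"}  # placeholder, not an authoritative list


def generalize_zip(zip_code):
    """Keep only the first three digits, or 000 for low-population prefixes."""
    prefix = zip_code[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def generalize_date(iso_date):
    """Dates tied to an individual may keep the year only (input is YYYY-MM-DD)."""
    return iso_date[:4]


def generalize_age(age):
    """Ages over 89 are aggregated into a single 90+ bucket."""
    return "90+" if age > 89 else str(age)


def deidentify_record(record):
    """Return a copy of the record with Safe Harbor identifiers removed/generalized."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue  # drop direct identifiers entirely
        if field == "zip":
            out[field] = generalize_zip(value)
        elif field.endswith("_date"):  # birth/admission/discharge/death dates
            out[field] = generalize_date(value)
        elif field == "age":
            out[field] = generalize_age(value)
        else:
            out[field] = value  # clinical content is retained
    return out


# Patterns for identifiers that tend to appear inside free text (e.g. notes
# pasted into an AI prompt). Names are not detectable this way, so this scan is
# a pre-check, not a replacement for the structured removal above.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,}\b", re.IGNORECASE),
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}


def scrub_free_text(text):
    """Replace matched identifiers with a category tag; return (text, categories)."""
    found = []
    for category, pattern in FREE_TEXT_PATTERNS.items():
        if pattern.search(text):
            found.append(category)
            text = pattern.sub(f"[{category.upper()}]", text)
    return text, sorted(found)


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "mrn": "00123456",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "zip": "10021",
    "birth_date": "1931-04-12",
    "admission_date": "2024-02-03",
    "age": 92,
    "diagnosis": "Type 2 diabetes",
}

if __name__ == "__main__":
    print(deidentify_record(SAMPLE_RECORD))
    note = "Pt Jane, MRN 00123456, DOB 04/12/1931, call 212-555-0100 or jane@example.com"
    print(scrub_free_text(note))
```

Running the block shows the record reduced to a three-digit ZIP, year-only dates, a 90+ age bucket and the diagnosis, while the note scan tags the MRN, date, phone and email but leaves the name untouched, which is exactly why de-identification should be done on structured data before content reaches a consumer AI tool.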
Understanding common violations helps organizations implement effective safeguards and training programs.
Accessing or disclosing more PHI than necessary, for example looking up celebrity records out of curiosity or sharing full charts when only a diagnosis is needed.
Sharing PHI with unauthorized individuals or through insecure channels, for example discussing patients in public areas or sending PHI via unencrypted email.
Shared passwords, lack of role-based access, terminated employees retaining system access, unlocked workstations in clinical areas.
Sharing PHI with vendors without proper contractual protections, for example using cloud storage without a BAA or third-party billing without agreements.
No documented risk assessment, assessments not updated after system changes, ignoring identified vulnerabilities.
Workforce lacking awareness of policies and procedures. No phishing awareness, failure to report suspicious activity.
Per violation, per year. Criminal penalties may also apply for intentional wrongful disclosure.
Generative AI tools offer productivity benefits but introduce unprecedented data exposure risks.
Requirement: Signed BAA, disabled model training, audit logging, IT approval.
Risk: Data may be stored, used for model training, or accessed without your knowledge.
Effective security awareness training transforms your workforce from a vulnerability into your first line of defense.
Unique passwords for each system, multi-factor authentication, never sharing credentials, locking workstations when stepping away.
Identifying suspicious emails, verifying sender addresses, never clicking unknown links, reporting suspected phishing.
Clean desk policies, proper disposal of printed materials, securing portable devices, restricting patient conversations to private areas.
Using only approved applications, understanding cloud storage rules, proper use of encryption, reporting accidental disclosures.
Understanding which AI tools are approved, why consumer AI poses risks, how to de-identify content before using AI.
Recognizing potential security incidents, understanding the reporting chain, documenting what happened, knowing reporting is protected.
Velari provides customized security awareness training, policy development, and compliance program management tailored to your organization's size, specialty, and risk profile.