Understanding what constitutes protected information, how it can be compromised, and what your organization can do to maintain both compliance and patient trust.
Healthcare organizations handle multiple categories of sensitive data. Understanding the distinctions is critical for proper handling, storage, and transmission.
Under HIPAA, protected health information (PHI) is any individually identifiable health information that is created, received, maintained, or transmitted by a covered entity.
Personally identifiable information (PII) is broader than PHI and includes any information that can identify an individual. While HIPAA covers PHI, state laws and other regulations may protect PII more broadly.
Key distinction: All PHI is PII, but not all PII is PHI. A patient's email address in a medical record is PHI. The same email in a newsletter list is PII but not PHI.
HIPAA provides a Safe Harbor method for de-identifying PHI. If all 18 identifiers are removed, the information is no longer considered PHI and can be used for research, quality improvement, and other secondary purposes without patient authorization.
Remove all 18 identifiers. No expertise required. Provides certainty that data is no longer PHI.
Under the alternative, Expert Determination, a qualified statistical or scientific expert certifies that the risk of re-identification is very small.
Understanding common violations helps organizations implement effective safeguards and training programs to prevent incidents before they occur.
Accessing or disclosing more PHI than necessary for a given purpose. Examples: looking up celebrity records out of curiosity, sharing full charts when only a diagnosis is needed, including unnecessary PHI in communications.
Sharing PHI with unauthorized individuals or through insecure channels. Examples: discussing patients in public areas, sending PHI via unencrypted email, posting case details on social media, leaving records visible.
Failing to implement appropriate technical and administrative controls. Examples: shared passwords, lack of role-based access, terminated employees retaining system access, unlocked workstations in clinical areas.
Sharing PHI with vendors or partners without proper contractual protections. Examples: using cloud storage without a Business Associate Agreement (BAA), third-party billing without agreements, IT support accessing systems without safeguards.
Failing to conduct regular, thorough assessments of security risks. Examples: no documented risk assessment, assessments not updated after system changes, ignoring identified vulnerabilities, lack of remediation tracking.
Workforce lacking awareness of policies and procedures. Examples: staff unaware of password requirements, no phishing awareness, failure to report suspicious activity, not understanding what constitutes PHI.
Penalties are assessed per violation and capped per year. Criminal penalties may also apply for intentional wrongful disclosure.
Generative AI tools offer productivity benefits but introduce unprecedented data exposure risks. Organizations need clear policies that distinguish acceptable use from prohibited activities.
Requirement for an approved AI tool: a signed Business Associate Agreement, model training on your data disabled, audit logging enabled, and IT/security approval.
Risk of consumer AI tools: data may be stored, used for model training, or accessed by the AI provider without your knowledge or control.
When in doubt, apply this simple test: If you removed all patient identifiers from the content, would a reasonable person still be able to identify the individual? If yes, it's PHI and should not go into any AI tool without explicit approval.
"65-year-old male patient John Smith from St. Louis with Type 2 diabetes presenting with..."
"General clinical guideline: Management of Type 2 diabetes in patients over 60 with cardiovascular comorbidities..."
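The "when in doubt" test above, together with the de-identify-before-using-AI training topic further down the page, can be turned into a pre-submission gate that scans text for Safe Harbor identifiers and redacts them. This is an added example, not Velari's code or the page's own: the identifier categories covered, the chart-derived name and city list, and the three sample texts are constructed for illustration, and pattern matching is only a first-pass control that supports, rather than replaces, the Safe Harbor review.

```python
from __future__ import annotations
import re

# Safe Harbor identifier categories with a structural shape that a regex can
# match. Names and geographic units below state level have no fixed shape, so
# they are supplied per record (see record_patterns) rather than guessed.
PATTERNS = {
    "date_smaller_than_year": re.compile(
        r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}"
        r"|(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\.? \d{1,2}(?:, \d{4})?)\b"),
    "telephone": re.compile(r"(?<!\w)(?:\+1[ -]?)?\(?\d{3}\)?[ -]?\d{3}-\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "mrn": re.compile(r"\bMRN[:# ]*\d{6,}\b", re.IGNORECASE),
    "zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
    "age_over_89": re.compile(r"\b(?:9\d|[1-9]\d{2})[ -]year[ -]old\b", re.IGNORECASE),
}

def record_patterns(record_identifiers: dict[str, list[str]]) -> dict[str, re.Pattern]:
    """Patterns for free-form identifiers taken from the chart being discussed (constructed input)."""
    return {cat: re.compile(r"\b(?:" + "|".join(map(re.escape, vals)) + r")\b", re.IGNORECASE)
            for cat, vals in record_identifiers.items() if vals}

def scan_for_phi(text: str, record_identifiers: dict[str, list[str]] | None = None) -> list[tuple[str, str]]:
    """Return (category, matched text) for each identifier found; an empty list means none found."""
    patterns = {**PATTERNS, **record_patterns(record_identifiers or {})}
    return [(cat, m.group(0)) for cat, pat in patterns.items() for m in pat.finditer(text)]

def redact_phi(text: str, record_identifiers: dict[str, list[str]] | None = None) -> str:
    """Replace each identifier with a bracketed category label before the text leaves the organization."""
    for cat, pat in {**PATTERNS, **record_patterns(record_identifiers or {})}.items():
        text = pat.sub(f"[{cat.upper()}]", text)
    return text

def safe_to_submit(text: str, record_identifiers: dict[str, list[str]] | None = None) -> bool:
    """The page's 'when in doubt' test, automated: no identifier found means the text may go to an approved tool."""
    return not scan_for_phi(text, record_identifiers)

# Constructed sample inputs modelled on the two examples above, plus a line with
# structured identifiers; the chart-derived identifiers are constructed as well.
RECORD = {"name": ["John Smith"], "geographic_subdivision": ["St. Louis"]}
PHI_NOTE = "65-year-old male patient John Smith from St. Louis with Type 2 diabetes presenting with..."
GUIDELINE = "General clinical guideline: Management of Type 2 diabetes in patients over 60 with cardiovascular comorbidities..."
STRUCTURED = "Seen 03/14/2024, MRN 00123456, call 314-555-0123."

if __name__ == "__main__":
    for sample in (PHI_NOTE, GUIDELINE, STRUCTURED):
        print(safe_to_submit(sample, RECORD), scan_for_phi(sample, RECORD))
        print(redact_phi(sample, RECORD))
```

Run against the first sample, the gate blocks submission and names the patient name and city as the reasons; the guideline text passes unchanged.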
Effective security awareness training transforms your workforce from a vulnerability into your first line of defense. These are the essential topics every healthcare employee should understand.
Unique passwords for each system, multi-factor authentication on all accounts, never sharing credentials, locking workstations when stepping away, and reporting suspicious access immediately.
Identifying suspicious emails, verifying sender addresses, never clicking unknown links or attachments, recognizing urgency tactics, and reporting suspected phishing attempts to IT.
Clean desk policies, proper disposal of printed materials, securing portable devices, restricting conversations about patients to private areas, and reporting lost or stolen equipment immediately.
Using only approved applications and storage, understanding what can and cannot be stored in cloud services, proper use of encryption for transmission, and reporting accidental disclosures promptly.
Understanding which AI tools are approved, why consumer AI poses risks to PHI, how to de-identify content before using AI, and what to do if PHI is accidentally entered into an unauthorized tool.
Recognizing potential security incidents, understanding the reporting chain, documenting what happened, and knowing that prompt reporting is encouraged and protected — never punished.
The Rule: When in doubt, store it in the EHR or approved organizational system. If it's not on the approved list, don't use it.
Velari provides customized security awareness training, policy development, and compliance program management tailored to your organization's size, specialty, and risk profile.