Big data analytics, IoT in healthcare, and the advantages of cloud usage such as scalability, cost savings, and enhanced security have all influenced the increase in cloud adoption for healthcare in recent years. As healthcare organizations move to harness advanced technologies in the cloud, they are accumulating larger and larger sets of rich data to help transform healthcare through improving patient outcomes, broadening access to care, and enhancing medical research. Much of this sensitive data is protected health information (PHI), which must be properly secured and tracked within the cloud.
What is Protected Health Information (PHI)?
According to HIPAA Journal, “Protected health information includes all individually identifiable health information, including demographic data, medical histories, test results, insurance information, and other information used to identify a patient or provide healthcare services or healthcare coverage. ‘Protected’ means the information is protected under the HIPAA Privacy Rule.” Electronic protected health information or ePHI is defined in HIPAA as any protected health information (PHI) that is created, stored, transmitted, or received in any electronic format or media.
When organizations store PHI electronically, they need to be mindful of where it is all stored – from creation to destruction – just as they previously did with paper records. Oftentimes, in electronic settings, data sprawl occurs, and organizations lose sight of where all of their PHI resides within their systems. This causes problems and risk. After all, if you don’t know where PHI lives within your organization, how will you know whether it’s being protected?
What Are Best Practices for Tracking PHI in the Cloud?
For healthcare and healthcare-adjacent organizations, it is critical to define safeguards around sensitive data, which can only be accomplished by creating a data inventory and assessing the safeguards currently in place, so you know where additional support is needed. That’s where an ePHI inventory comes in. Creating an ePHI inventory involves collecting and compiling information about where and how ePHI is stored, received, maintained or transmitted within your organization. Doing this on your own can be a time-consuming process and a heavy lift on resources, especially if you are starting from scratch. However, there are numerous benefits that your organization can reap from this inventory, beyond just understanding where PHI lives.
Why Do I Need an ePHI inventory?
Not only is an ePHI inventory effective for understanding where PHI lives, it’s also a part of the evidence-gathering process involved in a Security Risk Assessment (SRA). In accordance with the HIPAA Security Rule, covered entities and Business Associates must conduct an SRA on an annual basis to ensure that adequate measures are in place to protect PHI. Although conducting regular HIPAA SRAs may seem like a hassle, the cost of failing to conduct them and therefore failing to remediate risks is much worse. Penalties can include millions of dollars in fines, civil and criminal litigation, restitution, and damage to institutional and professional reputations. Moreover, it’s not just about risk minimization—there are business upsides to having a current ePHI inventory that include more efficient data analysis, shorter development timelines and potential cost optimization.
Deciding what is and is not PHI for this inventory build requires expertise and a significant investment in time and resources, as does deciding if the measures in place adequately protect that data.
ClearDATA Assess® software within the ClearDATA Healthcare Security and Compliance Platform® can help you create and manage an ePHI inventory so you can find your security gaps before a hacker does.
How ClearDATA Assess Can Help You Keep Track of PHI
To complete a HIPAA Security Risk Assessment (SRA) using ClearDATA Assess, you first fill in the ePHI Inventory with the built-in feature that displays the information required to measure the risk of each asset. This helps you and our risk assessment team document where sensitive information exists within your organization and determine the level of risk associated with it. When an ePHI asset and its details are added into the inventory, each asset is then given a risk score, included as a component in the risk assessment. All assets documented in the inventory will remain saved in the Assess portal so you can access it when you need to, whether for next year’s SRA or for auditing purposes.
To minimize risk as you grow your organization, consider keeping a current ePHI inventory, a process that can be simplified with ClearDATA Assess.
Beyond creating an ePHI inventory and identifying risks and vulnerabilities, Assess software also helps you manage and remediate identified risks—all through one portal. Our team of experienced professionals creates your custom Risk Management Plan, displayed through an interactive and intuitive dashboard where your team can assign tasks and timelines to track progress against remediating identified risks. Your Risk Management Plan portal screens can also be shared with auditors, should the need arise.