Your team knows how to handle PHI but do you know how to secure it?

December 18, 2019


HIPAA has been around for 20 years, and organizations subject to HIPAA have, for the most part, developed practices and rules to ensure that Personal Health Information (PHI) is shared only with appropriate people and organizations. This handling of HIPAA data is detailed in the “Privacy Rule”.

The Privacy Rule protects individuals' PHI and gives individuals rights over it, including:

  • The right to examine and obtain a copy of their health records in the form and manner they request.

  • The right to ask for corrections to their information.

As important as the Privacy Rule is in ensuring PHI is shared only with the appropriate parties, the Security Rule ensures that the appropriate information security technologies and processes (given the organization's size and complexity) are in place so that PHI is not compromised. In other words, the Security Rule provides for safeguards that ensure the security of the data, namely its confidentiality, integrity and availability, is maintained.


Security of PHI, as well as PII (Personally Identifiable Information), is commonly left to the IT organization (internal or external). However, the security of the data is as important as its privacy, and, as with the Privacy Rule, failure to comply with the regulations can lead to fines and other penalties. Protecting confidential data is a business requirement of healthcare organizations and must be given the attention and resources it deserves.


Organizations of all sizes have been fined for failure to comply with the Security Rule. For example, large organizations are fined for lacking robust technical security technology and processes. Anthem, Inc. was fined $16 million in October for “Risk Analysis failures; Insufficient reviews of system activity; Failure related to response to a detected breach; Insufficient technical controls to prevent unauthorized ePHI access”. In addition, small organizations are also beginning to incur significant fines for failure to have basic practices in place. The Pagosa Springs Medical Center was fined $111,400 in December of 2018 for failure to terminate an employee's remote access. It is important to note that this was a process failure, not a technology failure.



It's time for all healthcare organizations that are subject to HIPAA, regardless of size, to begin actively managing their data security. Size or lack of understanding of the requirements to protect patient data is not an excuse and will not absolve any organization from penalties, not to mention the impact on their patients' and customers' trust.


Deeper Solutions LLC focuses on helping organizations subject to HIPAA build security strategies and document controls (compliance). Deeper Solutions provides strategies appropriate to an organization's size and complexity. Deeper Solutions can be reached at 703 861 6836 or

