HIPAA sets the standard for protecting sensitive patient data. The law requires covered entities and their business associates to protect the privacy and security of protected health information (PHI).
PHI is any information in a medical record that can be used to identify an individual, and that was created, used, or disclosed in the course of providing a health care service, such as a diagnosis or treatment.
Examples of PHI:
• Billing information from your doctor
• Email to your doctor’s office about a medication or prescription you need
• Appointment scheduling note with your doctor’s office
• An MRI scan
• Blood test results
• Phone records
HIPAA-covered entities and business associates should have a written breach response policy and protocol. The policy and protocol should provide clear guidance to the covered entity’s or business associate’s staff regarding how to respond to an actual or suspected breach.
What strategies should a health care provider or insurer pursue to manage the risk?