What Is PHI?
Protected health information (PHI) is any data, in any form, whether electronic, paper, or oral, that relates to an individual's past, present, or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual. PHI is most closely associated with the U.S. Health Insurance Portability and Accountability Act (HIPAA), and it is the cornerstone of what constitutes patient data and how that data should be used, shared, managed, stored, and protected.
This covers information that identifies, or could be used to identify, the individual and that is created, stored, or transmitted by a Covered Entity (or a business associate of a covered entity). HIPAA lists 18 different identifiers that must be removed, secured, and/or encrypted. These include names, addresses, Social Security numbers, medical record and health insurance numbers, biometric and photographic data, and medical device data and serial numbers.
A Covered Entity includes healthcare professionals, hospitals, insurers, and their business associates (such as a credit card processing company or medical device manufacturer, as well as a cloud service provider or cloud datacenter where sensitive data is stored), and HIPAA requires that they all hold to the same standards of privacy and confidentiality.
Why It Is Important
PHI is extraordinarily sensitive information that could subject an individual to significant harm if disclosed or shared. Patient rights with respect to PHI entail:
- The right to request restrictions for the use of PHI
- The right to examine and copy their PHI
- The right to request amendments or corrections to their PHI
- The right to file a complaint with the covered entity and with the Secretary of Health and Human Services if they believe their privacy has been compromised
PHI Training Requirements
A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information that HIPAA requires, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.
This training includes HIPAA-specific education about the regulation itself and guidelines for how covered entities must comply with it, but the majority of the education and awareness it requires is focused on cybersecurity. Required training topics include, but are not limited to, phishing and email best practices, password best practices, social engineering, data protection (protecting the physical workspace, document management, and document destruction), and the use and disclosure of PHI.
HIPAA clearly outlines the timing and documentation of training: a covered entity must provide training that meets the following requirements:
- To each member of the covered entity's workforce by no later than the compliance date for the covered entity
- Thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entity's workforce
- To each member of the covered entity's workforce whose functions are affected by a material change in the policies or procedures required, within a reasonable period of time after the material change becomes effective
- A covered entity must document that the training has been provided
Common Challenges With Compliance-based Training
When the aim is simply to complete training to satisfy compliance requirements, finishing the security awareness course becomes the goal, when in reality better user recognition of, and response to, threats is what is needed.
Many organizations struggle with the greatest challenge in cybersecurity: we throw the best technology at the problem (the average enterprise has 75 different security products), even though human error accounts for 90% of breaches. This persists because most training is boring, aims only to check the box that compliance training has taken place, and does little to measure whether it actually changed employee behavior.
What Does Good Look Like
Living Security is built on an entirely different premise: that people are your greatest asset. Our solution measures employees' strengths and weaknesses, identifies potential gaps, and then delivers timely, engaging individual and team-based training that creates proven, lasting change.
If your organization has ever struggled with a challenge like "everyone has completed phishing training, but hundreds of employees still click on our phishing simulations over and over," you need a better solution.
The Escape Room
The Escape Room is one example of team training that explores phishing, PHI, and other security concepts through team puzzle solving. Paired with an engaging storyline based on real-life scenarios, it delivers a more impactful learning experience.
The Goal of Security Awareness
The goal of security awareness compliance shouldn't just be to check the box that employees have completed training; it should be to prevent breaches and to minimize the risk and exposure that result from human error.
What Makes Living Security Better
The sensitivity of PHI makes it especially critical to safeguard. It is the underlying foundation of HIPAA compliance, and in many ways it requires a heightened application of personally identifiable information (PII) best practices. The most critical aspect of protecting PHI is restricting its collection and sharing. In order to protect your patients' PHI, you need to train your employees.
Living Security is chosen by more leading global organizations to provide the security awareness training they need, not only to check the box for compliance, but to improve the cybersecurity posture of their organization. Training that is engaging and impactful, and that delivers a 16x increase in retention, helps you create proven, lasting change and turns employees into your strongest cybersecurity asset.
Living Security makes it easy to meet compliance requirements with training modules that include, but are not limited to:
- PHI-specific content
- Passwords (maintaining strong passwords, use of a password manager)
- Phishing (and related forms such as vishing and smishing)
- Physical security (device security, document access and disposal)
- How to report an incident
- Removable devices/USBs
- Mobile devices
- Social media usage and risks of oversharing
- … many, many more.
Our modules range from quick-hit 1-3 minute training sessions per topic to full CyberEscape Room series that cover multiple topics in one experience. Your compliance checklist can easily cover several complex topics in under 15 minutes.
Meet Your Compliance Requirements
Learn more about how Living Security can help you meet your compliance requirements, and actually help your employees make better cybersecurity decisions.