What non-HIPAA covered entities must know about protecting PHI

Even companies that are not HIPAA-covered entities need to know how to protect the employee health data they possess, according to attorney Susan A. Miller.

This became apparent with the recent breaches at Sony Pictures Entertainment and the U.S. Postal Service, Miller said in an interview with HealthcareInfoSecurity.com. Healthcare is not the core business of either, but health information on employees and their families was compromised, nevertheless.

Sony is not a HIPAA-covered entity unless it is self-insured, Miller said, and so would not necessarily draw the attention of the HHS Office for Civil Rights (OCR), which enforces HIPAA. But companies holding employee protected health information (PHI) could still face lawsuits and costly fines from state or federal agencies.

She urges companies that hold PHI to store it separately from employment and payroll data. Companies with an on-site nurse, or that perform drug testing or physicals, will have PHI.

She also urges companies to carry breach-protection insurance to cover the costs of an incident, to encrypt the data, and to have a complete breach response plan.

The Sony hack exposed health information on dozens of employees and their children or spouses. A 2014 hack of U.S. Postal Service servers compromised health information for roughly 485,000 current and former employees who had filed for workers' compensation.

Michael Bruemmer, vice president with the Experian Data Breach Resolution group, told HealthcareInfoSecurity.com in a previous interview that organizations don't always know all the places in which PHI resides, making it even more difficult to secure. 

Security experts expect more cyber attacks during 2015, with healthcare considered especially vulnerable. Phishing emails, which try to lure recipients into giving up credentials such as usernames and passwords that grant attackers entry into systems, are expected to be a particular threat, along with ransomware, which lets cybercriminals hold data hostage while demanding payment to unlock it.

To learn more:
- find the interview