HIPAA security regulations define Protected Health Information (PHI) as any oral or recorded information, created or received by a health care provider, health plan, employer, insurer, school or university, health care clearinghouse or business associate, that relates to an individual’s past, present or future physical or mental health or condition, the provision of health care to that individual, or payment for that health care.
There are eighteen “HIPAA Identifiers” that can be used to identify an individual, an individual’s family, employers or household members. Examples include names, telephone numbers, email addresses, medical record numbers, photographic images and home address. To see all eighteen identifiers, visit the HIPAA Identifiers page.
Please note that it is a VIOLATION of HIPAA to store PHI on any personal device, such as a USB drive, external hard drive, home computer, iPhone or iPad. Such a violation can cost ECU a fine of up to $1.5 million, and you could be held personally liable for the breach, facing termination, fines and imprisonment.
Protected Health Information (PHI) must only be stored on university-approved and authorized devices. If you are unsure about your storage device, please contact the IT Security Team at ITSecurity@ecu.edu.
In the News
The State of Alaska announced in June 2012 that it is paying $1.7 million to the Federal Government for a 2009 security breach of patient data. A federal investigation following the breach found inadequate security measures in place at Alaska’s Department of Health and Social Services. In October 2009, a portable hard drive had been stolen from the car of an employee of the State Health Department.