PII and PHI Best Practices: How Healthcare Organizations Should Handle Sensitive Information


Healthcare organizations handle data that contains sensitive information every single day. Much of this data includes personally identifiable information (PII) and qualifies as protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA).

Data containing PII and PHI can be difficult to manage due to its sheer volume and complexity, but its vulnerability to breaches is even more concerning. A study by the Ponemon Institute found that 89% of the 641 healthcare information technology and security entities it surveyed experienced at least one cyberattack in the past year, with an average of 43 attacks. The study also found that more than 20% of those organizations saw increased patient mortality rates as a result of cyberattacks, mostly due to procedure and test delays.

In addition to worsened patient outcomes, cybersecurity incidents can lead to massive financial losses. A cybersecurity incident in 2020 cost one healthcare organization $67 million, and the average healthcare breach cost $9.2 million.

In this post, we’ll review what PII and PHI are, explain the most frequent causes of PII and PHI breaches, and offer seven best practices you can use to efficiently and securely manage PII and PHI. Finally, we’ll point out how modern technology can help your healthcare organization understand and manage sensitive information.


What is PII and PHI?
The most frequent causes of PII and PHI breaches
7 best practices for efficiently and securely managing PII and PHI
Modern technology can help your healthcare organization better manage its PII and PHI

What is PII and PHI?

Personally identifiable information (PII) is any information that could lead to the identification of an individual.

What does PHI stand for?

By contrast, protected health information (PHI) is individually identifying information that also includes health information and that is created, used, or stored by an entity subject to the Health Insurance Portability and Accountability Act (HIPAA). Put differently:

PII + health information + a HIPAA-governed entity = PHI

Let’s break these definitions down further. What exactly qualifies as “health information”? Generally, health information is information regarding the provision of or payment for physical or mental healthcare services.

HIPAA outlines 18 individual identifiers that, when combined with health information, turn that information into PHI. These identifiers include:

  • names;
  • street addresses;
  • phone numbers;
  • dates or parts of dates other than years;
  • Social Security numbers;
  • account numbers;
  • license plate numbers and other vehicle identifiers; and
  • photos of a person.

HIPAA-protected PHI can come in any form. It may be electronic, written or typed, or oral, and it may include words, images, charts, or descriptions containing characteristics of an individual or their family members.

Now that we’ve covered what PII, health information, and PHI are, let’s talk about the most common occurrences that lead to PII and PHI breaches.

The most frequent causes of PII and PHI breaches

PII and PHI breaches can occur intentionally or by mistake. Here are some of the most frequent causes of PII and PHI breaches:

  • security issues;
  • cyberattacks or hacking, including:
    • phishing (which usually takes the form of deceptive emails containing malicious links);
    • ransomware attacks (where hackers use malware to hide or encrypt data until its owner pays a ransom for its release);
    • cloud-based attacks (cyberattacks directed at offsite data storage platforms); and
    • distributed-denial-of-service (DDoS) attacks (where cyber attackers overload servers with connection requests to force them to go offline);
  • user-related issues;
  • data loss or destruction; and
  • inaccurate transmission of information from paper to computer records.

PII and PHI are especially vulnerable to theft and cyberattacks because they can be sold for large profits on the black market or dark web. Unauthorized users then use this information to commit fraud, extort others, steal identities, launder data, and promote political agendas (otherwise known as “hacktivism”).

How can your healthcare organization protect its PII and PHI from inadvertent disclosure? We’ve assembled seven best practices to guide you.

7 best practices for efficiently and securely managing PII and PHI

By taking these seven steps, your healthcare organization can handle sensitive data more efficiently and protect PII and PHI from inadvertent disclosure.

  • Familiarize yourself with your organization’s data.

The first step to optimizing your PII and PHI management is to take an inventory of the data you have. You want to learn:

  • how, when, and why PII and PHI are gathered;
  • how and where that data is stored; and
  • when and how PII and PHI are disposed of.

After all, knowledge is power—and getting to know your data is key to learning how to securely manage it.

  • Cull unnecessary data.

After you have taken stock of the volume and types of data you have, you can begin to cull your data for duplicate, unnecessary, and outdated documents. That way, your organization can retain only the data you need and minimize the risk of inadvertently disclosing extraneous sensitive information. Of course, any data culling you do should comply with your organization’s records retention and deletion policies as well as HIPAA.

  • Identify your vulnerabilities.

To reduce the risk of a data breach, you must identify security risks and areas where your organization may be vulnerable. To comprehensively protect your PII and PHI, you will also need to assess the security risks associated with any third-party vendors you work with. Once you understand your vulnerabilities, you can take steps to address the security risks you have identified.

  • Limit access and use multi-factor authentication (MFA).

Your organization can limit the risk of user-related issues, data loss or destruction, and theft by simply limiting access to data. One way to limit access is by implementing a least-privilege model that limits employees’ access rights to only the data they need to perform their job duties.

Another method is to use multi-factor authentication (MFA), which requires users to present two or more forms of verification to prove their identity before they can gain access to sensitive information. Because MFA is more secure than single-factor (password-only) authentication, it can prevent individuals both inside and outside your organization from gaining unauthorized access to its PII and PHI.
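The two ideas above, the PHI rule from the definitions section (PII + health information + a HIPAA-governed entity = PHI) and the least-privilege-plus-MFA access check from this step, can be combined into one small policy module. The following Python is an added example, not IPRO's code or any tool the post describes; the identifier formats, the health-term keyword list, the role grants, and the sample records are all assumptions constructed for illustration.

```python
import re

# Identifiers from the page's list that have a regular shape (formats assumed
# for this example). Names and photos have no regular form, so a pattern
# scanner cannot find them; they need a name dictionary or human review.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),  # a bare year is not an identifier
    "account": re.compile(r"\b(?:acct|account)\s*#?\s*\d{6,}\b", re.I),
}
# Constructed keywords standing in for "provision of or payment for care".
HEALTH_TERMS = ("diagnos", "prescri", "treatment", "copay", "claim", "lab result")

def find_identifiers(text: str) -> dict[str, list[str]]:
    """Map each identifier kind found in the text to its matches."""
    return {k: m for k, p in IDENTIFIER_PATTERNS.items() if (m := p.findall(text))}

def classify(text: str, hipaa_entity: bool) -> str:
    """The page's rule: PII + health information + HIPAA-governed holder = PHI."""
    if not find_identifiers(text):
        return "non-identifying"
    if hipaa_entity and any(t in text.lower() for t in HEALTH_TERMS):
        return "PHI"
    return "PII"

def redact(text: str) -> str:
    """Mask identifiers so a record can be routed to reviewers without exposing them."""
    for kind, pat in IDENTIFIER_PATTERNS.items():
        text = pat.sub(f"[{kind.upper()}]", text)
    return text

# Least-privilege policy (assumed): a role reads only the classifications its
# duties require, and reading PHI additionally requires a completed MFA step.
ROLE_GRANTS = {"clinician": {"PII", "PHI"}, "billing": {"PII"}, "marketing": set()}

def can_access(role: str, classification: str, mfa_verified: bool) -> bool:
    if classification == "non-identifying":
        return True
    if classification not in ROLE_GRANTS.get(role, set()):
        return False
    return classification != "PHI" or mfa_verified

# Constructed sample records; not real patient data.
SAMPLES = {
    "note": "Pt Jane Doe, SSN 123-45-6789, seen 03/14/2023, diagnosis: hypertension.",
    "contact": "Call 555-123-4567 to confirm Tuesday's appointment.",
    "summary": "2023 quarterly census: 412 admissions across 3 campuses.",
}
```

The same clinical note classifies as PHI when held by a HIPAA-governed entity and as plain PII otherwise, which is exactly the distinction the formula draws.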

  • Increase your awareness of cyber threats.

To mount an effective defense against cyberattacks, your organization will need to make its staff aware of the threats facing the healthcare industry. For example, your staff must learn how to identify, resist, and report cyber threats such as phishing attempts. Proper training can prevent a data breach and allow you to respond quickly if a breach occurs.

You can educate staff members through in-person training, webinars, or online resources. Whatever method you choose, make cybersecurity training mandatory for everyone in your organization, even if they have limited interactions with technology.

  • Make a security and data breach response plan.

Your healthcare organization should have a plan for preventing and responding to data breaches. This plan should outline the software and other technology your organization will use to defend itself against breaches.

Your security and data breach response plan should also include the immediate steps your organization will take in the event of a breach. Putting a plan in place before a breach occurs is essential because breaches can happen at inconvenient times and a swift response is necessary to mitigate any long-term damage.

  • Invest in technology.

Technological solutions can help your organization better understand its data and safeguard the PII and PHI you’ve been entrusted with.

Experts say that healthcare organizations should be investing more of their resources to shore up their security and defend against cyberattacks. Whereas organizations in other sectors spend 10 to 15% of their information technology (IT) budget on cybersecurity, the average healthcare organization only invests 6% or less of its IT budget on data protection.

Let’s turn to some of the ways that modern technology can help healthcare organizations properly secure the PII and PHI in their custody.

Modern technology can help your healthcare organization better manage its PII and PHI

The range and frequency of data breaches can be intimidating. But luckily, the right tools can help your healthcare organization understand the PII and PHI it holds so you can adequately safeguard it.

IPRO offers a suite of tools specifically designed for healthcare organizations. These tools can help your organization accomplish many of the best practices we’ve suggested so far, including:

  • identifying vulnerabilities so you can take remedial measures to prevent data breaches;
  • archiving information to ensure compliance with HIPAA and other document retention laws and regulations;
  • protecting sensitive information from unintended access and retrieval;
  • culling duplicate, unnecessary, and outdated data; and
  • connecting to data in real time and searching, reviewing, and analyzing that data in place with artificial intelligence (AI) technology.

For example, Live EDA is the go-to solution for gaining valuable insights into your organization’s data. Live EDA allows you to tackle large volumes of data quickly and efficiently, automatically locate PII, PHI, and other sensitive information contained within your organization’s data stores, and send sensitive information to the right reviewers without risking inadvertent disclosure.

Ready to learn more? Contact IPRO to speak to an expert today.