Ohio University

Securing Healthcare Data

Cyber-attacks on healthcare entities can cause downtime and data breaches – and they’re becoming more common each year. At Ohio University, there are controls in place to protect the healthcare data that our HIPAA and HIPAA-like units store, process, and transmit.

Do your part. Be cyber smart.

Ohio University is classified as a HIPAA hybrid-entity, meaning it has units that process health information protected by HIPAA, and units that do not. At Ohio University, units can be divided into three categories: HIPAA Covered entities, HIPAA-like entities, and Non-HIPAA entities. HIPAA Covered entities are those units that store, process, and transmit Protected Health Information (PHI). HIPAA-like entities are those units that process confidential health information but are not subject to HIPAA regulations based on their operations. Non-HIPAA entities are those units that do not interact with PHI or confidential health information. Both HIPAA and HIPAA-like entities are required to protect the data they interact with to the standards set forth by Ohio University’s HIPAA Policy and corresponding standards. The units that are designated as HIPAA and HIPAA-like under Ohio University’s hybrid-entity status can be found at HIPAA at Ohio University, in addition to the HIPAA standards, procedures, and training resources.

PHI is highly valuable to cyber attackers, as it often offers more comprehensive information about a person than other types of protected data. Consider what your healthcare providers may know about you:

  • Your name and contact information
  • Your health history and treatment plans
  • Your family members' identities, relationships to you, and their health histories
  • Your billing information (HIPAA protected)

To ensure the security of PHI and confidential health information at Ohio University, the Information Security Office maintains a list of resources for secure computing that is continually updated. It includes guidance for multi-factor authentication, encryption, and how to identify malicious emails, among other helpful tips. Services that store sensitive data undergo regular security review, and training is available for users to learn security best practices. This training is available for everyone, not just those who interact with sensitive information.

For additional information on what is classified as PHI or confidential health information, the Information Security Office has a searchable table that identifies which OIT-supported solutions can store PHI or confidential health information, along with guidance for other types of sensitive data, such as FERPA, Human Subject Research, and Social Security Numbers, to name a few. If you have questions or would like to know more about securing the PHI or confidential health information you work with, please feel free to request a consultation with our office.