
How are you protecting your clients' private information?

Posted: Fri Mar 01, 2019 7:32 am
by pageltd
Cleaning up a data breach can be very expensive, stressful and disruptive to your business. It can bring legal and financial troubles your way very quickly. There are some statistics that suggest that a large percentage of businesses will go out of business after a data breach.

Buying data breach / cyber attack insurance is absolutely critical. BUT, it's not the first step or line of defense. The companies that write cyber liability will require specific measures be in place before they will even consider offering you protection.


How are you protecting your clients' information?
How do you handle PII (Personally Identifiable Information) and/or PHI (Personal Health Information)?
Do your practices comply with state/federal law regarding PII and PHI and/or HIPAA?
Have you ever conducted a self audit to determine the level of security OR vulnerability?
Do you have a staff member or outsourced company that is entrusted with your IT security?
Has your staff been trained in the correct practices?
Do you have a procedure to deal with a data breach?
Do you think the Russians could hack into your database? ;)

Worth considering for a moment. It's not very complicated, but it takes time and a bit of dedication and I want to hear from insurance agents. This could be a very interesting discussion!

Re: How are you protecting your clients' private information?

Posted: Fri Mar 08, 2019 9:04 am
by pageltd
No responses? C'mon people!

Re: How are you protecting your clients' private information?

Posted: Thu Mar 28, 2019 6:10 am
by pageltd
Similar to another topic that I started...

Re: How are you protecting your clients' private information?

Posted: Thu Jul 18, 2019 12:44 pm
by etimer
Was your question relating to health insurance?

Maybe the reason is that many on this forum are P&C people. HIPAA and PHI were always from the beginning about private health information. That didn't stop everyone from deeming everything under the sun as PHI. For a while I was seeing encrypted docs of renewing auto and HO policies.

Protected Health Information Includes
Protected health information includes all individually identifiable health information, including demographic data, medical histories, test results, insurance information, and other information used to identify a patient or provide healthcare services or healthcare coverage. ‘Protected’ means the information is protected under the HIPAA Privacy Rule.

"The HIPAA Privacy Rule
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections." ... index.html

Protected health information is defined in the Code of Federal Regulations and applies to health records, but not education records, which are covered by other federal regulations, nor records held by a HIPAA-covered entity related to its role as an employer. In the case of an employee-patient, protected health information does not include information held on the employee by a covered entity in its role as an employer, only in its role as a healthcare provider.

PHI does not include individually identifiable health information of persons who have been deceased for more than 50 years.

What is Individually Identifiable Health Information?
When individually identifiable information is used by a HIPAA covered entity or business associate in relation to healthcare services or payment it is classed as protected health information.

There are 18 identifiers that can be used to identify, contact, or locate a person. If health information is used with any of these identifiers it is considered identifiable. If PHI has all of these identifiers removed, it is no longer considered to be protected health information. (see de-identification of protected health information)

Names (Full or last name and initial)
All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the U.S. Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
Dates (other than year) directly related to an individual
Phone Numbers
Fax numbers
Email addresses
Social Security numbers
Medical record numbers
Health insurance beneficiary numbers
Account numbers
Certificate/license numbers
Vehicle identifiers (including serial numbers and license plate numbers)
Device identifiers and serial numbers
Web Uniform Resource Locators (URLs)
Internet Protocol (IP) address numbers
Biometric identifiers, including finger, retinal and voice prints
Full face photographic images and any comparable images
Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
PHI Health Apps
There is some confusion around PHI and health apps as they often collect information that is classed as PHI when it is recorded or used by a healthcare provider. Health apps record information such as heart rate data and the data include personal identifiers. However, the data collected by these apps and trackers is not always covered by HIPAA Rules. App developers can be business associates, but for the most part they are not.

If a HIPAA covered entity develops a health app for use by patients or plan members and it collects, uses, stores, or transmits protected health information, the information must be protected in line with HIPAA Rules.

If a physician recommends a PHI health app be used by a patient, such as for tracking BMI or heart rate data, the information is not subject to HIPAA Rules as the app was not created for the physician.

A third-party health app developer would be classed as a business associate, and required to comply with HIPAA, if the app has been created for a HIPAA-covered entity and it collects, uses, stores, or transmits identifiable health information or if the developer is contracted with a HIPAA-covered entity to provide health monitoring services via the app.

PHI health app guidance was issued by OCR in 2016 and can be viewed on this link (PDF).
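The post above lists the 18 Safe Harbor identifiers and the rule that a record with all of them removed is no longer PHI, including the detail that dates are reduced to the year and ZIP codes to their first three digits (or "000" for sparsely populated prefixes). The following is an added example, not code from the forum post or from any HIPAA guidance, showing how a practitioner might apply that rule to a structured record and then audit the result. The field names, the sample record, and the `SPARSE_ZIP3` set are all constructed for the example; the real set of restricted three-digit ZIP prefixes must be taken from current Census data.

```python
import re
from datetime import date

# Constructed placeholder: three-digit ZIP prefixes whose combined population is
# 20,000 or fewer must become "000". The real set comes from Census data.
SPARSE_ZIP3 = {"036", "059", "102"}

# Structured fields that map directly to Safe Harbor identifiers; dropped outright.
# (Field names are assumptions for this example.)
DROP_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "beneficiary_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric", "photo",
}

# Date fields directly related to the individual: only the year survives.
DATE_FIELDS = {"dob", "admission_date", "discharge_date"}

# Identifier patterns that commonly leak into free-text notes. Names cannot be
# caught by regex; free text still needs manual or NLP-based review.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"), "[DATE]"),
]


def generalize_zip(zip_code):
    """Reduce a ZIP to its first three digits, or '000' for a sparse prefix."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return None
    zip3 = digits[:3]
    return "000" if zip3 in SPARSE_ZIP3 else zip3


def year_only(value):
    """Keep only the year from a date object or an ISO 'YYYY-MM-DD' string."""
    if isinstance(value, date):
        return value.year
    m = re.match(r"^(\d{4})-\d{2}-\d{2}$", str(value))
    return int(m.group(1)) if m else None


def scrub_text(text):
    """Replace regex-detectable identifiers in free text with a type tag."""
    for pattern, tag in FREE_TEXT_PATTERNS:
        text = pattern.sub(tag, text)
    return text


def safe_harbor_deidentify(record):
    """Return a new record with the Safe Harbor identifiers removed or generalized."""
    out = {}
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field in DATE_FIELDS:
            out[field + "_year"] = year_only(value)
        elif field == "notes":
            out[field] = scrub_text(value)
        else:
            out[field] = value  # e.g. state, diagnosis codes, lab values
    return out


def leaked_identifiers(record):
    """Audit helper: list fields that still carry a Safe Harbor identifier."""
    hits = []
    for field, value in record.items():
        if field in DROP_FIELDS:
            hits.append(field)
        elif isinstance(value, str) and any(p.search(value) for p, _ in FREE_TEXT_PATTERNS):
            hits.append(field)
    return sorted(hits)


# Constructed sample record (fictional data) for running the example.
SAMPLE = {
    "name": "Jane Q. Public",
    "dob": "1975-03-14",
    "zip": "03601",
    "state": "NH",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "mrn": "MRN-0042",
    "admission_date": date(2019, 2, 27),
    "diagnosis": "J45.20",
    "notes": "Pt called from 603-555-0123; follow up re 2/27/2019 visit.",
}

if __name__ == "__main__":
    print("before:", leaked_identifiers(SAMPLE))
    deidentified = safe_harbor_deidentify(SAMPLE)
    print("after:", deidentified, leaked_identifiers(deidentified))
```

The audit function is the part worth keeping around: run it over exported data before it leaves the covered entity, and treat any non-empty result as a blocker. Note that the Safe Harbor method has further conditions beyond this list (and the list itself must be checked against the current rule text), so this is a mechanical first pass, not a legal determination.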

Re: How are you protecting your clients' private information?

Posted: Thu Feb 27, 2020 9:35 am
by pageltd
check this out:

So...are dates of birth really PII? If you can just buy a list from the state, then maybe not...