In this series on establishing security classifications for your company’s information, last week’s post looked at one aspect – the widely varying definitions of Protected Information under state PII breach notification statutes. But if your organization is a covered entity or business associate under the Health Insurance Portability and Accountability Act (HIPAA), the definition of Protected Health Information (PHI) is also a key puzzle piece for your classification scheme.
HIPAA establishes national standards for the use and disclosure of PHI, and also for the safeguarding of individuals’ electronic PHI, by covered entities and business associates. Merely having information commonly thought of as “protected health information” does not mean that HIPAA applies. And there are some surprises in which organizations are – and are not – covered by HIPAA. So, that’s the first question to answer – is your company a HIPAA covered entity or business associate?