Health care PHI and security: The ongoing struggle to protect patient personal information

February 2, 2022 / By Karla VonEschen, CPC, CPMA

It’s difficult these days to do anything in health care without hearing about securing protected health information (PHI) or reading about a security breach. During a recent office visit, I was reminded of this when the nurse left the exam room and did not lock the computer, leaving the day’s patient list in full view. At the time, I thought, “How difficult is it to remember to lock a desktop screen?”

The importance of securing patient PHI cannot be overstated, and health care workers have to be vigilant working with the multitude of electronic applications that contain patient information. Consider the following 2021 statistics from the U.S. Department of Health and Human Services Office for Civil Rights Breach Portal:

  • 620 total breaches reported, affecting 45,011,945 individuals, attributed to:
    • Hacking (75.00%)
    • Unauthorized disclosure (19.35%)
    • Improper disposal (0.51%)
    • Lost items (1.45%)
    • Theft (3.23%)
  • Of those breaches, the location of the breached PHI was reported as:
    • Network Server (53.39%)
    • Email (28.06%)
    • Desktop, laptop or other device (4.35%)
    • Electronic medical record system (4.68%)
    • Paper/films (5.48%)
    • Other (2.58%)

A security breach can have catastrophic financial consequences for both the patient and the hospital while adding risk to patient care. Security breaches increased in 2021 due to operational changes health care organizations made to accommodate the COVID-19 pandemic. As a result, breaches cost health care $9.23 million per incident, a $2 million increase from 2020.

There are simple solutions to help protect patient PHI and health care organizations. The Health Insurance Portability and Accountability Act (HIPAA) requires organizations to implement administrative, technical and physical safeguards. These safeguards include locking computers, securing worksites, proper document shredding and encrypting data. Unfortunately, HIPAA classifies the implementation specifications for these safeguards as either “required” or “addressable,” which confuses health care providers and creates an environment in which organizations may choose to implement only the bare minimum. Encrypting email is an example of a specification that is “addressable.” Merely “addressing” a PHI security measure, and never going beyond what is suggested but not strictly required, leaves both the patient and the organization at risk.

Securing PHI does not have to be complicated. What matters is staying aware, every day, of the importance of protecting patient PHI and your health care organization, and not becoming complacent. Simple habits go a long way: keeping desk space clean, locking desktop computers, printing only what is necessary and shredding documents appropriately, using privacy screens on computers and refraining from opening suspicious emails.

Karla VonEschen is a coding analyst at 3M Health Information Systems.
