Managing ePHI on the Internet

Posted: 04/11/2012

About Information Security and Managing your ePHI

The internet continues to play a key role in simplifying business practices in all industries, and the health care industry is no exception. Many health care organizations are finding it necessary to place Protected Health Information (PHI) or electronic Protected Health Information (ePHI) online. One extremely important factor that health care organizations need to consider is that PHI is covered under the HIPAA and HITECH acts and must be handled very carefully.


The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to provide privacy standards for the protection of patients' medical records and other health information supplied to health plans, doctors, hospitals and other healthcare entities.

What is HITECH?

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 extends HIPAA coverage by addressing third-party access to protected health information (PHI), increasing compliance obligations and strengthening enforcement penalties.

Why is it Important to Comply with HIPAA and HITECH?

HIPAA and HITECH compliance is imperative to preserve your ongoing business operations. Failure to meet the standards may result not only in regulatory actions, such as fines, but also in loss of business, damage to reputation and loss of public trust.

How to Protect Your PHI?

Organizations looking to transmit or store PHI on the Internet should take a multi-layered approach to their data protection. Here are some areas to address:
  • Servers - PHI should be hosted on dedicated servers with hardened operating systems
  • Patches and passwords - Security patches need to be kept up to date, and strong passwords should be used for all logins
  • Firewalls - A dedicated firewall is required
  • Intrusion detection - Intrusion detection software should be run to log traffic to and from the servers
  • VPN - A VPN is necessary in most cases, as it encrypts data transferred between two locations
  • Software - Software should be installed on the server to track changes to files and to log who made a change to and/or viewed PHI, from where and at what time
  • Storage - Since PHI and records of access to PHI need to be stored for a minimum of 6 years, a backup retention strategy should be put in place that meets that requirement. Typically this will involve off-site archiving of backups. Encryption should be used on PHI and related data stored on portable media
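As an added illustration of the "Software" bullet above (not code from the original post or from INetU), the following Python sketch shows the two controls it describes: a hash-chained access log recording who did what to which PHI record, from where and when, so that later tampering with the trail is detectable, and a file-integrity baseline that reports which tracked files changed. User names, IP addresses and file names are constructed sample values.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first audit entry

class PhiAuditLog:
    """Append-only audit trail; each entry hashes its predecessor so edits break the chain."""
    def __init__(self):
        self.entries = []
        self._prev = GENESIS

    def record(self, user, action, resource, source_ip, when=None):
        entry = {
            "user": user, "action": action, "resource": resource,
            "source_ip": source_ip,
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "prev": self._prev,
        }
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self._prev = entry["hash"]
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Recompute every hash and link; any altered or removed entry returns False."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if e["prev"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True

def file_digests(paths):
    """Baseline: SHA-256 of each tracked PHI file."""
    return {p: hashlib.sha256(open(p, "rb").read()).hexdigest() for p in paths}

def changed_files(baseline, paths):
    """Tracked files whose content no longer matches the baseline."""
    current = file_digests(paths)
    return sorted(p for p in paths if current.get(p) != baseline.get(p))

def demo_file_tracking():
    """Constructed demo: baseline two sample charts, edit one, report the change."""
    d = tempfile.mkdtemp()
    paths = [os.path.join(d, "chart_1234.txt"), os.path.join(d, "chart_5678.txt")]
    for p in paths:
        with open(p, "w") as f:
            f.write("constructed sample record\n")
    baseline = file_digests(paths)
    with open(paths[1], "a") as f:
        f.write("edited\n")
    return [os.path.basename(p) for p in changed_files(baseline, paths)]
```

In production the log entries would be written to append-only storage off the application server, which is what makes the 6-year retention requirement above workable.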

If you need help with HIPAA and HITECH compliance, make sure to find a trusted web host who has the right knowledge, experience, and security tools to continuously safeguard your PHI.


Filed under: compliance, ePHI, hipaa, HITECH, security