Keeping data secure is an involved process for any business nowadays. Electronic devices and internet servers are the main storage methods, and physical measures are insufficient. This applies to medical records and health information too. Protected health information is dealt with under HIPAA law, and businesses should do everything possible to prevent a PHI breach.
According to HIPAA, a PHI breach is the “acquisition, access, use, or disclosure of protected health information in a manner not permitted which compromises the security or privacy of the protected health information.” This might look like anything from a system being hacked and information leaked to an authorized employee emailing private medical records to an unauthorized party for any reason.
PHI is protected strictly by HIPAA law and must be handled with care by businesses authorized to handle it, including health care providers, insurance companies, clearinghouses, and government health care entities.
PHI includes several pieces of information, including:
This information is all protected as PHI under HIPAA.
Certain circumstances mean an incident is not considered a HIPAA breach in the first place. For example, if an employee unintentionally handles PHI insecurely while acting in good faith and believing they are doing the right thing, the result may not be an official PHI breach.
Another exception is when the recipient of private information cannot retain it. For example, if a letter is sent to the wrong person but is ultimately returned to the sender unopened, the business or party responsible might be in the clear. Finally, if one authorized staff member in a hospital or business accidentally sends irrelevant PHI to another authorized staff member, a breach is not considered to have occurred as long as the recipient handles it properly (for example, by deleting it and not forwarding it to anyone else).
A big part of avoiding the consequences of a breach of PHI is simply preventing one in the first place. Here are a few important safety measures you should take to make sure information is secure and handled correctly.
If you are a healthcare provider or another business that works with any PHI, you must train your team to handle information safely. If anyone does not take the situation seriously, it can result in leaked information. This applies to both medical and administrative staff.
Having an official information security policy will keep things organized and lower your business’s liability if something happens. The policy needs to be periodically updated and communicated to your team regularly as it is updated. HIPAA laws and other best practices should inform your approach.
For securing physical information, filing cabinets should be locked securely, and keys should be well organized so that only the right people can access them. While it may not seem like a big help, having a clearly defined system for access keys to rooms, cabinets, and other information areas will help you keep track of things, especially when there’s staff turnover or a missing key.
Encryption is key for digital data (which is increasingly the default form of stored information). Make sure that all your servers, hard drives, and other digital platforms are encrypted wherever possible, so that anyone without the right keys, passwords, and permissions cannot read the data. Your IT team can help you streamline your digital security and provide the right training to staff.
Another simple but essential measure to take is securing the internet and Wi-Fi. By doing so, you can stop potential cybersecurity threats and reduce the chance of a PHI breach.
In the unfortunate event that a PHI breach does occur, you must take the right steps as outlined by HIPAA law. Here is what needs to happen:
To figure out if a breach must be reported, you must first determine whether the PHI was “unsecured,” because only unsecured data violations must be reported. Unsecured data is any digital PHI that is not encrypted and any physical PHI that has not been destroyed. Next, you must determine whether the breach meets any of the exceptions listed above with regard to reporting. If it is not a legitimate exception, it must be reported.
When you need to report a breach, you must tell the individual(s) whose information was compromised and the U.S. Department of Health and Human Services. The employees involved must tell their organization within 60 days, and the organization must report the breach to both the individual in question and the HHS within 60 days from discovery. If the breach involves the PHI of 500 or more people, the organization must also report the violation to local media within 60 days of discovery. The organization must also maintain documentation of all of this for six years.
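As an added illustration of the two-step decision described above (is the PHI unsecured, and does an exception apply) and of the deadlines that follow from a reportable breach, here is a small Python triage helper. It is not Compyl's code and is not part of the original article: the field names, the assumption that the six-year documentation retention period is counted from the discovery date, and the sample incident are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Figures taken from the article: a 60-day notification window, a 500-person
# threshold for media notification, and six years of documentation retention.
NOTIFICATION_WINDOW_DAYS = 60
MEDIA_NOTIFICATION_THRESHOLD = 500
DOCUMENTATION_RETENTION_YEARS = 6


@dataclass
class BreachIncident:
    """Facts gathered during the initial investigation (hypothetical schema)."""
    discovered_on: date
    affected_individuals: int
    # None means that kind of PHI was not involved in the incident at all.
    digital_phi_encrypted: Optional[bool] = None
    physical_phi_destroyed: Optional[bool] = None
    # The three exceptions the article describes.
    good_faith_unintentional: bool = False
    recipient_could_not_retain: bool = False
    internal_recipient_handled_properly: bool = False


@dataclass
class BreachAssessment:
    unsecured: bool
    exception: Optional[str]
    reportable: bool
    notify_individuals_by: Optional[date]
    notify_hhs_by: Optional[date]
    notify_media_by: Optional[date]
    retain_documentation_until: date


def is_unsecured(incident: BreachIncident) -> bool:
    """Unsecured PHI: digital PHI that was not encrypted, or physical PHI not destroyed."""
    return incident.digital_phi_encrypted is False or incident.physical_phi_destroyed is False


def applicable_exception(incident: BreachIncident) -> Optional[str]:
    """Return the first exception that applies, or None if none does."""
    if incident.good_faith_unintentional:
        return "good-faith unintentional handling by an authorized workforce member"
    if incident.recipient_could_not_retain:
        return "recipient could not retain the information"
    if incident.internal_recipient_handled_properly:
        return "misdirected to an authorized colleague who handled it properly"
    return None


def _add_years(d: date, years: int) -> date:
    # Feb 29 has no counterpart in a non-leap year; roll forward to Mar 1 then.
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, month=3, day=1)


def assess_breach(incident: BreachIncident) -> BreachAssessment:
    """Apply the article's decision steps and compute the resulting deadlines."""
    unsecured = is_unsecured(incident)
    exception = applicable_exception(incident)
    # Only unsecured PHI with no applicable exception must be reported.
    reportable = unsecured and exception is None

    deadline = incident.discovered_on + timedelta(days=NOTIFICATION_WINDOW_DAYS)
    media_deadline = None
    if reportable and incident.affected_individuals >= MEDIA_NOTIFICATION_THRESHOLD:
        media_deadline = deadline

    return BreachAssessment(
        unsecured=unsecured,
        exception=exception,
        reportable=reportable,
        notify_individuals_by=deadline if reportable else None,
        notify_hhs_by=deadline if reportable else None,
        notify_media_by=media_deadline,
        # Assumption: the retention clock starts at discovery; the article does not say.
        retain_documentation_until=_add_years(incident.discovered_on, DOCUMENTATION_RETENTION_YEARS),
    )


if __name__ == "__main__":
    # Constructed sample: an unencrypted laptop holding records of 1,200 patients.
    sample = BreachIncident(date(2024, 1, 15), 1200, digital_phi_encrypted=False)
    print(assess_breach(sample))
```

The helper deliberately keeps the decision (unsecured, exception, reportable) separate from the deadline arithmetic, so the same assessment record can be stored as the documentation the article says must be retained, whatever workflow tool produces the actual notifications.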
Taking these steps right after a breach will help protect your business from severe consequences and demonstrate to your clients, patients, and staff that the situation and PHI are being taken seriously.
Businesses that deal with PHI need to prepare well to avoid a breach. Start by crafting and implementing specific policies for your business and team that will equip them to handle information safely and securely. Contact Compyl today to learn about our superior solutions for privacy and security.