24/7 Breach Assistance


What is Protected Health Information?

In the U.S., the HIPAA Privacy Rule protects a subset of individually identifiable health information known as Protected Health Information (PHI) that is created or maintained by a covered entity or by business associates acting on its behalf. The Privacy Rule protects PHI in all forms: electronic, oral, or paper. Examples of PHI include names, Medical Record Numbers (MRN), dates directly relating to the individual, health insurance information, and biometric indicators. The rules and regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) protect both the privacy and the security of sensitive patient health information. They also define covered entities as health plans, health care clearinghouses, and health care providers who electronically transmit any health information in connection with a transaction for which the U.S. Department of Health and Human Services (HHS) has adopted a standard. The Rules further define a business associate as a person or entity that performs functions or activities involving the use or disclosure of PHI on behalf of, or provides services to, a covered entity. Examples of business associates include a third-party billing or coding company, an attorney whose legal services to a health plan involve access to PHI, an independent medical transcriptionist, or an IT consultant.


The use and protection of PHI have evolved over time, from treatment information (prescriptions) recorded on clay tablets in ancient Mesopotamia to medical data recorded and stored in both paper and digital formats today, including on wearable devices and in mobile applications. In the early days of modern healthcare, patient records were often kept on paper and were accessible only to a limited number of people, typically the health professionals directly involved in the patient's care. Because of this format, important records such as a patient's medical history were easily lost or damaged.


Wearable technologies are electronic devices worn close to the skin, including smartwatches, blood pressure monitors, sensors, and fitness trackers. These devices are used by approximately 30% of Americans. The data recorded by these wearable devices is protected by HIPAA only if the device is an extension of a service provided by a covered entity and the data is exchanged between the covered entity and the wearable technology company. Because of this limitation, data tracked by consumer devices such as smartwatches and fitness trackers is not protected by HIPAA. Similarly, mobile applications used for monitoring sleep, weight loss, and family planning are not protected by HIPAA.

In 2022, the company Meta came under scrutiny due to the presence of its Meta Pixel code on the websites, patient portals, and appointment scheduling pages of health care providers. This code collects information such as button clicks, data entered into form fields, and other user-supplied data. Although such tracking is intended to improve the user experience of a website, the data collected and sent to Meta could contain patients' PHI. The issue was that Meta was not a business associate of the covered entities from which it was collecting data, and express consent from the patients had not been obtained.
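A practical first check for the problem described above is to inventory which hosts a patient-facing page causes the browser to contact: any script, image, iframe or stylesheet loaded from a host that is neither the portal's own nor a contracted business associate is a candidate for exactly the kind of disclosure the Meta Pixel case involved. The following is an added example written for this page, not code from CyTrex Cyber or from any tracking vendor. It assumes a constructed sample page, a placeholder tracker host (`tracker.example-thirdparty.invalid`), and an allowlist of first-party hosts that a real deployment would populate from its own inventory.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a patient-portal scheduling page: one first-party
# script, one third-party script and one third-party 1x1 tracking image.
# The tracker host is a placeholder (.invalid TLD), not a real service.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://tracker.example-thirdparty.invalid/pixel.js"></script>
<link rel="stylesheet" href="https://static.example.invalid/portal.css">
</head><body>
<form action="/appointments/schedule"><input name="dob"></form>
<img src="https://tracker.example-thirdparty.invalid/tr?ev=PageView" width="1" height="1">
</body></html>
"""

# Hosts allowed to receive requests from the page. Assumption: a real
# allowlist would hold the portal's own hosts plus business associates
# covered by a signed agreement.
FIRST_PARTY_HOSTS = {"portal.example.invalid", "static.example.invalid"}

# Tag/attribute pairs that make the browser issue a request when parsed.
LOADING_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class ThirdPartyLoadFinder(HTMLParser):
    """Collects (tag, host, url) for every resource loaded from a non-allowed host."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_name = LOADING_ATTRS.get(tag)
        if attr_name is None:
            return
        url = dict(attrs).get(attr_name)
        if not url:
            return
        host = urlparse(url).hostname
        # Relative URLs have no host and resolve to the page's own origin.
        if host is None:
            return
        if host.lower() not in self.allowed:
            self.findings.append((tag, host, url))


def find_third_party_loads(html, allowed_hosts=FIRST_PARTY_HOSTS):
    """Return the list of third-party resource loads found in the HTML."""
    parser = ThirdPartyLoadFinder(allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for tag, host, url in find_third_party_loads(SAMPLE_HTML):
        print(f"third-party load via <{tag}>: {host}  ({url})")
```

Run against the sample, the check reports the tracker script and the tracking image and stays silent on the first-party script and stylesheet. This is a static check over the delivered HTML only; resources injected later by scripts at runtime, or loaded through a tag manager, need a browser-side inventory (for example a Content Security Policy in report-only mode) to be seen.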


In the 1960s, the Mayo Clinic was one of the first health systems to adopt electronic medical record systems. Initially, these systems were used only by the US government in partnership with health organizations, and only for billing and scheduling. Since then, the use of digital medical records has increased significantly. In 2009, the American Recovery and Reinvestment Act, a stimulus package, was enacted and established the Health Information Technology for Economic and Clinical Health (HITECH) Act. This act incentivized the use of technology for health information and the use of electronic health records by healthcare providers, requiring all public and private healthcare providers to use and demonstrate meaningful use of electronic medical records, and laying out financial incentives for organizations that comply and penalties for noncompliance. Along with the benefits of these mandates, including increased patient engagement in their own health and improved care, the potential for breaches of protected health information increased as patient data moved online. In 2022, over 50 million individuals were affected by a breach. The healthcare industry is one of the most targeted and costly when it comes to data breaches. According to IBM, the average cost of a healthcare data breach in 2022 was $10.1 million. These rising breach costs likely translate into higher prices for goods and services for the consumer, with IBM finding that 60% of organizations studied raised their prices after a breach. As a result, robust security and rapid response after a data breach are of the utmost importance. An effective incident response plan increases the ability to detect and contain cyber breaches and decreases the time it takes to restore systems. Organizations with incident response teams and regularly tested incident response plans had breach costs averaging $2.66 million lower than organizations without them.
The HIPAA Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting electronic PHI.


The use of PHI, particularly in electronic medical records and research studies, has become an integral part of the healthcare industry. The protections enacted by HIPAA offer benefits to consumers, including the right to access and request corrections to their medical records and limits on how health information can be used and shared with others. For healthcare professionals, these systems provide a more accurate and effective way to create and access a patient's medical record. But, as with any technology, risks and challenges come with its implementation, including security concerns, especially given the centralized nature of the data. When a data breach occurs, state laws, in addition to HIPAA, may apply to the notification requirements. Notification to affected individuals must be provided within a reasonable time frame, and due diligence must be exercised to notify those involved. For an organization, the consequences of failing to do so can include a loss of revenue, a decline in market share, and financial penalties. For the individual who is the victim of a data breach, the consequences can include identity fraud.


Get breach assistance now.

After a cyber breach, you need a team ready to hit the ground running. We’re here for you 24/7/365. That’s our promise.

Our incident response project managers, data analytics experts, and review specialists are seasoned professionals who understand the magnitude of the situation your company is facing and the related expenses. We are here to ensure timely, accurate notification of affected parties.

CyTrex Cyber - Incident Response Service

CyTrex Cyber helps entities that need assistance managing a cybersecurity incident or that want to learn more about cyber breach management. Insurance carriers, law firms, businesses, government agencies, and educational institutions depend on us for cyber incident response support.


© 2023 CyTrex Cyber, Inc
