Providing services for healthcare brings many complexities, and risk management professionals need to consider this seriously. However, issues such as accreditation or licensing standards, regulations and third-party requirements can be mitigated with the introduction of formal policies and procedures for hospital information security infrastructure. These policies and procedures help promote safe and good quality care for patients, workplace safety, compliance to regulations, and, most of all, uniformity of healthcare practices across the hospital network.

It is important for managers to draft and update policies and procedures despite other top-priority areas such as patient care, etc. Delaying them can result in harmful consequences, as a staff member may follow an outdated policy that is no longer applicable to the hospital or may disregard the outdated policy resulting in patient harm or claim of malpractice.

Purpose of Policies and Procedures

So what purpose do policies and procedures serve? Formally written policies and procedures help achieve the following purposes for hospital security:

  • Observe recognized professional practices.
  • Ensure compliance with health regulations and standards, such as HIPAA, CMS conditions of participation, etc.
  • Create standard system for practices in a single health unit.
  • Provide knowledge to staff, particularly new employees, on how various functions are carried out.
  • Reduce the chances of human error by providing documented guidelines rather than relying on memory.

Policies and Procedures for IT Security

In terms of hospital IT security, hospitals need to implement strict policies and procedures to keep their networks secure, maintain secure transmission of data, and protect the confidential records of their patients. All 42 HIPAA safeguards need to be addressed in this regard. Developing such policies and procedures and conducting real-time monitoring and audit of security practices ensures the security of the hospital’s IT environment.

It is important to allocate resources effectively and manage the IT environment proactively in order to curb ever-evolving threats and changing regulations. This can be achieved by managing strict access control, employee orientation and regular trainings, and the identification of staff, visitors and patients according to industry regulations.

Let us look at three important aspects of hospital security in general and IT security in particular that are addressed by such policies and procedures.

Access Control

Access control is the means by which access to people such as patients, visitors, and staff is granted or denied throughout the healthcare facility and access to its IT assets. These areas include, but are not limited to, maternity wards, pediatric department, emergency, intensive care unit ICU, pharmacy, etc.

Video Surveillance

Video surveillance cameras in the past mostly consisted of time lapse recorders or video cassettes that made it difficult and time-consuming for the staff to identify certain incidents or events. With improved technology, cameras now have embedded processors and videos can be compressed and transmitted over IP networks in real time. This concept of having the ability to view and record any activity at any time from any location has fundamentally helped healthcare facilities to optimize their security with video surveillance.

Staff, Patient and Asset Tracking 

Regardless of which facility your patients are admitted in, it is critically important to provide them safety and protection. With the help of technology, security professionals and concerned staff can now identify, track and locate patients to provide safeguard against patient abduction or elopement.

Protected Health Information (PHI) and Personally Identifiable Information (PII)

What is protected health information (PHI)?

Protected health information, also known as personal health information, is information such as medical history, patient demographics, laboratory and test results, insurance information, and any other important information about the patient that helps a healthcare professional in identification and appropriate treatment.

According to the Health Insurance Portability and Accountability Act (HIPAA), healthcare institutions and insurance companies are not allowed to share or sell PHI data except for the use of treatment research, public health activity, service rendered, or the acquisition or merger of an HIPAA-covered entity.

PHI data that is no longer required needs to be disposed of properly so as to make it completely unreadable. Data on paper needs to be shredded or made unable for reconstruction. PHI data on electronic systems should be totally eradicated and erased with the help of software tools.

It is important to point that PHI is different from the personal health record (PHR), which is maintained and updated by the patient using software tools such as Apple Health, Samsung S Health or Microsoft HealthVault.

What is personally identifiable information (PII)?

Personally identifiable information is any information that can help in identifying, contacting, or locating an individual. It includes all information that relates to a certain individual such as their medical, financial, employment, or medical record.

Data elements that help identify an individual are name, biometric data, email address, telephone number, etc. It is the responsibility of the hospital and its workforce to protect the PII of patients. No matter what role a member of the workforce has, they should be aware of their responsibility to safeguard PII data at all costs.

HIPAA restricts authorities to inappropriately share PII and has strict requirements to protect such information. This is because PII can be exploited by malicious criminals to steal an individual’s identity and commit crimes in their name. Identity theft causes financial and emotional damage to the victims and can also have dire consequences for liable organizations resulting in damaged reputation. Many governments are now passing legislations in favor of limiting the distribution of Personally Identifiable Information.

Implementing Security Best Practices for PII

All stored data has the potential to be compromised and is vulnerable. The best way to reduce and overcome the vulnerability is to collect the least required data and remove any unnecessary collected PII from the record. Wherever possible, de-identify the data by making patient feedback anonymous or tokenizing the information. This will help remove the data from the scope of HIPAA.

Implementing access control also ensures that sensitive information such as PII is only accessible by authorized individuals who need it to carry out their routine job duties. Unauthorized staff need not access such information.

Encryption of all sensitive information should be ensured when transferred across online networks. Encrypted cloud storage and HIPAA-compliant email will not let hackers decipher PII, even if they may intercept it.

Difference between PHI and PII

Protected health information (PHI) and personally identifiable information mainly differ in terms of their data sets. The difference can better be explained with a side-by-side comparison table. The following outline below will help us understand and classify the two types of information.

Protected Health Information (PHI)

Health information for identifying an individual receiving health care.

Includes 18 personal identifiers according to OHRPP Guidance and Procedures OF HIPAA. These are:

  • Name
  • Street Address
  • All elements of dates except year
  • Telephone Number
  • Fax Number
  • Email Address
  • URL Address
  • IP Address
  • Social Security Number
  • Account Number
  • Licence Number
  • Medical Record Number
  • Health Plan Beneficiary Number
  • Device identifiers and their serial numbers
  • Vehicle identifiers and serial number
  • Biometric identifiers (finger and voice prints)
  • Any other unique identifying number, code, or characteristic
  • Full-face photos and other comparable images

Personally Identifiable Information 

General information about an individual, not particularly health related,that helps in determining the identity of an individual and provides their personal information.

PII includes, but is not limited to, the following information:

  • Full Name
  • Personal identification number such as passport, patient identification number, social security number, driver’s license, bank account, credit card number, etc.
  • Postal address or Email address
  • Telephone Number
  • Personal characteristics such as photograph or biometric data, including fingerprints, retina scan, etc.
  • Personal property or assets information, such as vehicle registration number, etc.
  • Information linked to the individual, such as date of birth, religion, place of birth, medical history, education, employment, etc.

These pieces of information may seem harmless in individual bits, but when combined they can result in compromising an identity.

Guidelines to Follow when Developing Policies and Procedures

  • Define all terms mentioned in the policy: If you do not define the terms, they can be misunderstood by your staff or any other stakeholders. It is advisable to put them at the start of the policy.
  • Avoid the use of superlative adjectives such as safest, highest, etc. It can allow a petitioner to allege that the hospital promised a certain outcome.
  • Select easy and recognizable names for the policies so that they are easier for hospital staff to access.
  • Gather and combine separate policies that belong to the same subject and develop a single policy. Create a table of contents so that lengthy policies are easier to read for the staff. For example, there should be a single Emergency Medical Treatment and Labor Act (EMTALA) policy for all aspects associated with EMTALA.
  • Always use the active voice when writing action steps or a procedure and avoid the use of passive voice. For example, “Discard the syringe after use” is better than “the syringe should be discarded after use.”
  • When writing action steps in a policy or procedure, always assign the role and responsibility for each action step and do not leave it as implied.
  • When approving a set of policy documents, the approving authority should sign off on each policy individually rather than signing a cover sheet for the entire policy set so that approval for each policy is clear. In case of electronic documents, follow the same practice, as every policy exists individually.
  • Always develop a document control record and note down date of origin of the policy and all other policy review dates along with their versions.
  • Number the pages and put the policy title and version on the header of every page.
  • Mention any state laws or security frameworks that the policy is based upon, along with possible URLs as references.
  • Make a list of references at the end of the policy document to show the relevant resources referred to while writing the document. This approach has its advantages as well as disadvantages. The advantages are that it allows readers to consult a professional source in case they need more information and also demonstrates the development of the policy on the basis of professional guidelines. The disadvantages are that it can cause trouble for the organization if its policy omits some part of the guideline or if, in the case of updated guidelines, the organization fails to update its policy.
  • Avoid going far and beyond the “standard guidelines” when devising a policy.

Be Safe

Section Guide


View more articles from Tahshina

Infosec IQ awareness and training empowers your employees with the knowledge and skills to stay cybersecure at work and at home. Teach employees to outsmart cyberthreats with over 2,000 awareness resources and phishing simulations.

Section Guide


View more articles from Tahshina