medical information

Overview

Medical information, also called Protected Health Information (PHI) is a special class of information that contains details about an individual's health and identity.

Why are they asking this?

PHI is protected by special laws and regulations that specify the requirements for gathering, storing, transmitting, and disclosure of the information. This information is sensitive and requires additional controls for handling. Failure to protect the data in accordance with the regulations can result in penalties for the customer and the provider.

What do they expect?

Policies that address the special requirements of PHI protections and evidence that these are being followed may be requested. This may include reviewing data classification guidance, review of any service providers that a SaaS provider may be using, and design or engineering documents showing that the controls have been designed and implemented for PHI.

Have you entered into a BAA with all subcontractors who may have access to protected health information (PHI)?
Is client scoped data collected, accessed, transmitted, processed, disclosed, or retained that can be classified as Protected Health Information (PHI) or other higher healthcare classifications of privacy data under the U.S. Health Insurance Portability and Accountability Act (HIPAA)?
Does this system or application process, store, or transmit PHI (Protected Health Information)?
Is client scoped data collected, accessed, transmitted, processed, disclosed, or retained that can be classified as European Union covered Personal Data, or Sensitive Personal Data (e.g., genetic data, biometric data, health data)?
Can you describe the policies and procedures implemented to ensure that the use or disclosure of protected health information is limited to the minimum necessary?