HIPAA & Data Security

🔒 Protecting Sensitive Information

At ACSI, safeguarding sensitive data, including Protected Health Information (PHI), is critical to maintaining compliance with HIPAA (Health Insurance Portability and Accountability Act) and ensuring the security of client and company information. This policy outlines the best practices for handling, storing, and transmitting sensitive data to prevent unauthorized access or breaches.

📌 Understanding PHI & ePHI

What is PHI?

Protected Health Information (PHI) includes any individually identifiable health information that is created, used, or disclosed while providing healthcare services. Examples include:

• Patient names, addresses, and phone numbers

• Medical records, diagnoses, and treatment information

• Insurance details, billing information, and Social Security numbers

• Any health-related data linked to an individual

What is ePHI?

Electronic Protected Health Information (ePHI) refers to any PHI stored, transmitted, or processed electronically. This includes:

• Electronic medical records (EMRs)

• Emails containing health data

• Stored patient information in databases or cloud services

• Digital medical imaging and scanned documents

💡 Key Takeaway: Any PHI or ePHI must be secured, encrypted, and accessed only by authorized personnel.

📌 Key Data Security Principles

1️⃣ Access Control & Authentication

• Employees are granted access to sensitive data only on a need-to-know basis.

• Multi-Factor Authentication (MFA) is required for accessing critical systems.

• All workstations and devices must be locked when unattended.

• Role-based access control (RBAC) is implemented to limit exposure to sensitive information.

2️⃣ Password Protection

• Strong passwords are required (minimum 8 characters, mix of upper/lowercase letters, numbers, and symbols).

• Passwords must not be shared, written down, or stored in insecure locations.

• Employees must change their passwords immediately if compromised.

• Regular password updates are required for continued security.

3️⃣ Data Handling & Transmission

• PHI must never be shared via unencrypted emails or insecure messaging platforms.

• Files containing sensitive information should be stored in designated secure systems.

• Encryption must be used when transmitting sensitive data via email, cloud storage, or external media.

• USB drives and external storage devices should not contain PHI unless properly encrypted.

4️⃣ Device & Network Security

• Only authorized devices may be used to access company systems.

• Employees must avoid connecting to public Wi-Fi when handling sensitive information.

• Company devices must be updated regularly with security patches and antivirus software.

• Remote access to company data must be done using secure VPNs.

5️⃣ Physical Security Measures

• Printed documents containing PHI must be stored in locked cabinets.

• Shred any PHI documents before disposal.

• Restrict unauthorized personnel from areas where PHI is stored or accessed.

• Workstations should have privacy screens to prevent unauthorized viewing of ePHI.

6️⃣ Reporting Security Incidents

• Any suspected or confirmed data breach, unauthorized access, or loss of PHI must be reported immediately to the Compliance Team.

• Employees should use the Incident Report Form or contact compliance@goacsi.com.

• Failure to report a security incident could result in disciplinary action.

🚨 Consequences of Non-Compliance

Failure to follow HIPAA and data security policies may result in: ❌ Disciplinary action (including termination for severe violations). ❌ Legal and financial penalties for the company and responsible individuals. ❌ Reputational damage to ACSI and potential loss of client trust. ❌ Federal penalties for HIPAA violations, which can range from fines to criminal charges.

🛡️ How We Ensure Compliance

✅ Regular HIPAA compliance training for all employees. ✅ Security audits and spot checks to prevent data mishandling. ✅ Implementation of industry-standard data protection protocols. ✅ Ongoing monitoring and threat detection to safeguard company systems. ✅ Annual HIPAA risk assessments to identify and mitigate potential security threats.