Page 310 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Protection for personally identifiable information (PII) drives privacy and confidentiality requirements for rules, regulations, and legislation all over the world (especially in North America and the European Union). NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), provides more information on how to protect PII. It is available from the NIST Special Publications (800 Series) download page: http://csrc.nist.gov/publications/PubsSPs.html
Protected Health Information
Protected health information (PHI) is any health-related information that can be related to a specific person. In the United States, the Health Insurance Portability and Accountability Act (HIPAA) mandates the protection of PHI. HIPAA provides a more formal definition of PHI:

Health information means any information, whether oral or recorded in any form or medium, that—
(A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
(B) relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.
Some people think that only medical care providers such as doctors and hospitals need to protect PHI. However, HIPAA defines PHI much more broadly. Any employer that provides, or supplements, healthcare policies collects and handles PHI. It’s very common for organizations to provide or supplement healthcare policies, so HIPAA applies to a large percentage of organizations in the United States (U.S.).