Message From the DON CIO: Keeping PII and PHI Secure
By Terry Halvorsen - Published, May 17, 2012
As a department, we like to save our data and records -- to ensure we will have a historical record or to meet a regulatory requirement. And indeed, many of the Department's business processes require the legitimate use of sensitive information. However, there are cases in which personally identifiable information (PII) or protected health information (PHI) should not be used, maintained or collected.
When looking at any piece of PII or PHI, it is important to ask the following questions:
- Is the data needed to perform the mission?
- Do I have the authority to collect it?
- Is it properly protected?
- Is it possible to determine who is collecting the information and who it is being shared with?
- Is it possible for the data to be corrected if necessary?
If the answer to the first question is no, then it is important that the proper steps are taken to eliminate the data. If the answer to the first question is yes, then steps must be taken to ensure all the other responses are also yes.
PII and PHI should only be saved for specific mission requirements, by specific organizations, for a specific purpose and with specific safeguards. A specific mission requirement means that the user has a specific action that depends on that piece of data. Convenience is not a valid excuse for the use of sensitive PII. Also, DON policy prohibits storage of PII on any personal electronic storage device, including laptops and cell phones/personal digital assistants. Any person or organization that does not meet basic data safeguard requirements may be breaking the law and is putting the individual, organization and the department at risk if a PII/PHI breach occurs.
As Under Secretary of the Navy Robert Work stated in the memo, "Safeguarding Personally Identifiable Information (PII)," "Our Sailors, Marines, and civilians, along with their dependents, expect us to keep their PII safe, and it is our charge to ensure that all systems and processes we employ adequately safeguard this information. We cannot tolerate the continued loss of this data as it directly impacts the morale, security, and financial well-being of our personnel."
PII and PHI are defined as follows:
The Office of Management and Budget (OMB) defines PII as any information about an individual maintained by an agency, including but not limited to, education, financial transactions, medical history, and criminal or employment history and information that can be used to distinguish or trace an individual's identity, such as his or her name, SSN, date and place of birth, mother's maiden name, biometric records, etc., including any other personal information that is linked or linkable to an individual.
Under the Health Insurance Portability and Accountability Act (HIPAA), PHI is any information in a medical record that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment.
Federal privacy laws require agencies to "establish appropriate administrative, technical and physical safeguards to ensure the security and confidentiality of records to protect against any anticipated threats or hazards to their security or integrity." The loss or compromise of PII can lead to identity theft and fraud, which directly impacts department personnel, contractors, retirees and their dependents. Safeguards must be applied to IT systems, shared drives, computer networks, email, paper records and websites to prevent unauthorized access. Careful management of this sensitive data will prevent potential PII breaches in the future. A key reference in managing records review and disposal is the Department of the Navy Records Management Manual (SECNAV M-5210.1).
When you require a specific piece of PII or PHI, it is important that you use the authoritative source data. For instance, BUMED should be the authoritative data source for medical data and each request should be a unique pull from this database. By using original pulls from the authoritative source, you ensure that the data is current and avoid creating duplicate data sets in which differently updated copies are each treated as truth.
In addition to the inherent risks associated with inappropriate storage of this type of data, there are also the inefficiencies and costs related to keeping this unnecessary data. Data explosion is one of the biggest issues facing IT today. The amount of data that organizations store has grown exponentially in the past 10 years. According to Gartner, data capacity in enterprises grows on average 40 percent to 60 percent each year. Department personnel must ensure that the only information stored is truly needed, especially when it involves PII or PHI. With these types of data, the risks to personnel and to the department are just far too great.
View valuable tips for managing a PII records disposal program at: www.doncio.navy.mil/ContentView.aspx?id=906 and http://dpclo.defense.gov.
To contact a privacy subject matter expert, please submit a request via Ask An Expert. Be sure to select the privacy topic area.