What is Considered Protected Health Information (PHI)?

Understanding What’s at Stake for Your Small Health Care Organization

When you're running a small hospital, clinic, or long-term care facility, staying on top of regulations like HIPAA can feel overwhelming. But one piece you absolutely have to understand is Protected Health Information (PHI)—what it is, how it’s used, and why securing it is non-negotiable.

At visuaFUSION Systems Solutions, we support small health care organizations in aligning their IT practices with HIPAA’s expectations. We don’t make guarantees of “compliance” (no one legitimately can), but we do work alongside you to get your systems secure and your people thinking in the right direction.


What Counts as PHI?

According to federal regulation (45 CFR § 160.103), PHI is individually identifiable health information that’s stored or transmitted in any form—electronic, paper, or even spoken—and is handled by a covered entity or its business associate. That includes:

  • Information about someone’s physical or mental health

  • Any health care services they receive

  • Payment or insurance data tied to care

As soon as this kind of info is connected to a specific person—whether through name, date of birth, ID number, or even ZIP code—it becomes PHI.


The 18 PHI Identifiers You Need to Watch

HIPAA outlines 18 specific identifiers that, when connected to health information, make that information “protected” under federal law (45 CFR § 164.514(b)(2)(i)). Here's the full list:

  1. Names

  2. All geographic subdivisions smaller than a state (e.g., street address, city, county, ZIP code—except for the initial three digits in certain cases)

  3. All elements of dates directly related to an individual (except year), including birth date, admission and discharge dates, and date of death

  4. Telephone numbers

  5. Fax numbers

  6. Email addresses

  7. Social Security numbers

  8. Medical record numbers

  9. Health plan beneficiary numbers

  10. Account numbers

  11. Certificate or license numbers

  12. Vehicle identifiers and serial numbers, including license plate numbers

  13. Device identifiers and serial numbers

  14. Web URLs

  15. Internet Protocol (IP) addresses

  16. Biometric identifiers, including finger and voice prints

  17. Full-face photographs and comparable images

  18. Any other unique identifying number, characteristic, or code

If your systems store or transmit health information with any one of these identifiers, that data must be secured according to HIPAA requirements.


Overlooked PHI Risks You Need to Know About

1. Screenshots and Local Storage
Many organizations overlook the fact that screenshots—even those saved casually—can contain PHI. If a staff member snaps a shot of an EHR screen and saves it to their desktop or cloud drive, that image is now PHI. The safest route is to assume that every computer on your network might contain PHI.

That’s why it’s critical to:

  • Encrypt all workstations

  • Require unique Windows logins (no shared accounts)

  • Set up screen timeouts and audit logging

These practices are in line with HIPAA Security Rule standards, particularly access control (45 CFR § 164.312(a)(1)) and audit controls (45 CFR § 164.312(b)).

2. Security Camera Footage Can Be PHI (And Often Is)
Here’s one example many organizations overlook: security camera footage. If your system records patients in lobbies, exam rooms, or even hallways—anywhere their full-face image or health-related activity can be captured—that footage is subject to HIPAA.

Why? Because “full-face photographs and comparable images” is one of the 18 PHI identifiers. If that image is linked to health care interactions, such as arrival for treatment, the video becomes PHI.

What this means for your organization:

  • The storage system for that footage must meet HIPAA’s standards for access control, encryption, and audit logging

  • Any vendor installing, maintaining, or hosting the system must sign a Business Associate Agreement (BAA)

  • You must enforce unique user logins to access camera footage—just like with your EHR

Security footage isn’t just for physical security anymore—it’s part of your health care data ecosystem.


ePHI and the Security Rule

When PHI is stored or transmitted electronically (ePHI), it’s covered by the HIPAA Security Rule (45 CFR Part 164, Subpart C). That means your IT systems must meet specific standards, including:

  • Encryption (in transit and at rest)

  • Role-based access control

  • Risk analysis and documentation

  • Audit trails and incident response

Using email, cloud services, VoIP phones, or mobile apps? Those fall under the Security Rule too.


One More Thing: De-Identification

PHI can be “de-identified” by removing all 18 identifiers or applying statistical methods that ensure the data can’t be linked back to an individual (45 CFR § 164.514). Once that’s done properly, it’s no longer regulated by HIPAA—making it safer for training, analytics, or research.
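To make the “remove all 18 identifiers” method concrete, here is an added example (our own illustration for this post, not code from the regulation or from any vendor) that runs a Safe Harbor style pass over a constructed patient record: direct identifiers are dropped, ZIP codes are cut to their first three digits (or zeroed for sparsely populated prefixes), dates are reduced to the year, and free-text fields are re-scanned for identifiers that survived. The field names, the sample record and the set of restricted ZIP prefixes are assumptions for the example; the rule that ages over 89 must be aggregated into a “90 or older” category comes from 45 CFR § 164.514(b)(2)(i)(C) rather than from the list above.

```python
"""Safe Harbor style de-identification of a constructed patient record.

Added example for illustration only. Field names, the sample record and the
RESTRICTED_ZIP3 set are assumptions; map them onto your own schema and the
current Census-derived prefix list before relying on any of this.
"""
from __future__ import annotations

import re
from datetime import date

# Fields holding direct identifiers (items 1, 4-13, 16-18 of the list).
# These names are an assumption for the example, not a standard schema.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_no", "license_no", "vehicle_id", "device_serial", "url",
    "ip_address", "biometric", "photo",
}

# Constructed placeholder: three-digit ZIP prefixes whose combined area is
# too small for the prefix to be retained, so they must become "000".
# The post does not list them; substitute the current set from Census data.
RESTRICTED_ZIP3 = {"036", "059"}

# Constructed sample record; every value here is made up.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "mrn": "MRN-0042",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "zip": "03601",
    "birth_date": "1931-04-02",
    "age": 94,
    "admission_date": "2024-03-14",
    "diagnosis_code": "E11.9",
    "notes": "Patient callback at 555-123-4567 scheduled.",
}


def generalize_zip(zip_code: str) -> str:
    """Keep only the first three digits; zero them for restricted prefixes."""
    digits = re.sub(r"\D", "", zip_code)[:5]
    if len(digits) < 3:
        return "000"
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_date(value: str) -> str:
    """Reduce an ISO date to its year; Safe Harbor permits the year alone."""
    return str(date.fromisoformat(value).year)


def generalize_age(age: int) -> str:
    """Ages over 89 are aggregated into a single '90+' category."""
    return "90+" if age > 89 else str(age)


def deidentify(record: dict) -> dict:
    """Drop direct identifiers and generalize ZIP, dates and age."""
    over_89 = record.get("age", 0) > 89
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # removed outright
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key.endswith("_date"):
            year = generalize_date(value)
            # A birth year alone would reveal an age over 89, so it goes too.
            out[key] = "redacted" if (over_89 and key == "birth_date") else year
        elif key == "age":
            out[key] = generalize_age(value)
        else:
            out[key] = value
    return out


def residual_identifiers(record: dict) -> list[str]:
    """Flag free-text fields that still contain SSN, phone or email patterns."""
    patterns = {
        "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
        "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
        "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    }
    hits = []
    for key, value in record.items():
        if isinstance(value, str):
            for label, pattern in patterns.items():
                if pattern.search(value):
                    hits.append(f"{key}:{label}")
    return hits


if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD)
    print(cleaned)
    print("still identifying:", residual_identifiers(cleaned))
```

The second pass matters: stripping the structured fields is the easy part, while a phone number typed into a notes field is exactly the kind of leftover that keeps a record identifiable (item 18 in the list). Until that scan comes back empty, the record has not been properly de-identified and is still PHI.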


We're Here to Help—Not to Certify

At visuaFUSION Systems Solutions, we don’t offer “HIPAA certifications” or make blanket guarantees about compliance. What we do offer is real, practical IT guidance built to help small health care organizations like yours meet HIPAA expectations.

From email encryption, system backups, and environment design and management planning to fully managed IT (done a little differently to save you even more), we’ll work side by side with your team to put the right controls in place—without overcomplicating it.

Need a clear path forward? Let's talk. Whether you’re just starting to untangle HIPAA or need to shore up your current setup, we’re here to help you move with confidence.
