Management of PHI/PII

Healthcare providers collect an abundance of their patients' personally identifiable information and must ensure it is properly safeguarded.

Personally identifiable information (PII) and/or patient health information (PHI) is any information that can be used to distinguish or trace an individual's identity. Storing this information increases an organization's level of risk, and proper safeguards need to be put in place to ensure that the data is protected.


Many organizations receive significant amounts of PHI/PII data. These companies need to safeguard client information to maintain confidence and their brand. Additionally, PHI/PII management is a key component of many different compliance requirements, including HIPAA.


When helping your company manage its PHI/PII, SecureState doesn't just work with your IT staff. We work with the whole business to find out what they need and why. We work with your organization's legal staff to handle any issues. Overall, we take a holistic approach to protecting PHI/PII data. We can set your company up to implement a solution, help you choose a third party, or handle the implementation ourselves. We also work with law firms and other partners and can bring in these outside experts if you need a specific opinion.

Detailed Approach

With many different organizations taking in PHI/PII, each company needs to manage and protect this data in order to preserve brand reputation and manage third-party risk. These companies typically have both contractual and regulatory obligations to protect this data.

To start out, SecureState will identify what PHI/PII is being stored and where it is being stored at your organization. We accomplish this through interviews and a data discovery assessment. At this stage, SecureState will also determine any regulatory requirements around that data.

Once we know where the data is and the applicable regulations, SecureState will perform business process mappings, determining where the data comes in and its point of origin. SecureState will examine how the data is processed, stored, and used, determining what departments use it. SecureState will then determine where the data flows outside of the company.

With a full understanding of the data and its flow, SecureState will identify the protections that should be placed on the data, such as network segmentation and isolation, proper logging and monitoring, proper backups, and processes to purge the data. SecureState identifies these protections using risk assessments, technical testing, and network architecture reviews.

Once your company addresses these controls, SecureState can also help you build an actual program to make sure that the data remains secure and protected. Your company will need to adapt to changing regulations and any new devices added to your environment.
