Here is a review of what information is considered PHI from HHS.gov: Under the HIPAA Privacy Rule, protected health information (PHI) refers to individually identifiable health information. Individually identifiable health information is that which can be linked to a particular person
Specifically, this information can relate to:
- The individual's past, present or future physical or mental health or condition,
- The provision of health care to the individual, or,
- The past, present, or future payment for the provision of health care to the individual.
This is what was cited specifically in the WellPoint Settlement agreement:
(1) Beginning on October 23, 2009, until March 7, 2010, WellPoint did not adequately implement policies and procedures for authorizing access to ePHI maintained in its web-based application database consistent with the applicable requirements of the Security Rule.
(2) WellPoint did not perform an adequate technical evaluation in response to a software upgrade, an operational change affecting the security of ePHI maintained in its web-based application database that would establish the extent to which the configuration of the software providing authentication guards for its web-based application met the requirements of the Security Rule.
(3) Beginning on October 23, 2009, until March 7, 2010, WellPoint did not adequately implement technology to verify that a person or entity seeking access to ePHI maintained in its web-based application database is the one claimed.
(4) Beginning on October 23, 2009, until March 7, 2010, WellPoint impermissibly disclosed the ePHI, including the names, dates of birth, addresses, Social Security Numbers, telephone numbers and health information, of approximately 612,000 individuals whose ePHI was maintained in the web-based application database.
See full resolution here.
Now that we know what the government thinks the value of your sensitive information should be, I ask what you think is a fair amount exposure of ePHI information per person per day?