Handling PII and PHI
This topic covers what you need to consider to protect any PII or PHI that is in your Rebus database, whether it’s imported from the WMS, through custom data entry or through the Labor Module’s auxiliary functions.
Identifying PII and PHI
PII is information that can be used to identify an individual, together with sensitive information that can be linked to an identified individual. Some examples include:
Full name
Date and place of birth
Medical and health information
Personal characteristics such as biometric data
Any type of identification number (employee number, badge ID, government ID)
Some items identify a person on their own (an employee ID number, a fingerprint); others, such as a common name, only identify someone once they are combined with an address, a birth date, health information or an ID number. Treat any combination of the examples above as PII, and treat a field as PII even if it is only identifying when joined with another table in your database. PHI is PII that includes health information: under HIPAA, information about an individual's health status, care, or payment for care that a covered entity or its business associate creates or receives.
Best Practices for Protecting PII and PHI
If your Rebus database has PII or PHI, you should consider the following:
How can you minimize the use, collection, and retention of PII? If it’s not kept it can’t be compromised.
Are your employees trained on how to recognize and handle PII and PHI?
Who needs access to PII and PHI as part of their job?
How can you restrict access to PII and PHI to only authorized employees?
Do you have a process to identify and keep track of the PII and PHI you keep?
For more information on Protecting PII
The National Institute of Standards and Technology (NIST) has published Special Publication (SP) 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII). It describes many specific safeguards that organizations can implement to protect PII.
Handling PHI
If you are storing PHI in Rebus, you need to consider the requirements of the Health Insurance Portability and Accountability Act (HIPAA).
Here are some high-level HIPAA requirements:
The Security Rule treats encryption of electronic PHI at rest and in transit as an addressable implementation specification: you must either implement it or document why an equivalent safeguard is reasonable and appropriate. In practice, encrypt it.
The Privacy Rule gives individuals the right to access their PHI on request and to request an amendment when they believe it is inaccurate, so you need a process to serve both.
A third party that stores or processes PHI on your behalf is a business associate and must sign a Business Associate Agreement (BAA). Uses and disclosures beyond treatment, payment and healthcare operations require the individual's written authorization.
Ensure that this data cannot be accessed by people who don't need to see it for their jobs (the minimum necessary standard), and keep audit logs of who accessed it.
You can review the details of HIPAA through this document provided on the HHS website.
Restricting Access to PII in Rebus
After you’ve identified the employees who are authorized to view PII and PHI, you can use the following functionalities to restrict access.