Don’t Forget YOUR Data Deserves Protection, Too

by Mike Semel, Certified HIPAA Security Professional

I’ll never forget showing a business executive some partially redacted Social Security Numbers we found on his HR manager’s unencrypted desktop computer. He exclaimed, “THAT’S MY SOCIAL SECURITY NUMBER!!!”, making it very clear to him why ALL his company’s data needed to be found and protected.

When it comes to cybersecurity and compliance, as a healthcare organization it’s easy to get sucked into focusing only on the Protected Health Information (PHI) that HIPAA protects. Taking such a narrow view of data protection can leave you open to a breach of other sensitive information, including workforce data that holds your own Social Security Number, your salary, and other personal details. It makes sense to take a selfish view of data protection alongside the laws, regulations, contracts, and insurance policy requirements with which your organization must comply. You also shouldn’t forget general business information that you don’t want shared with competitors or with others within your own company.

To develop a comprehensive cybersecurity strategy, you first must know what requirements you face. Then you must find and protect ALL your data.

As a healthcare organization, you must comply with the HIPAA Security Rule that protects PHI. A new HIPAA law provides financial incentives if you implement the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF).

Don’t make the mistake of only protecting PHI and ignoring your other data.

Consider all your data. Don’t forget the voice messages patients leave or the messages your workforce members leave for each other. Because these are likely to contain PHI, they must be encrypted and your phone vendor must meet all the requirements for HIPAA Business Associates.


HIPAA doesn’t protect employee information. If you are collecting information about your workforce members’ health, including injuries, COVID testing, diagnoses, quarantines, and vaccinations, those records are protected under the Americans with Disabilities Act (ADA). This information must be kept confidential, which includes storing medical information separately from an employee’s general HR file.


Every state has a data breach law that protects Social Security Numbers and Driver’s License numbers. Many states also protect medical information, health plan IDs, and biometrics.

You need to know where all this data hides, including the Downloads and Desktop folders and the Recycle Bin on local desktops and laptops.
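As an added example (not part of the article), here is a small Python discovery scan of the folders just named that reports files containing plausible Social Security Numbers, showing only the last four digits so the report itself does not become another copy of the data; the Downloads, Desktop, and Recycle Bin paths are assumptions for a typical Windows or Linux workstation.

```python
# Added example (not from the article): discovery scan for the user folders named above.
# Finds plausible U.S. SSNs and reports only the last four digits of each hit.
import os
import re
from pathlib import Path

# 3-2-4 digit groups, optionally dash/space separated; lookarounds reject runs inside longer numbers.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def is_plausible_ssn(area, group, serial):
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def find_ssns(text):
    """Return a redacted marker (***-**-1234) for each plausible SSN in the text."""
    return [f"***-**-{serial}" for area, group, serial in SSN_RE.findall(text)
            if is_plausible_ssn(area, group, serial)]


def default_roots():
    """Downloads, Desktop, and the Recycle Bin; paths are assumptions for Windows/Linux."""
    home = Path.home()
    if os.name == "nt":
        trash = Path(os.environ.get("SystemDrive", "C:") + r"\$Recycle.Bin")
    else:
        trash = home / ".local" / "share" / "Trash"
    return [home / "Downloads", home / "Desktop", trash]


def scan(roots, max_bytes=5_000_000):
    """Map each file path under the roots to its list of redacted SSN hits."""
    findings = {}
    for root in roots:
        if not root.exists():
            continue
        for path in root.rglob("*"):
            try:  # unreadable or oversized files are skipped, not fatal
                if not path.is_file() or path.stat().st_size > max_bytes:
                    continue
                hits = find_ssns(path.read_text(errors="ignore"))
            except OSError:
                continue
            if hits:
                findings[str(path)] = hits
    return findings


if __name__ == "__main__":
    for file, hits in scan(default_roots()).items():
        print(f"{file}: {len(hits)} possible SSN(s), e.g. {hits[0]}")
```

Run it as the user whose folders you want to inventory; only the redacted markers and file paths are printed, which is what you need to locate the data for encryption or deletion.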

State laws have breach notification requirements that can be as short as 15 days after discovering an incident. State laws exempt encrypted data from breach notification requirements.


I recently worked with a client that had signed over 30 contracts that included cybersecurity and incident notification requirements. Their IT department was shocked when we showed them what requirements had been filed away and not shared with them.

Health plans; federal, state, and local government agencies; clients and customers; and business partners now often include cyber requirements in their contracts. Don’t sign an agreement until you have reviewed the cyber and compliance requirements with your attorney and a cybersecurity expert, because it may include unreasonable processes and incident notification obligations. Don’t sign an agreement and just file it away. Be sure to share your contractual obligations with the departments that must follow them.


Separate from laws and regulations, if you accept credit cards you must comply with PCI-DSS. Depending on your business or your role (an HR Director, for example), you may also have ethical confidentiality requirements tied to your industry or certification.


If you have a cyber theft or cyber liability insurance policy, the answers you gave on your application could cause your insurance company to refuse to pay millions of dollars in claims. A California health care provider paid $9.1 million out-of-pocket when their $10 million cyber insurance policy wouldn’t pay out.

Answering ‘yes’ to “Do you encrypt your protected data?” means that ALL your protected data, not just the PHI you are thinking about, is ALWAYS encrypted. That includes your HR info. It also means voice messages on your computerized Voice over Internet Protocol (VoIP) phone service. And your emails. EVERYTHING.

If you file a claim with your insurance company and they find ANY protected data that isn’t encrypted, they may refuse to pay your claim.


You probably care a lot about data that isn’t protected by compliance requirements.

Do you want the public, everyone in your company, and your competitors to see your payroll, tax returns, job offer letters, contracts, customer lists, plans, merger and acquisition information, etc.?

What could the financial impact be if this information was in the wrong hands?

What would your life be like if your Social Security Number was used to steal your identity?

What would be the cost if you couldn’t recover your critical business data after a ransomware attack or other disaster?

Including all your data in your cybersecurity program is the smart way to protect your organization… and yourself.

Semel Consulting advises HIPAA Covered Entities, Business Associates, and Subcontractors to properly manage their HIPAA compliance.



Certified HIPAA Security Professional | Certified Security Compliance Specialist | Certified Business Continuity Professional | Certified Health IT Consultant

Certified HIPAA Administrator | Certified HIPAA Professional | CMMC-AB Registered Practitioner