What does a report for health information look like?

A Health Information (PHI/HIPAA) report in Spirion Sensitive Data Platform is designed to provide a comprehensive inventory of medical-related sensitive data to ensure compliance with regulations like HIPAA and HITECH.

Based on best practices and healthcare case studies, a robust PHI report template should include the following sections and data points:

1. Executive Summary (The "Heat Map")

This section provides a high-level view for Risk Officers and Management.

  • Total PHI Findings: A count of all medical-related matches across the environment.
  • Risk by Department: A breakdown of where PHI is most concentrated (e.g., Billing, HR, Clinical Research).
  • Top Offenders: The specific endpoints or servers containing the highest volume of unprotected health data.

2. Core PHI Data Types (The "What")

Your template should specifically filter for and display these Spirion-defined Data Types:

  • Medical Record Numbers (MRN): Unique identifiers for patients.
  • Health Insurance Numbers: Policy and group IDs.
  • ICD-9 / ICD-10 Codes: International Classification of Diseases codes.
  • CPT Codes: Current Procedural Terminology codes.
  • Social Security Numbers (SSN): Often used as a secondary identifier in legacy health systems.
  • Patient Names & DOB: When found in proximity to medical codes.

3. Location & Context (The "Where")

This section helps IT and Security teams prioritize remediation.

  • Target Name: The server, endpoint, or cloud repository (for example, \\SharePoint\Clinical_Trials).
  • File Path / Mailbox: The exact location of the file or email.
  • File Type: Identifying if the data is in an Excel sheet (high risk), a scanned PDF (OCR match), or an email attachment.
  • Last Modified Date: Helps distinguish between active clinical data and stale, legacy archives.

4. Compliance & Remediation Status (The "Action")

This is the most important section for proving HIPAA compliance.

  • Classification Label: Shows if the file has been tagged as "Restricted" or "PHI."
  • Protection Status: Is the file encrypted, or is it "Unprotected"?
  • Remediation History: A log of actions taken (for example, "File Shredded," "Quarantined to Secure Server," or "Redacted").
  • False Positive Rate: A metric showing the accuracy of the scan to build trust with clinical staff.

Example Template Layout (Tabular View):

| Target Name  | File Path                       | Data Type Found   | Match Count | Classification | Action Taken   |
|--------------|---------------------------------|-------------------|-------------|----------------|----------------|
| MED-SRV-01   | \Billing\2023_Claims.xlsx       | ICD-10, MRN       | 450         | Restricted     | Quarantined    |
| LAPTOP-JDOE  | C:\Users\jdoe\Desktop\Notes.txt | SSN, Patient Name | 12          | Unlabeled      | Shredded       |
| O365-Archive | Inbox\Old_Patient_Records.msg   | Insurance ID      | 85          | Confidential   | None (Pending) |

Pro-Tip for Health Reports:

  • Use Proximity Searching: In your report configuration, prioritize results where a Patient Name is found within 50 characters of an MRN or ICD-10 code. This "Contextual PHI" is much higher risk than a random string of numbers.
  • Automate for Audits: Set this report to generate automatically every month and deliver it to your Privacy Officer. This creates a "defensible audit trail" required for HIPAA/HITRUST certifications.
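As an added illustration of the proximity rule above (not code from Spirion or from this article), the Python below scans a constructed clinical note, tallies matches per data type as the tabular layout does, and flags only those patient names that sit within 50 characters of an MRN or ICD-10 code. The regular expressions for MRN and patient names are assumed placeholder formats, not Spirion's own data-type definitions.

```python
import re
from collections import Counter, namedtuple

# Constructed sample note; every name and identifier in it is fictitious.
SAMPLE_TEXT = (
    "Patient: Jane Doe, MRN 00123456, dx E11.9 (type 2 diabetes).\n"
    "Invoice batch 2023-11 totals 450 claims, no patient identifiers here.\n"
    "Patient: John Roe asked for a copy of the practice's privacy notice.\n"
    "Lab result J45.909 attached.\n"
)

# Assumed patterns, not Spirion's own data-type definitions: ICD-10 is a
# letter, two digits and an optional dotted suffix; MRN is a placeholder
# 'MRN' + 6-10 digits; a name is 'Patient:' + two capitalised words.
PATTERNS = {
    "ICD-10": re.compile(r"\b[A-Z]\d{2}(?:\.[A-Z0-9]{1,4})?\b"),
    "MRN": re.compile(r"\bMRN\s*\d{6,10}\b"),
    "Patient Name": re.compile(r"Patient:\s*([A-Z][a-z]+ [A-Z][a-z]+)"),
}

Finding = namedtuple("Finding", "data_type start end text")

def find_matches(text):
    """Run every pattern over the text; findings come back ordered by offset."""
    findings = []
    for data_type, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            grp = m.lastindex or 0  # report the capture group when there is one
            findings.append(Finding(data_type, *m.span(grp), m.group(grp)))
    return sorted(findings, key=lambda f: f.start)

def match_counts(findings):
    """Per-type totals: the report's 'Data Type Found' / 'Match Count' columns."""
    return dict(Counter(f.data_type for f in findings))

def contextual_phi(findings, window=50):
    """Names within `window` chars of an MRN or ICD-10 code, as (name, anchor
    type, anchor text, gap). Names with no code nearby are not returned."""
    anchors = [f for f in findings if f.data_type in ("MRN", "ICD-10")]
    flagged = []
    for name in (f for f in findings if f.data_type == "Patient Name"):
        for a in anchors:
            gap = max(a.start - name.end, name.start - a.end, 0)
            if gap <= window:
                flagged.append((name.text, a.data_type, a.text, gap))
                break
    return flagged
```

On the sample note, "Jane Doe" is flagged because an MRN follows two characters later, while "John Roe" is counted as a name match but not as contextual PHI, since the nearest code is 63 characters away.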