PHI Defined
Protected Health Information (PHI) is any information that links health status to an identifiable individual. Even a name combined with a doctor's appointment date is PHI.
HIPAA vs GDPR
HIPAA (US) focuses specifically on the portability and privacy of health data. GDPR (EU) covers personal data more broadly but imposes specific restrictions on 'sensitive' categories, including health data.
Technical Safeguards
Encryption at rest and in transit is mandatory. Access controls must identify each user uniquely (no shared accounts). Automatic logoff is required.
Admin Safeguards
You need training policies, risk management processes, and incident response plans. It's not just code; it's process.
Physical Safeguards
Servers must be physically secured (AWS and GCP offer HIPAA-compliant zones). Policies governing the devices employees use to access PHI are required.
Business Associate Agreements
If you use third-party vendors (cloud, analytics) to handle PHI, you must sign a Business Associate Agreement (BAA) with each of them, under which they commit to complying as well.
Audit Logs
Record every access to PHI: who viewed what, and when. This is crucial for forensic analysis during a breach and for compliance audits.