ESRD Networks follow security policies and procedures, as required by CMS, to protect patient information and prevent data security breaches. CMS defines a security breach as the loss of control; compromise; unauthorized disclosure, acquisition or access; or any situation in which persons other than authorized users, or authorized users acting for other than authorized purposes, have access or potential access to personally identifiable information, whether physical or electronic.
Data security breaches occur when Personally Identifiable Information (PII) or Protected Health Information (PHI) is inappropriately exposed. Examples include sharing an individual's Social Security number (PII) or clinical diagnosis (PHI), such as ESRD, with unauthorized individuals or systems. Data security breaches can include, but are not limited to, PII or PHI sent via Internet email; left unattended on a desk, fax machine or printer; or left visible on a computer monitor.
With the frequent use of the web-based ESRD data-collection system, CROWNWeb, the potential for security breaches is significant. It is essential for dialysis facilities to protect PII and PHI by implementing reasonable and appropriate administrative, physical and technical safeguards for the processing and transmission of this data.
- Develop policies and procedures to ensure protection/secure transmission of PII and PHI.
- Do not send PII or PHI using Internet email. Many dialysis organizations have an intranet, which may provide a safe way to send patient information, provided that mail stays within the organization's own systems and is not relayed over the public Internet.
- When emailing the Network, check that no PII or PHI is included before you click "send."
- CMS has approved sending CROWNWeb Unique Patient Identifiers (UPIs) in email. Using the UPI, rather than a name, Social Security number or diagnosis, to identify a patient when communicating with the ESRD Network is considered a best practice.
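The pre-send check above is easy to automate. The following is an added example, not a tool provided by CMS, CROWNWeb or any ESRD Network: it scans a draft message for common PII/PHI markers (Social Security numbers, dates of birth, medical record numbers and diagnosis language), treats UPI tokens as permitted identifiers, and redacts the flagged values. The UPI format (`UPI` followed by 6 to 10 alphanumerics) and the sample message are assumptions constructed for illustration; check the real identifier format against CROWNWeb documentation before relying on the pattern.

```python
import re

# Constructed sample draft, as it might be pasted into an email to the Network.
# It carries one permitted identifier (a UPI) and several items that must not be sent.
SAMPLE_BODY = """Hello Network,
Please update the record for patient UPI 1234567A.
Old SSN on file was 123-45-6789, DOB 05/14/1958, and the diagnosis is ESRD secondary to diabetes.
Thanks"""

# Hypothetical UPI format, assumed for this example: "UPI" followed by 6-10 alphanumerics.
UPI_RE = re.compile(r"\bUPI\s*[:#]?\s*([A-Z0-9]{6,10})\b", re.I)

# Direct identifiers that should never appear in Internet email to the Network.
PATTERNS = {
    # SSN in dashed form; the lookaheads reject area/group/serial values SSA never issues.
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # Date of birth in US M/D/YYYY form; any full date tied to a patient is PHI.
    "dob": re.compile(r"\b(0?[1-9]|1[0-2])/(0?[1-9]|[12]\d|3[01])/(19|20)\d{2}\b"),
    # Facility medical record numbers, e.g. "MRN 0012345".
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{5,}\b", re.I),
}

# Diagnosis language: a bare word such as "ESRD" is fine in a Network email, but
# "diagnosis"/"diagnosed" next to a patient reference usually introduces PHI.
PHI_TERM_RE = re.compile(r"\bdiagnos(?:is|ed)\b", re.I)


def find_sensitive(body: str) -> list[tuple[str, str]]:
    """Return (category, matched_text) pairs for every suspected PII/PHI item."""
    findings = []
    for name, rx in PATTERNS.items():
        for m in rx.finditer(body):
            findings.append((name, m.group(0)))
    for m in PHI_TERM_RE.finditer(body):
        findings.append(("phi_term", m.group(0)))
    return findings


def allowed_identifiers(body: str) -> list[str]:
    """Return the UPI values present; these are the identifiers CMS permits in email."""
    return [m.group(1) for m in UPI_RE.finditer(body)]


def is_safe_to_send(body: str) -> bool:
    """True when no PII/PHI marker was found (UPIs alone do not block sending)."""
    return not find_sensitive(body)


def redact(body: str) -> str:
    """Replace each direct identifier with a labelled placeholder; UPIs are left intact."""
    out = body
    for name, rx in PATTERNS.items():
        out = rx.sub(f"[REDACTED {name.upper()}]", out)
    return out


if __name__ == "__main__":
    for category, text in find_sensitive(SAMPLE_BODY):
        print(f"blocked: {category:8} {text}")
    print("permitted identifiers:", allowed_identifiers(SAMPLE_BODY))
    print("safe to send:", is_safe_to_send(SAMPLE_BODY))
    print(redact(SAMPLE_BODY))
```

A check like this belongs in the mail client or outbound gateway, not only in a script the sender remembers to run; it also catches only the markers it knows about, so a clean result means "nothing obvious was found," not "no PHI is present," and the sender's own review still applies.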
For CMS security resources, see https://qionet.sdps.org/training_resources/Security%20Resources.shtml