Updated 11/21/2023
All ESRD Networks are required to follow CMS policy for handling security violations.
- CMS policy is different from policies at other organizations.
- Corporate email policies do not apply outside of your organization.
- All facility emails and support tickets that contain PHI/PII must be immediately reported to CMS.
PII: Personally Identifiable Information
- First Name
- Last Name
- Initials
- Date of Birth (DOB)
- Social Security Number (SSN)
- Medicare Beneficiary ID (MBI)
- Patient Address
PHI: Protected Health Information
- Any PII listed above in combination with any detailed specifics below:
- Lab results
- Behavioral concerns
- Treatment type/duration
- Past, present, or future:
- physical or mental health conditions
- healthcare provided
- healthcare payment information
NOT PHI/PII: EQRS UPI
If you email or submit via ticket any PHI/PII to the Network, you will be reported to CMS, and you will need to complete the US Department of Health and Human Services Cybersecurity Awareness Training and provide a copy of the certificate upon completion: https://www.hhs.gov/sites/default/files/hhs-etc/cybersecurity-awareness-training/index.html