To All Articles

Are You Using Excel for Storing and Sharing e-PHI Data?


Published on December 18, 2018
Photo by AbsolutVision (

For decades, patient health information has been both the heart of every healthcare entity and one of its most vulnerable areas.

As discussed in our HIPAA for startups article, the goal of HIPAA was to protect patient privacy by keeping protected health information (PHI) private and secure. PHI and e-PHI must be protected from unauthorized access and breach. But preventing data breaches and unauthorized access to stored information is not as easy as it sounds.

The Need for an IT Expert

According to the Office for Civil Rights (OCR) breach database, a lot of reported breaches are a result of stolen or lost laptop, mobile, or other portable devices. It pressures healthcare entities to become more aware of the fact that a properly executed cloud solution can help to solve the issue of securing these devices.

And this is where IT service providers come into play.

Cyber-attacks on an organization’s software are one of the main reasons why HIPAA and privacy regulations were implemented in the healthcare sector. An IT specialist can make sure that software storing and transmitting PHI on your entity’s behalf is HIPAA compliant. To protect all electronic devices (hardware) of your organization, they need to assess physical storage and security vulnerabilities.

Data Storage and Encryption

Since an increasing number of patient e-PHI is hosted on an organization’s cloud system, every health care entity needs to obey several data encryption policies.

HIPAA covered entities and business associates must carefully examine specific provisions and policies of their cloud provider before using the service for PHI. Some cloud services don’t provide a business associate agreement, others don’t encrypt data both at rest and in transit, and some services are not HIPAA compliant out-of-the-box but can be custom configured.

At the end of the day, it is your responsibility as a covered entity or business associate to follow all the regulations and choose the service that will secure you from violating HIPAA policies.

Microsoft Excel

According to Microsoft, their services are not officially certified for HIPAA or HITECH yet. However, Office 365 is verified to meet the requirements of the Health Insurance Portability and Accountability Act Business Associate Agreement (HIPAA BAA).

Microsoft Excel, one of the applications included in Office 365, is still commonly used for creating spreadsheets and databases that contain e-PHI even though its ways to protect e-PHI are limited.

When using Microsoft Excel, keep in mind:

1.     Excel data is easy to lose or corrupt.

2.     If several people have access to an Excel file, it does not meet HIPAA requirements because it cannot create a unique authentication login and password. This is important as there is no way to limit access through authorization and it is hard to maintain an audit trail created by event logging.

To stay HIPAA compliant while using Excel for storing and sharing data containing e-PHI, you will need to:

1.     Maintain an access log to document the access for all your staff.

2.     Maintain a change management log that includes information like an individual’s name, time and date of access, and a reason for access (entering new data or modifying existing data, exporting or importing data, and deleting or backing up data).

3.     Enable a password-protected screensaver.

And again, using Microsoft services will not on its own make your records HIPAA compliant. Your organization is the one responsible for ensuring that you have an adequate compliance program and internal processes in place and that your use of Microsoft services aligns with HIPAA regulations.

We Can Help

Itirra’s experts are more than happy to help you keep excel data records HIPAA compliant.

But to make your life a bit easier, we would rather help your organization maintain your HIPAA compliant status by providing you with a tailor-made solution that helps to secure any vulnerable information you may have. We can offer you a centralized cloud solution with full access control and audit logs no matter what device your employees use.

A custom-made solution will:

1. Make an account configured in a way that prevents e-PHI files from being shared with anyone outside your organization.

2. Help you customize your settings and choose an appropriate user access level by easily adding, removing, and reviewing it.

3. Assist you in monitoring any updates to your encrypted files. These include saving, modifying, or deleting. When any of these actions happen, you will be able to see what was done and the details of a person behind it.

4. If needed, provide you with reports that detail your team’s sharing, authentication, and administrator activities. We recommend AWS cloud. However, if you prefer Microsoft Azure, Google Cloud, or something else, we are willing to help your software development team with any related questions.

To find out more or to discuss how a straightforward solution can grow your business and improve the safety of your data, contact us today or arrange a meeting with Michael.