PHI/PII & Preventing Security Violations

Modified on Tue, Nov 21, 2023 at 2:51 PM

Updated 11/21/2023

All ESRD Networks are required to follow CMS policy for handling security violations.

  • CMS policy is different from policies at other organizations.
  • Corporate email policies do not apply outside of your organization.
  • All facility emails and support tickets that contain PHI/PII must be immediately reported to CMS.

PII: Personally Identifiable Information

  • First Name
  • Last Name
  • Initials
  • Date of Birth (DOB)
  • Social Security Number (SSN)
  • Medicare Beneficiary ID (MBI)
  • Patient Address


PHI: Protected Health Information

  • Any PII listed above in combination with any detailed specifics below:
    • Lab results
    • Behavioral concerns
    • Treatment type/duration
    • Past, present, or future:
      • physical or mental health conditions
      • healthcare provided
      • healthcare payment information


If you email or submit via ticket any PHI/PII to the Network, you will be reported to CMS, and you will need to complete the US Department of Health and Human Services Cybersecurity Awareness Training and provide a copy of the Certificate upon completion: 

When contacting the ESRD Network, always include the UPI, never any PHI/PII!!

If you have any questions, please review resources here: 

  • HIPAA Training Materials: Link
  • Health Information Privacy: Link
  • Understanding Patient Safety Confidentiality: Link
  • HIPAA Basics for Providers: Privacy, Security, and Breach Notification Rules: Guide
  • National Provider Identifier Standard (NPI): Link
