Considerations for Sensitive PHI (SPHI)

As part of the request to use EDSP services, projects must assess whether the data from the service involves legally guarded patient information. If such data is to be consumed or processed by the project, the plan to protect that data must be included in the request. In addition, Mass General Brigham standards for maintaining data security must be addressed. Specifically:

Is PHI is included in the data provided? Will the project use any of that PHI? If so, what process will be used to insure that the proposed uses of the data meet the Minimum Necessary Standard?
Is SPHI included in the data provided by the requested service(s)? Will the project use any of that SPHI? If so, specifically what SPHI will be used?
Will authorization of the users of the project be managed via PHS Domain Accounts? If not, what method is used to grant and manage authorization for the project?
Will access to and activity within the project be audited? If not, why? If auditing is in place, where are the records stored? Who monitors the audit records? What data do the audit records contain?
Will the data be stored locally?
Will the data be shared with an entity outside of Mass General Brigham? If so, has the project obtained a CyberSecurity Risk Management Assessment?
If a third-party vendor is involved in the request, is there an active BAA in place for the project?
For applications, will text or email messages be generated? Who will be the recipients? What information will the message(s) contain?

Things to know

Protected Health Information (PHI) definition from Policy Central
Use and Disclosure of PHI PH-102 from Policy Central, includes a list of sensitive PHI categories