electronic protected health information (ePHI)
What is electronic protected health information (ePHI)?
Electronic protected health information (ePHI) is protected health information that is produced, saved, transferred or received in an electronic form. In the United States, ePHI management and security is covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.
In the United States, PHI in the context of HIPAA refers to healthcare information about a patient that can identify them. PHI can be stored in paper or electronic form. The electronic form is known as ePHI.
Many types of electronically stored medical information are considered ePHI. The U.S. Department of Health and Human Services defines ePHI identifiers as the following data:
- Name.
- Address.
- Contact details, such as the following:
- Phone number.
- Fax number.
- Email address.
- Social Security number.
- Relevant dates directly related to an individual, including the following:
- Birthdate.
- Date of admission.
- Date of discharge.
- Date of death.
- Medical record numbers.
- Health insurance plan beneficiary number.
- Account number.
- Vehicle identifiers, e.g., license plate numbers.
- Certificate or license number.
- IP address.
- Device attributes.
- Digital identifiers, such as the following:
- Website URLs.
- Social media accounts.
- Biometric identifiers, such as the following:
- Fingerprints.
- Voiceprints.
- Full face photos.
- Other uniquely identifying characteristics or numbers.
Examples of ePHI records
All the following records contain ePHI that can be used to identify a patient:
- Laboratory reports and test results.
- Electronically stored appointments, e.g., appointments stored in a scheduling app.
- Electronically stored information about procedures performed by a healthcare provider.
- Electronically stored patient notes.
- E-prescriptions.
- Emails and phone records, i.e., communication between the patient and a healthcare provider.
- Bills.
- Digital scans, including X-rays and magnetic resonance imaging scans.
- Admissions and discharge records.
Why is ePHI collected?
Medical professionals and healthcare organizations, including doctors and hospitals, collect and store ePHI to identify patients and determine what kind of care they need. In doing so, they can design a safe and personalized care plan and deliver high-quality, cost-effective care in the most efficient manner. For instance, a referring provider may wish to share digital imaging results with a subspecialist for an e-consult to obtain a more precise diagnosis.
Health insurers and healthcare clearinghouses also collect ePHI in connection with billing, insurance coverage verification, claim assessment, reimbursements and similar transactions.
While conducting research with human subjects, such as clinical trials, researchers may also collect ePHI from study participants to better understand and analyze their results. For example, researchers who are investigating chronic conditions, like asthma or diabetes, might want to look at whether people who live in certain geographic areas are more likely to have these diseases. If this information is entered into the participant's electronic medical record or is used to deliver care through the study, such as evaluating an intervention, then it becomes ePHI.
In HIPAA documentation, any organization or corporation that directly handles ePHI is referred to as a covered entity (CE). A CE refers to healthcare providers, health plans and healthcare clearinghouses -- e.g., billing services, repricing companies, community health management information systems -- and it can be an organization or an individual.
A business associate (BA) is a third-party vendor or subcontractor that provides some service to a CE, such as data storage or software development. Both CEs and BAs can create and access PHI, as long as they have implemented the security safeguards mandated by the HIPAA Security Rule.
What is not considered ePHI?
Information that is not one of HIPAA's 18 identifiers or not used in connection with healthcare delivery is not considered to be ePHI. In addition, any information that is not collected or maintained by a CE or BA is not ePHI.
The following information is also not considered ePHI:
- Information in an individual's school or employment records.
- Health data that is stripped of any identifiers, also known as deidentified or anonymized data.
- Information stored in electronic media, e.g., apps or wearable devices, that is only accessed or shared by the person to whom that data belongs,
Where is ePHI stored?
A healthcare organization can store and access ePHI in many types of IT infrastructure and end-user devices:
- Computers.
- External hard drives.
- Digital storage systems.
- Magnetic tapes.
- Smartphones.
- Other portable devices.
EPHI can also be stored in the cloud, as long as the organization has a BA agreement in place and applies the same HIPAA-compliant security requirements to the ePHI that it applies to on-premises ePHI.
EPHI and HIPAA
All CEs and BAs that fall under the purview of HIPAA are required to protect ePHI by complying with the HIPAA Security Rule and HIPAA Privacy Rule. Noncompliance with either rule can result in civil or criminal penalties against the noncompliant organization or individual.
EPHI and HIPAA Security Rule
All CEs, including hospitals, doctors' offices and health insurance providers, must abide by HIPAA Security Rule guidelines when handling ePHI. This includes ePHI data at rest, as well as ePHI data in transit.
According to the HIPAA Security Rule, CEs must take reasonable steps to ensure the confidentiality, integrity and availability (CIA triad) of all ePHI they create, receive, maintain or transmit. This includes identifying and protecting against reasonably anticipated threats to the security or integrity of the information.
Because the healthcare marketplace is so diverse, the HIPAA Security Rule for ePHI is designed to be flexible and enable CEs to implement policies, procedures and technologies that are appropriate to the entity's size, capabilities and risk appetite. To help CEs plan appropriately, the rule specifies a series of administrative, physical and technical security procedures -- known as safeguards -- that CEs must implement to use to assure the CIA of ePHI.
Safeguards for ePHI security under HIPAA Security Rule
The HIPAA Security Rule specifies three categories of safeguards that CEs must implement to protect ePHI: administrative, physical and technical.
Administrative
- Implement measures to prevent, detect, contain and mitigate security violations.
- Identify and analyze potential risks to ePHI, and implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
- Designate a security official to be responsible for developing and implementing the organization's security policies and procedures.
- Implement policies and procedures to ensure appropriate access to ePHI.
- Implement measures to supervise workforce members who work with or access ePHI.
- Perform periodic assessments to determine how well the implemented security policies and procedures meet the requirements of the HIPAA Security Rule.
Physical
- Limit physical access to facilities, while still ensuring that authorized access is allowed.
- Implement policies and procedures that specify the proper use, transfer, removal and disposal of electronic media containing ePHI.
Technical
- Implement technical policies and procedures that allow only authorized persons to access ePHI.
- Implement hardware, software and/or procedural mechanisms to log and analyze activity in information systems that contain or use ePHI.
- Implement policies and procedures to prevent the improper alteration or destruction of ePHI.
- Implement technical security measures, such as encryption, to guard against unauthorized access to ePHI as it is being transmitted over an electronic network.
EPHI and HIPAA Privacy Rule
The HIPAA Privacy Rule requires organizations that conduct healthcare transactions electronically to take reasonable steps to limit the use and disclosure of PHI, including ePHI. Per this rule, they must implement appropriate measures to protect the privacy of PHI. The rule also sets several limits and conditions regarding the use and disclosure of PHI that may be made without an individual's authorization.
In addition, the rule clarifies the rights that individuals have over their own PHI, including the right to do the following:
- Examine and obtain a copy of their health records.
- Request correction of their health records.
- Direct a CE to transmit an electronic copy of their PHI to a third party.
HIPAA requires CEs to implement appropriate safeguards to protect ePHI throughout its lifecycle. See how to properly dispose of ePHI under HIPAA.