What is ePHI? Electronic Protected Health Information
If you work in an organization that is subject to HIPAA, then you have probably heard the terms “PHI” or “ePHI” but might not know exactly what they mean and what the differences between these two terms are. Protected Health Information, or PHI, is the information that HIPAA is designed to protect. When HIPAA was passed in the late 1990s, most of the information that was created and used during healthcare operations at this time was paper or oral. However, since then there has been tons of innovation in the healthcare industry which has led to more PHI being held in electronic form instead. This transition has required the HHS and the text of HIPAA to updated accordingly to now protect the health data of individuals in ways that are more applicable to its electronic form.
Defining ePHI
In order to define ePHI and establish its context within HIPAA and its regulations, lets start by defining PHI more broadly. PHI is any information that can identify an individual and is created, stored, used, or transmitted in the process of healthcare services being provided. PHI can include:
- The past, present, or future physical health or condition of an individual
- Healthcare services rendered to an individual
- Past, present, or future payment for the healthcare services rendered to an individual, along with any of the identifiers shown below.
We’ll explore it more down below, but ePHI is essentially just the electronic version of all things that are considered PHI. Contrary to a common misconception, PHI or ePHI is more than just a medical record but includes anything and everything that can identify a patient ranging from a photograph to their full name on a document.
Related: the 18 PHI identifiers.
When PHI is found in an electronic form, like a computer or a digital file, it is called electronic Protected Health Information or ePHI. This is PHI that is transferred, received, or simply saved in an electronic form. ePHI was first described in the HIPAA Security Rule and organizations were instructed to implement administrative, technical, and physical safeguards to ensure its sanctity and integrity. ePHI can be found in a couple of different forms whether it is shared via email or stored on a hard drive, computer, flash drive, disk, cloud hosting platform, or other.
HIPAA Security Rule and ePHI
It is important to point out that the HIPAA Privacy Rule specifically applies to each and every form of PHI that currently exists or will ever exist in the future. On the other hand, the Security Rule only applies to ePHI and does not apply to paper or oral versions of this same information. Since technological innovation has led to many covered entities, and business associates handling ePHI as a part of their operations, there was a need for a rule that dedicated guidance to this topic.
Themes of HIPAA Security Requirements
There are three key terms that are used to define and categorize the safeguards to ensure the confidentiality, integrity, and availability of ePHI within the HIPAA Security Rule. Let's define what each of these qualities mean in protecting the information.
Confidentiality
This is all about making sure that ePHI is only ever accessible to the people and systems that are authorized to have that access.
Integrity
Through all of its handling, it is important that the integrity of the ePHI is never destroyed or changed in any way that was not authorized.
Availability
Although a key component of the Security Rule is making sure that ePHI is safe and guarded as it should be, it is also equally important to ensure that this information is available and accessible when needed by those who need to access it in order to do their jobs.
Safeguard Requirements within the Security Rule
The Security Rule contains three types of required standards for implementation that all organizations must follow in order to protect ePHI. Each of these safeguards addresses a different important aspect of procedures that should be followed.
What are Administrative Safeguards?
Administrative Safeguards are policies and procedures that are implemented to protect the sanctity of ePHI and ensure compliance with the Security Rule. These requirements cover training and procedures for employees regardless of whether the employee has access to protected health information or not. Specifically these standards include the security management process, security personnel, information access management, and workforce training and security awareness.
What are Physical Safeguards?
Physical Safeguards are the policies and procedures for protecting PHI within electronic information systems, equipment, and the buildings they are housed in from unauthorized intrusion.These safeguards include access controls, workstation use and security procedures, and device and media controls.
What are Technical Safeguards?
The last type of safeguards are the technical controls. HIPAA defines technical safeguards as the policies and procedures that determine how technology protects ePHI as well as control access to that data. This can often be the most challenging regulation to understand and implement. These safeguards include access control, audit control, integrity controls, transmission security, and encryption.
Complying with the Security Rule & Protecting ePHI
When reading through the regulations and requirements for protecting ePHI and complying with the many rules of HIPAA. Luckily, there are HIPAA compliance solutions that have broken down all the vague and complicated law into simplistic step by step processes to make it as easy as possible for you. We founded Accountable for this exact purpose - we want to guide you through the process of achieving HIPAA compliance. We’ve held thousands of companies without a single audit so you can trust the platform to save you time and stress on your HIPAA compliance. Try our platform for free today!