If you are associated with an organization subject to HIPAA (Health Insurance Portability and Accountability Act), chances are that you’ve often come across the terms PHI and ePHI. But what exactly are they, and is there a difference between them? And how do you define what should be considered PHI/ePHI? These will be the focus questions of this blog.
What is PHI?
As defined by HIPAA, PHI (Protected Health Information) is considered to be “any identifiable health information that is used, maintained, stored, or transmitted by a HIPAA-covered entity.” HIPAA-covered entities usually include healthcare providers, insurance providers, or business associates of a HIPAA-covered entity.
Moreover, any sort of data or information related to your health is considered PHI. These can include test results, medical history, and personal information like your name or social security number. These personal identifiers must be kept confidential according to HIPAA Privacy Rules.
There are 18 specific patient identifiers. Some of them include:
- Names
- Dates, except the year
- Telephone numbers
- Geographic data
- Fax numbers
- Social Security numbers
- Email addresses
- Medical record numbers
- Account numbers, etc.
What is ePHI?
ePHI, which stands for Electronic Protected Health Information, is PHI that is stored, created, or transmitted electronically. ePHI was first defined in the HIPAA Security Rule, and organizations were instructed to implement novel safeguards to protect the data and ensure its integrity.
ePHI can be found in a variety of digital forms, such as systems that operate with a cloud database, patient data shared via email, or patient data stored on a hard disk, computer, or flash disk. ePHI needs constantly updated protocols to be safeguarded from cyber attackers and breaches.
Some Exceptions of PHI and ePHI
There is some information that does not fall under PHI or ePHI but is equally important. To understand what falls under PHI/ePHI, use the following guidelines:
- Who recorded the information? Self-recorded information on smart wearables or apps typically does not fall under HIPAA unless connected to a healthcare provider or insurance plan.
- Is the data part of your educational or employment records? These are not covered under HIPAA. Your employer could keep a record of your information, but they will not be recognized as PHI.
- Does the information contain personal identifiers? If not, then it will not be recognized as PHI or ePHI. Such de-identified data is usually used for scenarios such as population health research.
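The identifier list above and the third guideline (no personal identifiers means the data is not PHI) together describe a check that can be automated: scan a record for the identifier categories that have a recognisable shape and treat the record as de-identified only when none is present. The following Python is an added illustration, not code from this blog or from Intone; the regular expressions, the record layout (`name` and `note` fields), and the sample records are all constructed assumptions. It covers only the categories a pattern can detect (SSNs, emails, phone/fax numbers, full dates, medical record and account numbers, state-plus-ZIP strings); names and other geographic data need structured fields or a named-entity tool, which is why the name check relies on the record's own `name` field.

```python
import re
from typing import Dict, List

# Patterns for the HIPAA identifier categories that have a recognisable shape.
# These are illustrative assumptions, not an exhaustive or authoritative set:
# a production scanner would need broader formats and a review step.
PATTERNS: Dict[str, re.Pattern] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # US-style phone or fax numbers such as (410) 555-0123 or 410-555-0123
    "phone_or_fax": re.compile(
        r"(?<!\d)(?:\+1[ -]?)?\(?\d{3}\)?[ -]?\d{3}-\d{4}(?!\d)"),
    # Full dates (month and day present). A bare year is NOT flagged, matching
    # the "dates, except the year" identifier in the post.
    "date": re.compile(
        r"\b(?:\d{1,2}/\d{1,2}/(?:19|20)\d{2}|(?:19|20)\d{2}-\d{2}-\d{2})\b"),
    "medical_record_number": re.compile(r"\bMRN\s*[:#]?\s*\d{5,}\b", re.IGNORECASE),
    "account_number": re.compile(
        r"\b(?:acct|account)\s*(?:no\.?|#|:)?\s*\d{6,}\b", re.IGNORECASE),
    # Geographic data: a two-letter state code followed by a ZIP code (assumed format)
    "zip_code": re.compile(r"\b[A-Z]{2} \d{5}(?:-\d{4})?\b"),
}


def find_identifiers(text: str) -> Dict[str, List[str]]:
    """Return every identifier category found in free text, with the matches."""
    found: Dict[str, List[str]] = {}
    for category, pattern in PATTERNS.items():
        matches = pattern.findall(text)
        if matches:
            found[category] = matches
    return found


def scan_record(record: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan a record made of a structured 'name' field plus a free-text 'note'.

    Names cannot be found reliably by regex, so the name category is taken
    from the structured field; everything else comes from the note text.
    """
    found: Dict[str, List[str]] = {}
    name = record.get("name", "").strip()
    if name:
        found["name"] = [name]
    found.update(find_identifiers(record.get("note", "")))
    return found


def is_safe_harbor_deidentified(record: Dict[str, str]) -> bool:
    """True only when no detectable identifier category remains in the record."""
    return not scan_record(record)


def redact(text: str) -> str:
    """Replace each detected identifier with a category tag, e.g. [SSN]."""
    for category, pattern in PATTERNS.items():
        text = pattern.sub(f"[{category.upper()}]", text)
    return text


# Constructed sample records (fictional data, not taken from any real source).
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "note": ("Patient Jane Doe (MRN 00482913), DOB 04/15/1987, lives in "
             "Baltimore, MD 21201, reached at (410) 555-0123 or "
             "jane.doe@example.com. SSN 123-45-6789 on file. Follow-up 2023-11-02."),
}
DEIDENTIFIED_RECORD = {
    "name": "",
    "note": "Female patient born in 1987 with hypertension; follow-up scheduled in 2023.",
}

if __name__ == "__main__":
    for label, rec in (("sample", SAMPLE_RECORD), ("deidentified", DEIDENTIFIED_RECORD)):
        print(f"{label}: identifiers found = {sorted(scan_record(rec))}, "
              f"de-identified = {is_safe_harbor_deidentified(rec)}")
    print(redact(SAMPLE_RECORD["note"]))
```

Running the module prints the identifier categories found in each constructed record and a redacted copy of the note; the first record is flagged on seven categories while the second, which keeps only years, passes the check. The useful design point is the split between structured fields and free text: a scanner that only looks at column names misses identifiers that clinicians type into notes, and one that only uses regexes misses names, so a defensible de-identification check needs both.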
HIPAA Compliance Requirements for PHI and ePHI
HIPAA compliance focuses on protecting PHI and ePHI through the Privacy Rule (governing use and disclosure) and the Security Rule (ensuring data protection).
Key Safeguards
- Administrative: Policies, risk assessments, workforce training, and contingency plans.
- Physical: Securing access to facilities and devices storing PHI.
- Technical: Encryption, access controls, and audit trails for ePHI security.
Non-Compliance Penalties
- Fines range from $141 to $2,134,831 per violation along with potential reputational and legal risks.
- Regular audits are crucial to maintaining compliance and identifying vulnerabilities.
Real-World Examples
Here are two real-world examples of PHI and ePHI breaches:
1. TridentCare Data Breach (2022)
In June 2022, TridentCare, a Maryland-based mobile clinical services provider, reported that the personal and protected health information of approximately 6,200 patients and their guarantors may have been accessed by unauthorized individuals during a break-in at its facilities. The compromised data included names, dates of birth, and, for some individuals, Social Security numbers. The information was stored on physical hard drives within the facility.
2. AccuDoc Solutions, Inc. Security Incident (2018)
In September 2018, AccuDoc Solutions, Inc., a business associate providing billing and collection services, discovered that an unauthorized user had gained access to a web server containing electronic protected health information for seven of its covered entity clients. This incident potentially exposed the ePHI of approximately 2.65 million individuals. While no data exfiltration was confirmed, the exposure risk called for significant corrective actions.
These incidents highlight the importance of implementing strong security measures to protect both physical and electronic forms of protected health information.
Why Choose Intone to Protect Your ePHI?
Healthcare data breaches are one of the major causes of financial losses and the leak of sensitive personal and healthcare information. PHI and ePHI are prime targets for cyberattacks, with a 2019 HIPAA study revealing that 41.2 million patient records were compromised in 505 breaches. Such incidents can damage reputations and lead to heavy government penalties. IntoneSwift helps safeguard ePHI with strict cyber risk strategies, offering services like penetration testing, vulnerability assessments, web application security, data analytics and integration. Our solutions consist of advanced cybersecurity infrastructure with firewalls and intrusion prevention, regulatory compliance solutions, and secure cloud storage. By preventing unauthorized access, we ensure your sensitive data remains protected against evolving cyber threats.
Check out how Intone can help you streamline your manual business processes with Front-End Robotic Process Automation and Back-End Robotic Process Automation.