If you are associated with an organization that is subject to HIPAA (Health Insurance Portability and Accountability Act), then chances are that you’ve often come across the terms PHI and ePHI. But what exactly are they, and is there a difference between them? And how do you define what should be considered PHI/ePHI? These questions sound easy but can be difficult to answer.
What is PHI?
As defined by HIPAA, PHI (Protected Health Information) is considered to be “any identifiable health information that is used, maintained, stored, or transmitted by a HIPAA-covered entity.” HIPAA-covered entities usually include healthcare providers, insurance providers, or business associates of a HIPAA-covered entity.
Moreover, any data or information related to your health is considered PHI. This can include test results, medical history, and personal information such as your name or Social Security number. These personal identifiers must be kept confidential under the HIPAA Privacy Rule.
There are 18 specific patient identifiers. They are:
- Names
- Dates, except year
- Telephone numbers
- Geographic data
- Fax numbers
- Social Security numbers
- Email addresses
- Medical record numbers
- Account numbers
- Health plan beneficiary numbers
- Certificate/license numbers
- Vehicle identifiers
- Web URLs
- Device identifiers and serial numbers
- Internet protocol addresses
- Full face photos and comparable images
- Biometric identifiers (fingerprint, retinal scan)
- Any unique identifying number or code
What is ePHI?
ePHI, which stands for Electronic Protected Health Information, is PHI that is stored, created, or transmitted electronically. ePHI was first defined in the HIPAA Security Rule, which instructed organizations to implement safeguards to protect the data and ensure its confidentiality and integrity.
ePHI can be found in a variety of digital forms, such as systems backed by a cloud database, patient data shared via email, or patient data stored on a hard disk, computer, or flash drive. ePHI needs constantly updated protocols in order to be safeguarded from cyberattackers and breaches.
There is some information that does not fall under PHI or ePHI but is equally important. To understand what falls under PHI/ePHI, use the following guidelines:
- Who recorded the information? Self-recorded information on smart wearables or apps typically does not fall under HIPAA unless connected to a healthcare provider or insurance plan.
- Is the data part of your educational or employment records? These are not covered under HIPAA. Your employer could keep a record of your allergies, but they will not be recognized as PHI.
- Does the information contain personal identifiers? If not, then it will not be recognized as PHI or ePHI. Such data is usually used for scenarios such as population health research.
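The third guideline above, whether a health record contains any of the 18 identifiers, is the one that can be checked mechanically. The following is an added example and not code from the original article or from Intone: it scans a record for identifier categories that have a recognisable shape (SSNs, phone numbers, email addresses, IP addresses, URLs, full dates) and for fields that are identifiers by definition (names, addresses, medical record numbers, and so on), then produces a de-identified copy in the Safe Harbor style of the list above, keeping only the year of any date. The field names, regular expressions and the sample record are all assumptions constructed for the example; the sample contains no real patient data.

```python
import re
from typing import Dict, List

# Identifier categories from the list above that have a recognisable shape.
# Constructed patterns; a production scanner would need broader coverage.
PATTERNS = {
    "Social Security numbers": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Telephone numbers": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "Email addresses": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "Internet protocol addresses": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "Web URLs": re.compile(r"\bhttps?://\S+"),
    "Dates, except year": re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b"),
}

# Record fields that are identifiers by definition, whatever their value.
# The field names are assumptions about the record layout.
IDENTIFIER_FIELDS = {
    "name": "Names",
    "address": "Geographic data",
    "mrn": "Medical record numbers",
    "account": "Account numbers",
    "plan_id": "Health plan beneficiary numbers",
    "device_serial": "Device identifiers and serial numbers",
}

# Constructed sample record (not real patient data). The "ssn" field is
# deliberately absent from IDENTIFIER_FIELDS so the value-based scan catches it.
SAMPLE = {
    "name": "Jane Doe",
    "mrn": "MRN-0042",
    "dob": "1984-03-17",
    "visit": "2023-11-04",
    "contact": "jane.doe@example.com, (555) 010-4242",
    "ssn": "123-45-6789",
    "diagnosis": "Seasonal allergic rhinitis",
    "note": "Portal login from 203.0.113.7, see https://portal.example.org/visit/99",
}


def scan_record(record: Dict[str, object]) -> List[str]:
    """Return the sorted identifier categories present in a record (empty = none found)."""
    found = set()
    for key, value in record.items():
        text = str(value)
        if key in IDENTIFIER_FIELDS and text.strip():
            found.add(IDENTIFIER_FIELDS[key])
        for category, pattern in PATTERNS.items():
            if pattern.search(text):
                found.add(category)
    return sorted(found)


def is_phi(record: Dict[str, object]) -> bool:
    """Apply the guideline: health data with identifiers is PHI; without them it is not."""
    return bool(scan_record(record))


def deidentify(record: Dict[str, object]) -> Dict[str, str]:
    """Drop identifier fields, redact patterned identifiers, and reduce dates to the year."""
    cleaned = {}
    for key, value in record.items():
        if key in IDENTIFIER_FIELDS:
            continue  # names, MRNs etc. are removed outright
        text = str(value)
        # Dates first, so the year survives instead of being redacted.
        text = PATTERNS["Dates, except year"].sub(r"\1", text)
        for category, pattern in PATTERNS.items():
            if category != "Dates, except year":
                text = pattern.sub("[REDACTED]", text)
        cleaned[key] = text
    return cleaned


if __name__ == "__main__":
    print("identifiers found:", scan_record(SAMPLE))
    print("is PHI:", is_phi(SAMPLE))
    cleaned = deidentify(SAMPLE)
    print("de-identified:", cleaned)
    print("still PHI after de-identification:", is_phi(cleaned))
```

The scan is intentionally conservative: any value that matches a pattern, regardless of which field it sits in, marks the record as PHI, and the de-identified copy is re-scanned so that a redaction miss shows up as a still-PHI result rather than silently passing. Categories with no fixed shape (names, geographic data, free-text descriptions of a person) are only caught by field name here, which is why a field-by-field data inventory matters as much as pattern matching.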
Why Choose Intone to Protect Your ePHI?
Healthcare data breaches are causing massive damage in the form of financial losses and loss of key personal and healthcare information. PHI and ePHI are being relentlessly targeted by cyberattackers. A study conducted by HIPAA found that in the year 2019, the healthcare records of 41.2 million patients were exposed, stolen, or illegally disclosed in 505 healthcare data breaches. These glaring numbers highlight the need to prevent ePHI data breaches, which can tarnish a company’s reputation and result in government fines or penalties. Intone can help protect your ePHI with exceptional cyber risk strategies and execution capabilities. We offer:
- Services such as cybersecurity strategy, penetration testing, internal & external vulnerability assessment, web application security assessment, secure source code review, and many more.
- SSL encryption and AES 256 bit encryption to ensure that your sensitive data is safeguarded against malicious attempts at modification and manipulation.
- State-of-the-art infrastructure in terms of cybersecurity, with secure architecture, firewall, and intrusion detection/prevention system designs to boost your security against cyber breaches and threats.
- An extensive range of regulatory, data privacy, and Sarbanes-Oxley compliance solutions, as well as industry-specific compliance solutions.
- State-of-the-art cloud storage system to protect your data.
- Prevention of unauthorized access, which is amongst the most common methods of data theft.