ePHI stands for electronic protected health information. Electronic protected health information is protected under the Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA.
ePHI security is governed by the HIPAA Security Rule. With the rise of telehealth, covered entities need to understand the requirements for safely transmitting, storing, and using ePHI to be compliant with the Security Rule and to protect a patient’s privacy.
What is ePHI?
First, some background. HIPAA’s regulations refer to three acronyms: IIHI, PHI, and ePHI. Understanding the difference between these terms can help you design a layered security system that optimizes your organization’s IT resources while providing sufficient protections against data breaches.
IIHI stands for individually identifiable health information. IIHI includes not only a person’s medical information but also their demographics and details such as a patient’s past, present, or future medical condition; healthcare treatment or services provided to the patient; or past, present, or future payment for the provision of healthcare to a patient.
PHI stands for protected health information. PHI is protected under the HIPAA Privacy Rule. It differs from IIHI in that all PHI is IIHI, but not all IIHI is PHI. “This is because HIPAA does not protect all individually identifiable health information. The IIHI has to be transmitted or maintained in some form to be protected (PHI),” explained HIPAA Trek.
HIPAA defines PHI — and ePHI, which is essentially the same information in digital form — using a list of 18 identifiers. These identifiers help organizations understand exactly what makes a piece of information “identifiable” and subject to regulation.
The 18 ePHI and PHI identifiers are:
- Names (of patients, relatives, or employers)
- Social security numbers
- Device identifiers and serial numbers
- All geographic subdivisions smaller than a State
- Medical record numbers
- Web Universal Resource Locators (URLs)
- All elements of dates (except year) including birth date, admission date, discharge date, date of death; and all ages over 89
- Health plan beneficiary numbers
- Internet Protocol (IP) address numbers
- Telephone numbers
- Account numbers
- Biometric identifiers, including finger and voiceprints
- Fax numbers
- Certificate/license numbers
- Full face photographic images and any comparable images
- Electronic mail addresses
- Vehicle identifiers and serial numbers, including license plate numbers
- Any other unique identifying number, characteristic, or code
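As an added example that is not part of the original article, the following Python scanner checks a text record for the pattern-detectable identifiers in the list above, so a record can be routed to ePHI handling, and produces a de-identified copy in the style of the HIPAA Safe Harbor method (the 18-identifier list is that method): identifiers masked, dates reduced to the year, ages over 89 bucketed as 90+. The regexes, category names and the sample record are constructed for illustration; names, biometrics and photos are not pattern-detectable and are out of scope.

```python
import re

# Pattern-detectable subset of the 18 identifiers listed above.
# Constructed for this example and not exhaustive: names, biometrics
# and photos need other techniques (NER, dictionaries, image handling).
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+"),
    "mrn": re.compile(r"\bMRN[: ]+\d+\b", re.I),
    "zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),  # geography below state level
}
DATE = re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b")              # ISO dates
AGE = re.compile(r"\b(?:age|aged)\s+(\d{1,3})\b(?!\+)", re.I)  # "aged 92"

def find_identifiers(text):
    """Return the set of identifier categories present, so the record can be
    routed to ePHI handling (access control, encryption, audit logging)."""
    found = {name for name, rx in PATTERNS.items() if rx.search(text)}
    if DATE.search(text):
        found.add("date")
    if any(int(m.group(1)) > 89 for m in AGE.finditer(text)):
        found.add("age_over_89")
    return found

def safe_harbor_redact(text):
    """De-identify: mask detectable identifiers, keep only the year of each
    date (year alone is not on the list), and bucket ages over 89 as 90+."""
    for name, rx in PATTERNS.items():            # dict order: SSN before ZIP
        text = rx.sub(f"[{name.upper()}]", text)
    text = DATE.sub(lambda m: m.group(1), text)
    text = AGE.sub(lambda m: "age " + ("90+" if int(m.group(1)) > 89
                                       else m.group(1)), text)
    return text

# Constructed sample record (fictional patient, documentation example values).
RECORD = (
    "Patient Jane Doe, MRN 00123456, DOB 1951-03-14, aged 92, "
    "SSN 123-45-6789, phone (555) 123-4567, email j.doe@example.com, "
    "lives in ZIP 02139, portal https://portal.example.org/p/42 "
    "from IP 203.0.113.7. Admitted 2024-01-05 with hypertension."
)

if __name__ == "__main__":
    print(sorted(find_identifiers(RECORD)))
    print(safe_harbor_redact(RECORD))
```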
HIPAA requirements for handling ePHI
Put briefly, HIPAA requires covered entities to ensure the confidentiality, integrity, and availability of ePHI. But the Department of Health and Human Services designed the Security Rule to be flexible enough for health organizations to take advantage of cloud platforms and new technologies.
“A major goal of the Security Rule is to protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care,” wrote the HHS. “Given that the health care marketplace is diverse, the Security Rule is designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity’s particular size, organizational structure, and risks to consumers’ e-PHI.”
As such, protecting ePHI begins with a risk assessment. This risk assessment investigates each covered entity's resources and work environment, including the size, complexity, and capabilities of the covered entity. It documents the covered entity’s technical infrastructure, including any hardware and software used to access and transmit ePHI, evaluates the potential risks to ePHI, and estimates the cost of any additional security measures needed.
From this risk assessment, each covered organization can design a tailored cybersecurity plan that protects the integrity of ePHI.
How to protect ePHI
One useful resource for implementing the HIPAA Security Rule is the NIST Cybersecurity Framework. NIST is a non-regulatory agency that works with many commercial sectors and government agencies to create policies and standards that will benefit technology development. The core of the NIST framework consists of five functions: Identify, Protect, Detect, Respond, Recover.
HHS, in partnership with NIST, provides a mapping resource that helps covered entities map the HIPAA Security Rule onto the NIST Framework. This lets IT teams identify which parts of the NIST Framework the organization is already meeting, and where it can incorporate new practices into its risk management program.
“This mapping document also allows organizations to communicate activities and outcomes internally and externally regarding their cybersecurity program by utilizing the Cybersecurity Framework as a common language,” wrote the HHS.
While the NIST Framework does not guarantee total HIPAA compliance, it’s a very comprehensive starting point for protecting ePHI. The NIST Cybersecurity Framework is more granular than the HIPAA Security Rule; as a result, mapping the administrative, physical, and technical safeguard standards to the Framework can help the covered entity identify vulnerabilities and improve compliance.
This is one approach to meeting ePHI security needs.