Earlier this year, the US Department of Health and Human Services Office for Civil Rights, HHS OCR for short, delivered two reports to Congress on the state of protected health information security and HIPAA compliance efforts in 2021. It was revealed that between 2017 and 2021, complaints about violations of HIPAA shot up by 39% and large breaches by 58%. The OCR got 609 notifications of events affecting 500 or more individuals that in total reached approximately 37.2 million patients.
It’s safe to say that there’s still much to do – and learn – about the protection and confidential handling of health information to support greater privacy for patients and compliance with HIPAA’s privacy and security rules for covered entities. This is especially true in the digital space, where healthcare providers face a growing number of threats, from phishing emails used to steal patient data to DDoS attacks that can disrupt a facility’s operations to the point where it can’t provide proper care.
So what is ePHI – and what is not ePHI – under HIPAA? And what best practices are there to safeguard electronic protected health information from being compromised? Read on to find out.
What does ePHI stand for – and what’s the difference between PHI and ePHI?
In short, ePHI stands for “electronic protected health information” and roughly means “PHI in electronic form.” But let’s dive a bit deeper into this.
Under the Security Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), ePHI is defined as “individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form.” Protected health information transmitted orally or in writing is excluded. This means that ePHI is a subset of protected health information (PHI), also referred to as personal health information, which is protected by the Privacy Rule of the HIPAA law.
As per the HIPAA Privacy Rule, PHI refers to any information, oral or recorded, which has been “created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.”
What’s not ePHI? Common ePHI examples and exclusions
Any health information handled electronically by a HIPAA-covered entity qualifies as ePHI if it is paired with one of the 18 identifiers specified by the HIPAA Act. These include:
- Names (full or last name and initial);
- All geographical identifiers smaller than a state;
- Dates (other than year) directly related to an individual;
- Phone numbers, fax numbers, email addresses;
- Social security numbers, medical record numbers, health insurance beneficiary numbers, account numbers and certificate or license numbers;
- Vehicle identifiers (including serial numbers and license plate numbers) and device identifiers and serial numbers;
- Web uniform resource locators (URLs) and internet protocol (IP) address numbers;
- Biometric identifiers, including finger, retinal and voice prints, as well as face photographic images and any comparable images;
- Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data.
It’s important to note here that health information without any of these identifiers isn’t considered PHI or ePHI. For example, according to UC Berkeley, a data set of vital signs doesn’t fall into the category of protected health information. However, if the vital signs are assigned to medical record numbers, the entire data set becomes PHI. By extension, if such a data set is emailed to a health insurance plan provider, it qualifies as ePHI.
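The following added example (not code from the original post or from Tresorit) applies the rule above to a record: it checks a dictionary for a subset of the listed identifiers, by field name and by value pattern, and strips them for the vital-signs case. The field names, patterns and sample records are constructed assumptions, not an exhaustive Safe Harbor implementation.

```python
import re

# Constructed value patterns for some of the listed identifiers (SSN, phone,
# email, IP address, URL, and dates more precise than a year).
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}

# Constructed field names that hold identifiers regardless of value format
# (names, medical record numbers, geography smaller than a state, device ids).
IDENTIFIER_FIELDS = {
    "name", "mrn", "medical_record_number", "ssn", "zip", "street",
    "email", "phone", "device_serial", "license_plate", "account_number", "photo",
}


def find_identifiers(record):
    """Return the sorted identifier categories present in a record."""
    found = set()
    for field, value in record.items():
        if field.lower() in IDENTIFIER_FIELDS and value not in (None, ""):
            found.add(field.lower())
        if isinstance(value, str):
            for name, pattern in IDENTIFIER_PATTERNS.items():
                if pattern.search(value):
                    found.add(name)
    return sorted(found)


def is_phi(record):
    """A data set with no identifier (e.g. bare vital signs) is not PHI."""
    return bool(find_identifiers(record))


def deidentify(record):
    """Drop identifier fields, keep only the year of dates, redact pattern hits."""
    clean = {}
    for field, value in record.items():
        if field.lower() in IDENTIFIER_FIELDS:
            continue
        if isinstance(value, str):
            value = IDENTIFIER_PATTERNS["full_date"].sub(lambda m: m.group(0)[:4], value)
            for name, pattern in IDENTIFIER_PATTERNS.items():
                if name != "full_date":
                    value = pattern.sub("[REDACTED-%s]" % name.upper(), value)
        clean[field] = value
    return clean
```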
Protecting ePHI: HIPAA Security Rule safeguards explained
As we detailed in our previous post on PII and PHI, the Health Insurance Portability and Accountability Act, also known as Public Law 104-191, was enacted in 1996. It laid the groundwork for establishing proper standards for the privacy and security of individually identifiable health information held by HIPAA-covered entities.
Policymakers then introduced the HIPAA Privacy Rule in December 2000 and the HIPAA Security Rule in February 2003, to set national standards for the protection of individually identifiable health information and to protect the confidentiality, integrity, and availability of electronic protected health information, respectively.
According to the HHS, the HIPAA Security Rule requires covered entities to:
- ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
- identify and protect against reasonably anticipated threats to the security or integrity of the information;
- protect against reasonably anticipated, impermissible uses or disclosures; and ensure compliance by their workforce.
It does so by obliging covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting ePHI. Let’s see what these safeguards are and what they mean for ePHI holders.
1. Administrative safeguards
Under the HIPAA, administrative safeguards are defined as “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.” That is, the security management protocols and workflows, rather than physical or technical means, that covered entities must have in place.
2. Physical safeguards
The physical safeguards of HIPAA's Security Rule concern access to a covered entity's physical structures and electronic equipment, whether buildings, devices, or information systems. There are two key considerations here. First, covered entities must limit physical access to their facilities without limiting authorized access. Second, rules must be set for the proper use of workstations and devices, as well as for the transfer, removal, disposal, and re-use of electronic media, to ensure protection of ePHI.
3. Technical safeguards
HIPAA technical safeguards are related to the technology as well as the relevant measures that HIPAA-covered entities should implement to protect ePHI and control access to it, including audit controls, user verification, and automatic log-off. They also make it clear that encryption is key in fending off unauthorized use and disclosure and must be applied if, having completed a risk assessment, an entity deems it a suitable safeguard in its risk management of the confidentiality, integrity, and availability of ePHI.
Response checklist for accidental ePHI data breaches
1. Inform your Privacy Officer immediately
First things first, the Privacy Officer should decide whether the incident violates HIPAA regulations or the organization’s internal policies. In the case of the former, it’s the Privacy Officer’s duty to determine whether or not the violation constitutes an impermissible use or disclosure. The American Medical Association advises that an impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity demonstrates that there is a “low probability” that the PHI has been compromised.
2. Investigate and prepare risk assessment
Conduct an investigation to understand the full scope of the incident, determine the risk it poses to patient data, and decide the best way to contain and remediate its impact. According to HIPAA Journal, a risk assessment should be carried out to determine the nature of the breach; who accessed PHI and what type of information was involved; which patients were potentially impacted; whom the information was disclosed to and whether there is a possibility of re-sharing; whether PHI was actually accessed; and the extent to which the risk has been mitigated.
3. Notify the public of any unsecured PHI breaches
Once it’s confirmed that a breach of PHI occurred, you must send out notifications as per the provisions of the HIPAA Breach Notification Rule. Parties to be notified might include individuals, HHS and the media and should be informed “without unreasonable delay” or in up to 60 calendar days following the date of discovery. If the breach involves the unsecured PHI of more than 500 people, a prominent media outlet serving the state or jurisdiction in which the breach occurred must be alerted along with HHS.
Safeguarding ePHI: 4 best practices for HIPAA-covered entities
1. When in doubt, encrypt
HIPAA classifies encryption under “addressable” implementation specifications, allowing covered entities to decide whether a given measure is reasonable and appropriate to apply within their security framework. However, “addressable” does not equal “nice to have.” Think about how and how often you transmit ePHI, whether encryption is needed to protect ePHI in transit, and what encryption methods would be best to replace risky email attachments and file transfer methods.
Zero-knowledge encryption, for example, makes it impossible even for your service provider to know anything about your encryption key or the data you’re processing or storing on its servers. Besides adding a near-impenetrable layer of security, encryption also makes it less likely for covered entities to experience a notifiable breach of unsecured ePHI. Even if they do, HIPAA Journal points out, they will be able to demonstrate compliance with a recognized security framework.
2. Make use of freely available resources
For starters, HIPAA-covered entities and their associates should check out the US National Institute of Standards and Technology’s (NIST) Guide for Conducting Risk Assessments detailed in SP 800-30, an industry standard for identifying and prioritizing risks to company operations and data assets and developing the right risk responses. As such, it is also widely used and recommended as a HIPAA risk assessment template.
The NIST HIPAA Security Toolkit Application helps organizations of all sizes better understand the requirements of the Security Rule and how to successfully implement them. Small and medium-sized healthcare practices should consult the HIPAA Security Risk Assessment Tool created by the Office of the National Coordinator for Health Information Technology (ONC) and the OCR to foster Security Rule compliance.
3. Level up your access control policies
A cornerstone of the HIPAA Privacy Rule, the minimum necessary rule dictates that PHI should not be used or disclosed if it’s not strictly necessary to fulfill a legitimate purpose or carry out a particular function. Nip potential ePHI breaches in the bud by using role-based permissions and granular controls, and only allow users, internal or external, access to the specific types of information assets and systems they need. Plus, make sure to keep and monitor logs of who accessed – or attempted to access – protected health information and when, and perform periodic log and permission audits.
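As an added illustration of the three points above (not code from the original post or from Tresorit), the following class enforces a role-based, minimum-necessary permission map over ePHI categories, records every allowed and denied attempt in an audit log, and offers two periodic-audit checks: users with repeated denials and users reaching more distinct patients than their role would normally need. The roles, categories, thresholds and sample requests are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed role-to-category map: each role sees only the ePHI it needs.
ROLE_PERMISSIONS = {
    "physician": {"clinical_notes", "lab_results", "demographics"},
    "billing": {"demographics", "insurance"},
    "front_desk": {"demographics"},
}


class EphiAccessControl:
    def __init__(self):
        self.audit_log = []  # every attempt, allowed or denied, is kept

    def request(self, user, role, patient_id, category, when=None):
        """Grant access only if the role's permissions cover the category."""
        allowed = category in ROLE_PERMISSIONS.get(role, set())
        self.audit_log.append({
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "user": user, "role": role, "patient": patient_id,
            "category": category, "result": "ALLOW" if allowed else "DENY",
        })
        return allowed

    def flag_denied_users(self, threshold=3):
        """Periodic audit: users with at least `threshold` denied attempts."""
        denied = Counter(e["user"] for e in self.audit_log if e["result"] == "DENY")
        return {u: n for u, n in denied.items() if n >= threshold}

    def flag_broad_access(self, max_patients=2):
        """Periodic audit: users who reached more distinct patients than expected."""
        patients = {}
        for e in self.audit_log:
            if e["result"] == "ALLOW":
                patients.setdefault(e["user"], set()).add(e["patient"])
        return {u: len(p) for u, p in patients.items() if len(p) > max_patients}


def sample_run():
    """Constructed requests: one legitimate user, one probing outside their role."""
    ac = EphiAccessControl()
    ac.request("dr_lee", "physician", "P001", "lab_results")
    ac.request("dr_lee", "physician", "P001", "clinical_notes")
    for pid in ("P001", "P002", "P003", "P004"):
        ac.request("desk_01", "front_desk", pid, "demographics")
    for pid in ("P001", "P002", "P003"):
        ac.request("desk_01", "front_desk", pid, "clinical_notes")
    return ac
```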
4. Turn employees into your first line of defense
Your ePHI protection policies and procedures are only as effective as the training programs you provide for staff on what they mean for them. Make sure that the syllabus covers the Breach Notification Rule, with a focus on when to report a breach and who to notify, as well as the consequences of HIPAA violations, such as failing to report a security incident, including internal disciplinary actions and civil penalties. Here are some ideas from the US Department of Homeland Security on how to empower employees and build a culture of vigilance within your organization.
Looking for a HIPAA-compliant, encrypted cloud storage and file sharing solution for managing medical records? See what Tresorit can do for you.