Electronic Protected Health Information (ePHI)


Definition

Electronic Protected Health Information (ePHI) refers to any protected health information (PHI) that is created, stored, transmitted, or received in any electronic format or media.

PHI is individually identifiable health information: any information about an individual's past, present or future physical or mental health, the health care provided to that individual, or payment for that care, that identifies the individual or could reasonably be used to do so. It covers the clinical and financial content itself together with the identifiers attached to it, such as name, address, birth date and Social Security number.

Examples of ePHI

ePHI can include, but is not limited to:

  1. Patient names, addresses, birth dates, and Social Security numbers

  2. Medical record numbers

  3. Health plan beneficiary numbers

  4. Account numbers

  5. Digital images of patients (X-rays, MRIs, etc.)

  6. Lab results

  7. Medication information

  8. Diagnosis information

  9. Treatment information

  10. Appointment schedules

  11. Billing information and records

  12. Email exchanges between doctors and patients that contain health information

Where ePHI is Commonly Found in HIPAA-Compliant Businesses

ePHI is subject to the HIPAA Security Rule wherever it resides, and in practice it turns up well beyond the EHR: in practice management and billing databases, email, file shares, backups, and on the mobile devices of clinical staff. An inventory of these locations is the starting point for the risk analysis the Security Rule requires. Common places include:

  1. Electronic Health Record (EHR) systems

  2. Practice Management Systems

  3. Billing systems

  4. Email servers and individual email accounts

  5. Mobile devices (smartphones, tablets) used for work purposes

  6. Laptops and desktop computers

  7. Network servers and shared drives

  8. Cloud storage services

  9. Backup systems and disaster recovery sites

  10. Medical devices that store patient data

  11. Wearable devices that collect health data

  12. Telemedicine platforms

  13. Patient portals

  14. Health Information Exchanges (HIEs)

  15. Databases used for research purposes

Steps to Take if ePHI is Found to be Out of Compliance with HIPAA

If ePHI is found to be out of compliance with HIPAA, the following steps should be taken:

Immediate Containment:

  • Immediately secure the ePHI to prevent further unauthorized access or disclosure, without destroying the evidence you will need later to establish who accessed it.

  • Example: If ePHI is found on an unsecured server, immediately restrict access to that server, and preserve its access logs and a forensic copy before rebuilding or wiping it.

Incident Documentation:

  • Document the nature of the non-compliance, including what information was involved, where it was found, and how it was discovered.

  • Example: Create a detailed incident report noting that patient billing information was found on an unencrypted laptop, discovered during a routine IT audit.

Risk Assessment:

  • Conduct a risk assessment to determine whether the incident is a reportable breach and what its potential impact is. Under the Breach Notification Rule an impermissible use or disclosure of unsecured PHI is presumed to be a breach unless the assessment shows a low probability that the PHI was compromised, considering at least: the nature and extent of the PHI involved; the unauthorized person who used it or to whom it was disclosed; whether the PHI was actually acquired or viewed; and the extent to which the risk has been mitigated.

  • Example: Assess how many patient records were potentially exposed, for how long, what specific types of information were involved, and whether the data was encrypted. A lost laptop whose disk was encrypted in line with HHS guidance holds secured PHI, so its loss is not a reportable breach, provided the decryption key was not lost with it.

Notification:

  • If the incident constitutes a breach of unsecured PHI, notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Notify the Department of Health and Human Services (HHS) at the same time if 500 or more individuals are affected (smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year), and notify prominent media outlets if more than 500 residents of a state or jurisdiction are affected.

  • Example: Send breach notification letters to all affected patients within 60 days of discovery, explaining what happened, what information was involved, and what they can do to protect themselves.

Corrective Action:

  • Implement corrective measures to address the root cause of the non-compliance.

  • Example: If ePHI was found on unencrypted devices, implement a policy requiring full-disk encryption, with recovery keys escrowed centrally, on all devices that may contain ePHI, and provide the necessary tools and training.

Policy and Procedure Update:

  • Review and update relevant policies and procedures to prevent similar incidents in the future.

  • Example: Update the organization's BYOD policy to include stricter controls on personal devices used to access ePHI.

Training:

  • Conduct additional training for staff on HIPAA requirements and the proper handling of ePHI.

  • Example: Organize mandatory refresher training sessions on HIPAA compliance and data security best practices for all employees.

Ongoing Monitoring:

  • Implement or enhance monitoring processes to detect similar issues in the future, both at the point of use and by periodically scanning storage for ePHI that has escaped sanctioned systems.

  • Example: Deploy data loss prevention rules that alert when content matching ePHI patterns is written to removable or unencrypted storage, and schedule scans of file shares and cloud storage for ePHI outside the EHR and billing systems.

Documentation:

  • Maintain thorough documentation of all steps taken in response to the non-compliance.

  • Example: Keep a detailed log of all actions taken, from initial discovery through resolution, including dates, responsible parties, and outcomes.

Business Associate Notification:

  • If the non-compliance involves or affects any business associates, notify them as required by your Business Associate Agreement. Notification also runs the other way: a business associate that discovers a breach must report it to the covered entity without unreasonable delay and no later than 60 days after discovery.

  • Example: If the non-compliant ePHI was shared with a billing service, notify them of the issue and any actions they need to take, and confirm whether any copies they hold are affected.

Remember, the specific steps and their order may vary depending on the nature and severity of the non-compliance. Always consult with legal counsel and privacy officers when dealing with HIPAA compliance issues.
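The discovery, risk-assessment and monitoring steps above all depend on being able to recognise ePHI in unstructured files. The following scanner is an added illustration, not code from the original page: it looks for direct identifiers (SSN, medical record number, date of birth) in a constructed set of files, applies the structural rules the Social Security Administration uses so that test fixtures do not trigger it, and only flags a file as ePHI when an identifier co-occurs with health, care or payment context, since an SSN in a payroll file is PII but not PHI. The MRN format (the letters MRN followed by eight digits), the health-context term list and the sample files are assumptions made for this example.

```python
"""ePHI discovery scan over a set of text documents (illustrative, added example)."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Direct identifiers. SSN candidates are checked for structural validity below.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Assumed MRN format for this example: "MRN" plus eight digits. Real formats vary by organisation.
MRN_RE = re.compile(r"\bMRN[- ]?(\d{8})\b")
DOB_RE = re.compile(r"\b(?:DOB|Date of Birth)[:\s]+(\d{1,2}/\d{1,2}/\d{4})\b", re.IGNORECASE)

# Health-context terms (assumed list). An identifier alone is PII; it becomes PHI
# only when linked to health status, provision of care, or payment for care.
HEALTH_TERMS = re.compile(
    r"\b(diagnos\w*|prescri\w*|medication|treatment|lab result\w*|ICD-10|CPT|"
    r"claim|copay|appointment|radiology|pathology)\b",
    re.IGNORECASE,
)


def ssn_is_plausible(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues: area 000, 666 or 900-999, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


@dataclass
class Finding:
    path: str
    identifiers: Counter = field(default_factory=Counter)  # identifier kind -> occurrences
    subjects: set = field(default_factory=set)             # distinct SSN / MRN values seen
    health_context: bool = False

    @property
    def is_ephi(self) -> bool:
        """PHI requires an individual identifier linked to health information."""
        return bool(self.subjects) and self.health_context


def scan_document(path: str, text: str) -> Finding:
    f = Finding(path=path)
    for m in SSN_RE.finditer(text):
        if ssn_is_plausible(*m.groups()):
            f.identifiers["ssn"] += 1
            f.subjects.add("ssn:" + m.group(0))
    for m in MRN_RE.finditer(text):
        f.identifiers["mrn"] += 1
        f.subjects.add("mrn:" + m.group(1))
    f.identifiers["dob"] += len(DOB_RE.findall(text))
    f.health_context = HEALTH_TERMS.search(text) is not None
    return f


def scan_share(files: dict) -> list:
    """files maps a path to its text content; in production this would walk a share."""
    return [scan_document(p, t) for p, t in files.items()]


def exposure_summary(findings: list) -> dict:
    """Inputs to the risk assessment: which files hold ePHI and how many subjects are exposed.
    distinct_subjects counts identifier values, so a patient appearing under both SSN and MRN
    counts twice; treat it as an upper bound and reconcile against the patient index."""
    ephi = [f for f in findings if f.is_ephi]
    subjects = set().union(*(f.subjects for f in ephi)) if ephi else set()
    return {"files_with_ephi": [f.path for f in ephi], "distinct_subjects": len(subjects)}


# Constructed sample files; none of these identifiers belongs to a real person.
SAMPLE_FILES = {
    "shares/billing/claims_2024.txt": (
        "Patient: Jane Doe SSN 123-45-6789 DOB: 04/12/1971\n"
        "MRN-00012345 claim for CPT 99213, copay $20\n"
    ),
    "shares/hr/payroll.txt": "Employee SSN 543-21-6789, salary band 4\n",        # PII, not PHI
    "shares/test/fixtures.txt": "Test SSN 000-12-3456 diagnosis: synthetic\n",   # invalid SSN
    "shares/clinic/note.txt": "MRN 00098765 diagnosis: hypertension; medication lisinopril\n",
}

if __name__ == "__main__":
    results = scan_share(SAMPLE_FILES)
    for r in results:
        print(f"{r.path}: ephi={r.is_ephi} identifiers={dict(r.identifiers)}")
    print(exposure_summary(results))
```

Run against the sample set, the billing claim and the clinic note are flagged as ePHI, the payroll file is not (a valid SSN with no health context), and the test fixture is not (health context but an SSN with area 000). The same co-occurrence rule is what keeps a DLP alert from firing on every spreadsheet that happens to contain a nine-digit number.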
