# What is ePHI?

**In HIPAA, ePHI stands for electronic Protected Health Information — data related to an individual’s health condition, treatment for the condition, or payment for the treatment which is created, received, stored, or transmitted electronically. To fully understand this definition of electronic Protected Health Information (ePHI), it is also necessary to understand what HIPAA is, who it applies to, and what is considered Protected Health Information.**

The Health Insurance Portability and Accountability Act ([HIPAA](https://www.govinfo.gov/content/pkg/PLAW-104publ191/pdf/PLAW-104publ191.pdf)) was passed in 1996 to reform the health insurance industry. Concerned that the cost of the reforms would be passed on to employers and plan members — and that this would affect tax revenues — Congress added a second title to HIPAA with the objective of neutralizing the costs by combating fraud and abuse in the healthcare industry, and by simplifying the administration of healthcare transactions.

In the context of answering the question "what is ePHI?", the relevant section of HIPAA Title II is Subtitle F (Administrative Simplification). This Subtitle instructs the Secretary of Health and Human Services (HHS) to adopt standards for electronic transactions between health plans and healthcare providers, and for the security of information exchanged in these transactions. The Secretary was also instructed to make "recommendations with respect to [the] privacy of certain health information".

The instructions led to the development of the [HIPAA Administrative Simplification Regulations](https://www.hipaajournal.com/hipaa-administrative-simplification-regulations/). The Administrative Simplification Regulations define who HIPAA applies to, what is considered Protected Health Information, and what is ePHI — ePHI being defined as individually identifiable health information transmitted by electronic media or maintained in electronic media. However, there is evidence to suggest that many people do not fully understand these definitions.

## Who Does HIPAA Apply To?

Two agencies are responsible for enforcing the Administrative Simplification Regulations. The HHS Centers for Medicare and Medicaid Services (CMS) enforces the standards for electronic transactions, and the HHS Office for Civil Rights (OCR) enforces the Privacy, Security, and Breach Notification Rules. OCR maintains an [Enforcement Highlights](https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html) webpage with a running total of the number of privacy complaints received and how they have been resolved.

As of May 31, 2024, OCR had received 361,498 privacy complaints and had rejected 248,482 of them (almost 69%) because the "complaint did not present an eligible case for enforcement". The most common reason for complaints being rejected is that the organization being complained about is not covered by HIPAA. OCR does not release information about who the "non-covered" organizations being complained about are, but they are likely to include:

* Healthcare providers who do not qualify as HIPAA covered entities because they do not conduct transactions for which HHS has adopted standards.
* Healthcare providers who do conduct transactions for which HHS has adopted standards, but who do not conduct them electronically.
* Pharmacies that exclusively sell or dispense drugs, devices, and/or medical equipment for which no prescription is required.
* Insurance companies that provide health benefits secondary to a primary benefit (e.g., auto insurance with MedPay benefits).

This is relevant to an explanation of what is ePHI because, if an organization is not covered by HIPAA, any individually identifiable health information in its possession is not Protected Health Information under HIPAA — regardless of whether it relates to an individual’s health condition, treatment for the condition, or payment for the treatment. Thereafter, to better understand what ePHI stands for, it is necessary to understand what Protected Health Information is — and what it is not.

## What is Protected Health Information?

[Protected Health Information](https://www.hipaajournal.com/what-is-considered-protected-health-information-under-hipaa/) is data relating to an individual’s health, treatment, or payment in any format or medium (i.e., verbal, paper, or electronic). Any information that could identify the individual assumes the same protected status when it is maintained in the same designated record set as Protected Health Information. If identifying information is not maintained in a designated record set, it is not protected by HIPAA (although state privacy laws may apply).

To explain the distinction between when identifying information is protected by HIPAA and when it is not, it helps to know that a designated record set can be a single item of health, treatment, or payment information. Therefore, if an image of a broken bone is maintained in a file, the file is a designated record set. If the patient’s name, address, and telephone number are added to the file, the name, address, and telephone number are protected. However, if the patient’s name, address, and telephone number are maintained in a separate file (e.g., for authorized marketing purposes), the information does not have protected status under HIPAA because the file does not contain any health, treatment, or payment information.

It is important to be aware of this distinction because, under the [patients’ rights provisions](https://www.hipaajournal.com/hipaa-rights/) of HIPAA, patients only have the right to request access to information maintained in a designated record set. It is also important to be aware of this distinction to avoid any confusion between what is considered ePHI under HIPAA and the so-called 18 HIPAA identifiers that have to be removed from a designated record set under the safe harbor method of de-identification ([§164.514(b)](https://www.ecfr.gov/current/title-45/part-164/section-164.514#p-164.514(b)(2))). HIPAA covered entities and healthcare providers who still use the 18 HIPAA identifiers as a guide on how to de-identify Protected Health Information should seek professional compliance advice.

## What is ePHI vs PHI?

ePHI is the subset of PHI that is created, received, stored, or transmitted electronically by a HIPAA covered entity or business associate — unless an exemption applies. For example, transmissions of PHI by paper-to-paper fax or via a PSTN telephone service are exempted from the definition of ePHI if the information being transmitted did not exist in electronic form immediately before the transmission.

Because ePHI is a subset of PHI, ePHI is subject to the HIPAA Privacy Rule with regard to when it can be used and disclosed, when the [minimum necessary standard](https://www.hipaajournal.com/ahima-hipaa-minimum-necessary-standard-3481/) applies, and when a Business Associate Agreement is required before ePHI can be disclosed to (or via) a third-party service provider. The HIPAA Privacy Rule also governs when consent, attestation, or authorization is required, and when an individual can request privacy protections.

The difference between PHI and ePHI is that the confidentiality, integrity, and availability of ePHI are also subject to the standards and implementation specifications of the HIPAA Security Rule. HIPAA covered entities and business associates that create, receive, maintain, or transmit ePHI must implement measures to comply with the applicable Administrative, Physical, and Technical safeguards, and provide [security awareness training](https://www.hipaajournal.com/hipaa-training-requirements/) to all members of the workforce.

With regard to mobile health apps, determining whether data captured by an app is ePHI is case specific. If, for example, a healthcare provider contracts an app developer for patient management services, and information is transmitted by the app to a provider-maintained EHR, the data is considered ePHI under HIPAA. However, non-contracted app developers do not qualify as business associates, and the information created, stored, or transmitted by their apps is not considered ePHI under HIPAA.

## What is ePHI? Take the Test

The following are a selection of frequently asked quiz questions relating to ePHI. Where necessary, we have provided references or explanations that complement the information provided above. If you are uncertain about any of the information provided above or below, it is recommended that you seek independent [HIPAA compliance advice](https://www.hipaajournal.com/hipaa-compliance-checklist/).

### Which of the two rules within Title II of HIPAA applies to ePHI?

There are no rules within Title II of HIPAA that apply to ePHI. Title II of HIPAA instructed the Secretary of Health and Human Services to adopt standards for electronic transactions between health plans and healthcare providers, and for the security of information exchanged in these transactions. The instructions led to the development of the HIPAA Administrative Simplification Regulations, which include the [HIPAA Privacy Rule](https://www.hipaajournal.com/hipaa-privacy-rule/), the [HIPAA Security Rule](https://www.hipaajournal.com/hipaa-security-rule/), and the [HIPAA Breach Notification Rule](https://www.hipaajournal.com/hipaa-breach-notification-requirements/). All three rules apply to ePHI:

* The HIPAA Privacy Rule governs uses and disclosures of all PHI (including ePHI).
* The HIPAA Security Rule stipulates safeguards to protect ePHI from unauthorized access.
* The HIPAA Breach Notification Rule applies when unsecured ePHI is compromised or breached.

### Which standard is for safeguarding PHI specifically in electronic form (ePHI)?

There is no single standard that safeguards PHI specifically in electronic form (ePHI). Covered entities and business associates are required to implement all applicable Security Rule standards to protect against reasonably anticipated threats to ePHI and impermissible disclosures of ePHI — applying, where necessary, a [flexibility of approach](https://www.ecfr.gov/current/title-45/part-164#p-164.306(b)).

### Is it OK to text patients their ePHI so long as you are using a company-purchased mobile device?

It is OK to text patients their ePHI so long as the company mobile device uses a secure, [HIPAA compliant messaging app](https://www.hipaajournal.com/hipaa-compliant-messaging-app/) to text patients, a Business Associate Agreement is in place with the app vendor, and patients have given their consent to be contacted by text message. In some cases, a patient can request or authorize unsecured text messages, or consent can be assumed if a patient initiates contact by text. However, in such cases, it is best practice to advise the patient of the risks and suggest a secure alternative. If the patient still wants to receive text messages containing ePHI via an unsecured channel of communication, document the warning and the patient’s request to receive text messages.

### Which of the following is not electronic PHI?

* A list of patients and their health conditions maintained on a PC by a physical therapist that does not qualify as a HIPAA covered entity.
* An online database of customer names and disabilities maintained by a pharmacy that exclusively sells off-prescription devices and equipment.
* An electronic record maintained by State Farm of plan members who have claimed the cost of ER visits and inpatient treatments following an auto accident.
* Details of an individual’s name, email address, and heart rate maintained by Fitbit or Garmin on a cloud server.
* A medical center’s online spreadsheet containing a list of patient names and ZIP codes that will be used to plan a marketing campaign.
* A paper record of a covered entity dentist’s appointment schedule that lists patients’ names, appointment times, and telephone numbers.
* None of the above is electronic PHI. This is the correct answer because the first four entities are not covered by HIPAA (in the Fitbit or Garmin case, absent a business associate arrangement with a covered entity), the spreadsheet does not contain ePHI, and the paper record is not electronic.

### How does the HIPAA Security Rule view sharing of ePHI with patients?

The HIPAA Security Rule does not determine how ePHI is shared with patients. All required and permissible uses and disclosures of ePHI are governed by the HIPAA Privacy Rule.

### Which of these is a security risk for electronic Protected Health Information (ePHI)?

* Failing to conduct a risk assessment
* Failing to provide adequate security awareness training
* Not terminating access for workforce members when they leave
* Failing to patch software vulnerabilities and apply software updates
* Allowing workforce members to use weak passwords and/or share passwords
* Failing to control physical access to servers and/or devices on which ePHI is stored
* Not configuring devices with automatic logoff times, which help to protect ePHI by terminating user sessions after a period of inactivity
* Failing to encrypt ePHI at rest or in transit (if not implementing an equally effective alternative)
* All of the above (this is the correct answer)

### What would be a physical safeguard that might be implemented to help protect ePHI?

A physical safeguard that might be implemented to help protect ePHI is ensuring procedures are in place to completely remove ePHI from any devices and media before they are disposed of or re-used. The National Institute of Standards and Technology (NIST) has produced Guidelines for Media Sanitization to help organizations implement this safeguard ([NIST SP 800-88 r1](https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-88r1.pdf)).

### Which rule, applicable to what is ePHI, was released in 2013?

The 2013 rule applicable to what is ePHI was the HIPAA Omnibus Rule. Among a number of changes to the Privacy Rule, the HIPAA Omnibus Rule made business associates directly liable for HIPAA compliance and for breaches of ePHI attributable to non-compliance. It also gave patients more rights over how their information was used and disclosed, and increased their rights of access to ePHI.

The post [What is ePHI?](https://www.hipaajournal.com/ephi/) appeared first on [The HIPAA Journal](https://www.hipaajournal.com).
