" covered entity Archives - LuxSci

Posts Tagged ‘covered entity’

What exactly is ePHI? Who has to worry about it? Where can it be safely located?

Wednesday, January 15th, 2025

There is often a great deal of confusion and misinformation about what constitutes ePHI (electronic protected health information) and how to protect it under HIPAA requirements. Even once you understand ePHI and how it applies to you, the next question becomes, where is ePHI permitted? What is secure and what is not?

In this post, we will answer the “what is ePHI” question in general and the “where can I put it” question regarding HIPAA compliant email, email hosting, and secure form processing with LuxSci.

What constitutes electronic Protected Health Information?

ePHI is individually identifiable protected health information that is sent or stored electronically. Protected health information refers specifically to three classes of data:

  1. An individual’s past, present, or future physical or mental health or condition
  2. The past, present, or future provisioning of health care to an individual
  3. The past, present, or future payment-related information for the provisioning of health care to an individual

“Individually identifiable” means information that can be somehow linked to a specific individual (even if the link is very indirect). HIPAA’s Safe Harbor de-identification standard lists 18 types of identifiers (below). Any one of these identifiers, combined with health information (e.g., an appointment with a particular doctor), constitutes ePHI.

  • Name
  • Address (all geographic subdivisions smaller than a state, including street address, city, county, zip code)
  • All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death, and any age over 89)
  • Telephone number
  • Fax number
  • Email address
  • Social Security number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate/license number
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers or serial numbers
  • Web URL
  • Internet Protocol (IP) address numbers
  • Biometric identifiers, including finger and voice prints
  • Full-face photographic images and any comparable images
  • Any other unique identifying number, characteristic, or code

An email message sent to an individual that says “your appointment with Dr. Shaw will be at 4pm on Friday” will be ePHI because the appointment with Dr. Shaw is “protected health information,” and the email address itself makes it identifiable. The fact that it is email makes it “electronic” (as opposed to a letter mailed the old-fashioned way).

ePHI Examples

The definition of ePHI seems very straightforward, but confusion arises when you start examining particular cases. Here are some examples:

I’m sending an email to someone whose email address is clearly not identifiable, e.g., “kjhw45376@gmail.com”…. therefore the message is not ePHI, right?

Email addresses are on the list of identifiers regardless of how anonymous they look. Beyond that, the provider (Gmail, in this case) can map the address back to the account holder and thus identify the individual.

If it’s possible for anyone to identify the individual somehow, though some database or technique or association (even if you could never do it yourself … someone could), then the information is identifiable.

I am sending a newsletter with health care tips to a list of people that does not seem to be ePHI, right?

Here is a good example of a HIPAA marketing case where the answer is “it depends.” Is the information in the newsletter about the person’s past/present/future medical care or billing? Maybe: a letter of tips on how best to recover from knee surgery, for example. If you are a doctor’s office that performs surgeries and you send out this letter, that could be construed as ePHI. If, however, you are a general information web site where people can receive information about many different topics and you have no connection to the subscriber’s particular medical care, then this is not ePHI.

Who needs to worry about ePHI?

This has been a moving target over the years. It is especially important to know if you intend to do HIPAA compliant email marketing.

Currently, you must protect all ePHI that you create, receive, maintain, or transmit (for example, anything a patient gives you) under the HIPAA Security Rule if:

  1. You are a HIPAA Covered Entity: a health care provider that transmits health information electronically in connection with a HIPAA standard transaction, a health plan, or a health care clearinghouse. The regulatory definitions (45 CFR 160.103) are:
    1. Health care (the activity a provider performs): services or supplies related to an individual’s physical or mental health care. This includes (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure concerning the physical or mental condition or functional status of an individual that affects the structure or function of the body; and (2) sale or dispensing of a drug, device, equipment, or another item following a prescription.
    2. Provider: A provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other person or organization who furnishes, bills, or is paid for health care in the ordinary course of business.
    3. Clearinghouse: A public or private entity, including a billing service, repricing company, community health management information system or community health information system, and “value added” networks and switches that either process or facilitate the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction, or receive a standard transaction from another entity and process or facilitate the processing of health information into a nonstandard format or nonstandard data content for the receiving entity.
    4. Plan: With certain exceptions, an individual or group plan that provides or pays the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)). The law specifically includes many organizations and government programs as health plans.
  2. You are the Business Associate of a HIPAA Covered Entity, e.g., you perform services for such an entity and may come into contact with ePHI as part of your business with them.
  3. You are a Business Associate of a Business Associate (a subcontractor). If you do business with any company that is itself a HIPAA Business Associate and, as a result, may come into contact with ePHI, then you are also a Business Associate and must protect that ePHI.

The HIPAA Omnibus Rule (2013) made this chain of custody transitive: every business that may come into contact with ePHI is responsible for that information’s privacy and security. This includes many companies that previously had no idea they had to be HIPAA compliant, and it effectively excludes them from doing business with the medical community until they are.

Who does not have to protect ePHI?

Anyone who is not a “Covered Entity” or “Business Associate” per HIPAA does not have to worry about ePHI … at least in terms of violating HIPAA. Everyone should be sensitive about protecting this information, anyway.

The patient is the most notable example of someone who does not have to abide by HIPAA and protect ePHI. The patient (in most cases) is an individual and does not fall under the umbrella of HIPAA. The patient can send whatever sensitive, private, identifiable, protected health information (about themselves) to anyone (their doctor included) without encryption, security, or any other trappings to ensure privacy. While that is not a good idea, no one will be “in trouble with HIPAA” for that action.

So, what if your patient sent you an insecure email from @gmail.com with their complete medical history?

  1. You did not violate HIPAA by receiving it.
  2. They did not violate HIPAA by sending it.
  3. As this is ePHI and HIPAA covers you, you are now responsible for protecting this information with all the security and privacy due per HIPAA.

This means that from the moment the patient’s email hits your account, you must take reasonable measures to safeguard it. This could mean:

  1. If it arrived in a non-compliant account of yours, move it into your compliant system (or delete it) and record the event in your incident log. Whether it is a reportable breach depends on whether the ePHI was exposed to an unauthorized party (for example, through a compromised or shared account); make that determination through your breach risk assessment rather than assuming either way.
  2. Ensure that patients only know your HIPAA-compliant email address, so that any messages they send you are protected as soon as they arrive.
  3. Provide patients with an easy online mechanism to send you secure, HIPAA-compliant messages, so that they are less likely to use their own insecure email systems.

Where can I put ePHI when sending an email?

When sending an email, you automatically include “identifiable” information: the recipient’s email address. Where can you put the “protected health information” so that the to-be-encrypted email is adequately secured and compliant? There are generally (and specifically with LuxSci and most email providers) only two places:

  1. The message body
  2. Any attachments

The email headers, including the Subject line, are not covered by message encryption: S/MIME and PGP encrypt only the body and attachments, and TLS protects headers only hop by hop while the message is in transit. Every mail server that handles the message can see the Subject and may log it, and many of those logs are not HIPAA compliant. Protected health information should therefore never appear in the subject of an email message; always put it in the body.*

*LuxSci has a feature in its secure email that hides the email subject until the recipient comes to the LuxSci portal and opens the message. Until then, the subject they see is just something like “You have received a secure message.” This feature allows medical information to be in the subject while protecting you from the risk of that information being breached because the subject was delivered insecurely.
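As an added example (not LuxSci’s code, and not a description of how LuxSci’s hidden-subject feature is implemented), the following Python script applies the two rules above to an outbound message: it scans the Subject for the machine-detectable identifiers from the list earlier in this post (dates, phone numbers, SSNs, email addresses, URLs, IP addresses, record and account numbers) and, when one is found, moves the subject into the body, which is the part that message encryption covers, and replaces the header with a neutral placeholder. The regex patterns, the placeholder text, the `hide_all` option, and the sample addresses are assumptions for illustration. Names, biometrics, and other free-text identifiers cannot be caught by a regex, which is why the script also supports hiding every subject, the safer default for clinical mail.

```python
"""
Outbound-mail check: keep PHI-bearing identifiers out of the Subject header.

Added example, not LuxSci code. Message encryption (S/MIME, PGP, portal
pickup) covers the body and attachments only, so anything in the Subject
travels in cleartext. This script flags subjects carrying machine-detectable
identifiers from the Safe Harbor list and moves such subjects into the body,
replacing the header with a neutral placeholder.
"""
from __future__ import annotations

import re
from email.message import EmailMessage

# Placeholder text is an assumption for this example.
PLACEHOLDER_SUBJECT = "You have received a secure message"

# Identifier classes from the Safe Harbor list that a regex can catch.
# Names, biometrics, photos and "any other characteristic" cannot be
# detected this way, which is why protect_subject() also offers hide_all.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "phone": re.compile(
        r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)"),
    "date": re.compile(
        r"\b(?:\d{1,2}[/-]\d{1,2}[/-]\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "ip": re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)"),
    # "MRN 0012345", "claim 9876A", "account #: 44-2201"; a digit is
    # required so plain phrases like "your account number" do not trigger it.
    "record_number": re.compile(
        r"\b(?:MRN|acct|account|member|policy|claim)\s*(?:#|no\.?|number)?"
        r"\s*:?\s*(?=[A-Za-z-]*\d)[A-Za-z0-9-]{4,}\b",
        re.IGNORECASE),
}


def find_identifiers(text: str) -> list[str]:
    """Names of the identifier classes present in text (empty if clean)."""
    return [name for name, pattern in IDENTIFIER_PATTERNS.items()
            if pattern.search(text)]


def protect_subject(msg: EmailMessage, hide_all: bool = False) -> EmailMessage:
    """Make msg's Subject safe to travel in cleartext; edits msg in place.

    If the subject carries an identifier (or hide_all is set), the original
    subject is moved to the top of the text body, where message encryption
    will cover it, and the header is replaced with PLACEHOLDER_SUBJECT.
    A message whose subject is already clean is returned untouched.
    """
    original = str(msg.get("Subject", ""))
    if not hide_all and not find_identifiers(original):
        return msg
    body = msg.get_body(preferencelist=("plain",))
    if body is None:
        raise ValueError("no text/plain part to carry the subject")
    body.set_content(f"Subject: {original}\n\n{body.get_content()}")
    del msg["Subject"]
    msg["Subject"] = PLACEHOLDER_SUBJECT
    return msg


def build_message(subject: str, body: str) -> EmailMessage:
    """Constructed sample message; the addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "frontdesk@clinic.example"
    msg["To"] = "kjhw45376@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    leaky = build_message("MRI results for MRN 0012345, appt 01/15/2025",
                          "Hello, your results are attached.")
    print(find_identifiers(leaky["Subject"]))  # ['date', 'record_number']
    protect_subject(leaky)
    print(leaky["Subject"])                    # You have received a secure message
    print(leaky.get_content())
```

Run this check inside the compliant mail system before the message is encrypted and handed to the transport; once the message has left, the Subject has already been exposed to every server on the path. Because the script edits the message in place, the body that gets encrypted is the one carrying the original subject line.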

Where else can I put ePHI with LuxSci?

HIPAA-compliant LuxSci customers can also store ePHI:

  1. In any App (e.g., calendar, address book, task list, blog, file storage, password storage, etc.)
  2. In any hosted Database.
  3. In Widgets (except custom ones that send data to 3rd parties).
  4. In files on dedicated web/file servers.*
  5. In secure video sessions.
  6. In secure text messages.

* On dedicated servers, the files do not have to be encrypted on disk, but they must not be publicly accessible over the web, access to them should be restricted to authorized users and logged, and any website that serves them should be designed with HIPAA compliance in mind.

Still have some questions? Contact us today.

Covered Entities and HIPAA Law

Tuesday, November 24th, 2020

HIPAA is important legislation that sets out how the organizations and individuals it regulates (which it refers to as covered entities) must protect the protected health information (PHI) they hold. While HIPAA is actually much broader and includes rules for things like insurance claims and payments, our focus is on its provisions for safeguarding PHI.


The Two Key Parties: Covered Entities and Business Associates

If HIPAA law is designed to protect patient information, then it’s important to understand which parties must abide by it. Those that don’t meet the legal definitions of covered entities or business associates don’t have to comply with the HIPAA Rules.

Covered Entities

The legislation uses the term covered entities for the specific kinds of individuals and organizations it regulates; it is not a catch-all for everyone who collects, stores, transmits, or processes PHI.

Covered entities fall into three categories:

  • Health care providers – These include hospitals, doctors, clinics, pharmacies, nursing homes, psychologists and similar types of providers.
  • Health plans – Health insurance companies, company health plans, HMOs and Government-paid health care plans such as Medicare are all considered health plans.
  • Health care clearinghouses – These are entities that either process or facilitate the processing of health information that they receive from other entities. Health care clearinghouses can be public or private, and can include things like billing services and repricing companies.

Individuals or entities that meet the definition of covered entities are required to follow the HIPAA legislation’s stipulations. These include rules for protecting the security and privacy of health information, while also providing individuals with certain rights regarding this information.

Covered entities can’t do everything by themselves, and they frequently engage in the services of others to conduct their work. After all, if you ran a covered entity such as a hospital and you needed to send secure email to patients, would you set up your own infrastructure for it?

No, of course not. You would find a provider to do it for you. But how do you make sure the email provider also protects the data in line with your organization’s HIPAA responsibilities?

Business Associates

Thankfully, the legislators did make provisions for this. The providers that work alongside covered entities are referred to as business associates. The HIPAA laws set out how these two entities can share PHI to make sure that it is safeguarded.

Business associates can include a wide range of individuals and organizations, including web hosts, billing companies, consultants, legal firms, accountants, and many more. Any organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity is a business associate, and it must handle that PHI according to the rules the HIPAA laws lay out.

But what ensures that the business associate will protect the data appropriately?

The Business Associate Agreement

The relationship between covered entities and business associates is brought together by the business associate agreement. This is a contract that sets out how each party will protect the PHI, what each side’s obligations are, and where the responsibilities lie. These agreements help to protect both covered entities and the data of individuals, because the legal weight behind them motivates business associates to take their responsibilities seriously.

Violation Costs for Covered Entities and Business Associates

HIPAA laws can’t be looked at as just some dull, bureaucratic box-checking. The penalties are too high for such an unconcerned approach. Both covered entities and business associates need to be aware that they face civil penalties of between $100 and $50,000 per violation, depending on the level of culpability (these base amounts are adjusted for inflation each year).

Considering the number of individual records most companies process, this can very quickly add up to the $1.5 million yearly maximum for violations of an identical provision.

If you are a covered entity, you need trusted Business Associates

If your organization is a covered entity, it can be difficult to find a business associate that meets its needs for secure email, web hosting, and related services. Few providers have the right combination of protection measures, verified HIPAA compliance, functionality, and effectiveness that your business requires.

LuxSci’s services are specifically tailored to combine all of these traits. They are designed to be easy to use, efficient, secure, and to comply with the legislation. Our company’s focus at this juncture makes LuxSci the perfect provider for healthcare organizations and those that process ePHI. Call us if you want to learn more about how our solutions can work for your company.

HIPAA 2010: HITECH Impact on Email and Web Outsourcing

Wednesday, January 20th, 2010

Surprise!  HIPAA has changed, gotten bigger, and grown teeth.

The American Recovery and Reinvestment Act (ARRA, or The Obama Stimulus Bill), signed into law in February 2009, includes new, more comprehensive provisions for HIPAA. These provisions are in a section of the bill known as the Health Information Technology for Economic and Clinical Health Act (HITECH).

For organizations that are already required to abide by HIPAA (i.e. the “Covered Entities” of HIPAA), HITECH adds the following requirements:

Read the rest of this post »