
What exactly is ePHI? Who has to worry about it? Where can it be safely located?

There is often a great deal of confusion and misinformation about what, exactly, constitutes ePHI (electronic protected health information), which must be protected due to HIPAA requirements.  Even once you have a grasp of what ePHI is and how it applies to you, the next question becomes: where can I put ePHI and where can't I?  What is secure and what is not?

We will answer the “what is ePHI” question in general, and the “where can I put it” question in the context of web and email hosting, and SecureForm processing at LuxSci.

What constitutes ePHI?

ePHI is “individually identifiable” “protected health information” sent or stored electronically.  Protected health information refers specifically to three classes of data:

  1. An individual’s past, present, or future physical or mental health or condition
  2. The past, present, or future provisioning of health care to an individual
  3. The past, present, or future payment-related information for the provisioning of health care to an individual

“Individually identifiable” means information that can somehow be linked back to a specific individual (even if the link is very indirect).  There are 18 types of identifiers for an individual (listed below).  Any one of these, combined with some kind of “protected health information” (e.g. an appointment with a particular doctor), constitutes ePHI.

  • Name
  • Address (all geographic subdivisions smaller than state, including street address, city, county, zip code)
  • All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death and exact age if over 89)
  • Telephone number
  • Fax number
  • Email address
  • Social Security number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate/license number
  • Any vehicle or other device serial number
  • Device identifiers or serial numbers
  • Web URL
  • Internet Protocol (IP) address numbers
  • Finger or voice prints
  • Photographic images
  • Any other characteristic that could uniquely identify the individual

As you can see, it is pretty easy to have ePHI!

An email message sent to an individual that says “your appointment with Dr. Shaw will be at 4pm on Friday” will be ePHI because the appointment is “protected health information”, the email address itself makes it identifiable, and the fact that it is email makes it “electronic” (as opposed to a letter mailed the old fashioned way).

Where is the ambiguity?  Seems pretty straightforward!

The definition of ePHI does seem very straightforward, but when you start examining particular cases, confusion usually arises.  Here are some examples:

I’m sending an email to someone whose email address is clearly not identifiable, e.g. “”…. therefore the message is not ePHI, right?

The definition of ePHI states that all email addresses, no matter what, are identifiable. Beyond that, at least people at AOL (in this case) will be able to match back the address to the actual person and thus identify the individual.

If it is possible for anyone to identify the individual somehow, through some database, technique, or association (even if you could never do it yourself … someone could), then the information is identifiable.

I am sending a newsletter of health care tips to a list of people, that does not seem to be ePHI, right?

Here is a good example of a case where the answer is “it depends”.  Is the information in the newsletter about the person’s past/present/future medical care or billing?  Maybe, if this is a letter of tips on how to best recover from surgery, for example.  If you are a doctor’s office and perform surgeries and send out this letter, that could be construed as ePHI.  If, however, you are a general information web site where people can receive information about many different topics and you have no connection to the subscriber’s particular medical care, then this is not ePHI.

Who needs to worry about ePHI?

This has been a moving target over the years.  Currently, you have to protect all ePHI that you generate or come into contact with per the HIPAA Security Rule if:

  1. You are a HIPAA Covered Entity:
    1. Care: You provide services or supplies related to the physical or mental health care of an individual.  This includes:  (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual that affects the structure or function of the body; and (2) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.
    2. Provider:  A provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.
    3. Clearinghouse:  A public or private entity, including a billing service, repricing company, community health management information system or community health information system, and “value added” networks and switches that either process or facilitate the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction, or receive a standard transaction from another entity and process or facilitate the processing of health information into a nonstandard format or nonstandard data content for the receiving entity.
    4. Plan: With certain exceptions, an individual or group plan that provides or pays the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)). The law specifically includes many types of organizations and government programs as health plans.
  2. You are the Business Associate of a HIPAA Covered Entity, e.g. you perform services for such an entity and [may] come into contact with ePHI as part of your business with them.
  3. You are a Business Associate of a Business Associate.  If you do business with any company that is itself a HIPAA Business Associate, and as a result may come into contact with ePHI, then you yourself must also be a Business Associate and protect that PHI.

The HIPAA Omnibus Rule defines this transitive chain of possession such that all businesses that may come into contact with ePHI are made responsible for the privacy and security of that information.  This includes many companies that previously had no idea they had to be HIPAA compliant, and it technically excludes them from doing business with the medical community in any way until they are.

Who does not have to protect ePHI?

Anyone who is not a “Covered Entity” or “Business Associate” per HIPAA does not have to worry about ePHI … at least in terms of violating HIPAA.  Everyone should be sensitive about protecting this information, anyway.

The most notable example of someone who does not have to abide by HIPAA and protect ePHI is the patient.  The patient (in most cases) is an individual and does not fall under the umbrella of HIPAA.  The patient can send whatever sensitive, private, identifiable, protected health information (about him/herself) to anyone (their doctor included), without encryption, security, or any other trappings to ensure privacy. While this is not a good idea, no one will be “in trouble with HIPAA” for that action.

So, what if your patient does send you an insecure email with their complete medical history in it?

  1. You did not violate HIPAA by receiving it.
  2. They did not violate HIPAA by sending it.
  3. As this is ePHI and you are covered by HIPAA, you are now responsible for protecting this information going forward with all the security and privacy due per HIPAA.

This means that from the moment that patient’s email hits your account, you must take all reasonable measures to safeguard it.  This could mean:

  1. Immediately deleting it if it was sent to a non-compliant account of yours.  You might want to report to HHS that ePHI was present in your insecure account and why.  This is a reporting requirement and not necessarily a breach.
  2. Ensuring that patients only know your HIPAA-compliant email address … so any messages that they send to you are protected as soon as they arrive.
  3. Providing patients with an easy online mechanism to send you secure, HIPAA-compliant messages, so that they are less likely to use their own insecure email systems (e.g. LuxSci SecureSend).

Where can I put ePHI when sending an email?

When sending an email, you are automatically including “identifiable” information: the recipient’s email address.  Where can you put the “protected health information” so that the to-be-encrypted email is properly secured and compliant? There are generally (and specifically with LuxSci) only two places:

  1. The message body
  2. Any attachments

The content in the email message headers, including the Subject line, will not be encrypted (it is protected in transit only when TLS is used) and will be logged by various servers on the Internet … and many of those logs are not likely to be HIPAA compliant.  Protected health information should thus never be present in the subject of email messages; always put it in the body.
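As an added example (not code from the original post or from LuxSci), here is a Python pre-send check that applies the rule above: it parses an outbound message and reports which of the identifier patterns from the list earlier appear in the Subject header versus the body, so a header finding can be blocked before the message leaves. The regexes, the MRN format and the two sample messages are constructed assumptions for this illustration.

```python
import re
from email import message_from_string
from email.policy import default

# Coarse regexes for a few of the 18 identifiers listed above (constructed
# for this example; a real DLP rule set would be broader and tuned).
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{5,}\b", re.IGNORECASE),
}
# Headers that cross the Internet and land in server logs in clear text,
# even when the body and attachments are encrypted.
CLEARTEXT_HEADERS = ("Subject",)


def find_identifiers(text):
    """Names of identifier patterns that match anywhere in text."""
    return sorted(k for k, p in IDENTIFIER_PATTERNS.items() if p.search(text))


def audit_message(raw):
    """Map each cleartext header (and 'body') to the identifiers found in it."""
    msg = message_from_string(raw, policy=default)
    report = {h: find_identifiers(msg.get(h, "")) for h in CLEARTEXT_HEADERS}
    body = msg.get_body(preferencelist=("plain",))
    report["body"] = find_identifiers(body.get_content() if body else "")
    return report


def header_violations(raw):
    """True when any cleartext header carries an identifier: block or rewrite it."""
    return any(v for h, v in audit_message(raw).items() if h != "body")


# Constructed sample messages: same appointment, PHI placed differently.
SAMPLE_BAD = """\
To: patient@example.com
Subject: Appointment 05/12/2024 - MRN 4483921
Content-Type: text/plain

Your follow-up with Dr. Shaw is at 4pm on Friday.
"""

SAMPLE_OK = """\
To: patient@example.com
Subject: Message from your clinic
Content-Type: text/plain

Your follow-up with Dr. Shaw is at 4pm on Friday, 05/12/2024 (MRN 4483921).
"""
```

Running `audit_message` on both samples shows the first flagging the date and MRN in the Subject while the second carries the same details only in the body, which is the placement the post recommends.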

Where else can I put ePHI at LuxSci?

HIPAA-compliant LuxSci customers can also store ePHI:

  1. In any WebAide (e.g. calendar, address book, task list, blog, documents storage, password storage, etc.)
  2. In any hosted MySQL Database.
  3. In Widgets (except custom ones that send data to 3rd parties).
  4. In encrypted files on shared web/file servers.*
  5. In any file on dedicated web/file servers.**

* File names should not contain PHI; the keys or instructions needed to decrypt the files should not be stored in readable form alongside them; these files should not be publicly accessible over the web, and any web site should be designed with HIPAA compliance in mind.

** On dedicated servers, the files do not have to be encrypted on disk, but these files should not be publicly accessible over the web, and any web site should be designed with HIPAA compliance in mind.

See our HIPAA Account Restrictions Agreement for more details.
