What exactly is ePHI? Who has to worry about it? Where can it be safely located?

September 15th, 2017

There is often a great deal of confusion and misinformation about what constitutes ePHI (electronic protected health information) and how to protect it under HIPAA requirements. Even once you understand ePHI and how it applies to you, the next question becomes, where is ePHI permitted? What is secure and what is not?

We will answer the “what is ePHI” question in general and the “where can I put it” question regarding web and email hosting and Secure Form processing at LuxSci.

What constitutes electronic Protected Health Information?

ePHI is “individually identifiable” “protected health information” that is sent or stored electronically. Protected health information refers specifically to three classes of data:

  1. An individual’s past, present, or future physical or mental health or condition
  2. The past, present, or future provisioning of health care to an individual
  3. The past, present, or future payment-related information for the provisioning of health care to an individual

Individually identifiable” means information that can be somehow linked to a specific individual (even if this is very indirect). There are 18 types of identifiers for an individual (listed below). Any one of these identifiers, combined with “protected health information” (e.g., an appointment with a particular doctor), would constitute ePHI.

  • Name
  • Address (all geographic subdivisions smaller than a state, including street address, city, county, zip code)
  • All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death, and exact age if over 89)
  • Telephone number
  • Fax number
  • Email address
  • Social Security number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate/license number
  • Any vehicle or other device serial number
  • Device identifiers or serial numbers
  • Web URL
  • Internet Protocol (IP) address numbers
  • Finger or voiceprints
  • Photographic images
  • Any other characteristic that could uniquely identify the individual

As you can see, it is pretty easy to have ePHI!

An email message sent to an individual that says “your appointment with Dr. Shaw will be at 4pm on Friday” will be ePHI because the appointment with Dr. Shaw is “protected health information,” and the email address itself makes it identifiable. The fact that it is email makes it “electronic” (as opposed to a letter mailed the old-fashioned way).

ePHI Examples

The definition of ePHI seems very straightforward, but confusion arises when you start examining particular cases. Here are some examples:

I’m sending an email to someone whose email address is clearly not identifiable, e.g., “kjhw45376@aol.com”…. therefore the message is not ePHI, right?

The definition of ePHI states that all email addresses, no matter what, are identifiable. Beyond that, at least people at AOL (in this case) will be able to match back the address to the actual person and thus identify the individual.

If it’s possible for anyone to identify the individual somehow, though some database or technique or association (even if you could never do it yourself … someone could), then the information is identifiable.

I am sending a newsletter of health care tips to a list of people that does not seem to be ePHI, right?

Here is a good example of a case where the answer is “it depends.”  Is the information in the newsletter about the person’s past/present/future medical care or billing? Maybe, if this is a letter of tips on how to best recover from surgery, for example. If you are a doctor’s office and perform surgeries and send out this letter, that could be construed as ePHI. If, however, you are a general information web site where people can receive information about many different topics and you have no connection to the subscriber’s particular medical care, then this is not ePHI.

Who needs to worry about ePHI?

This has been a moving target over the years.

Currently, you have to protect all ePHI that you generate or come into contact (i.e., are given from patients) with per the HIPAA Security Rule if:

  1. You are a HIPAA Covered Entity:
    1. Care: You provide services or supplies related to an individual’s physical or mental health care. This includes (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure concerning the physical or mental condition or functional status of an individual that affects the structure or function of the body; and (2) sale or dispensing of a drug, device, equipment, or another item following a prescription.
    2. Provider: A provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other person or organization who furnishes, bills, or is paid for health care in the ordinary course of business.
    3. Clearinghouse: A public or private entity, including a billing service, repricing company, community health management information system or community health information system, and “value added” networks and switches that either process or facilitate the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction, or receive a standard transaction from another entity and process or facilitate the processing of health information into a nonstandard format or nonstandard data content for the receiving entity.
    4. Plan: With certain exceptions, an individual or group plan that provides or pays the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)). The law specifically includes many organizations and government programs as health plans.
  2. You are the Business Associate of a HIPAA Covered Entity. E.g., you perform services for such an entity and [may] come into contact with ePHI as part of your business with them.
  3. You are a Business Associate of a Business Associate. If you do business with any company that is itself a HIPAA Business Associate and, as a result, may come into contact with ePHI, then you must also be a Business Associate and protect that PHI.

The HIPAA Omnibus rule defines this transitive chain of possession such that all businesses that may come into contact with ePHI are responsible for that information’s privacy and security. This includes many companies that previously had no idea they had to be HIPAA-compliant and technically excludes them from doing business with the medical community until they are.

Who does not have to protect ePHI?

Anyone who is not a “Covered Entity” or “Business Associate” per HIPAA does not have to worry about ePHI … at least in terms of violating HIPAA. Everyone should be sensitive about protecting this information, anyway.

The patient is the most notable example of someone who does not have to abide by HIPAA and protect ePHI. The patient (in most cases) is an individual and does not fall under the umbrella of HIPAA. The patient can send whatever sensitive, private, identifiable, protected health information (about themselves) to anyone (their doctor included) without encryption, security, or any other trappings to ensure privacy. While such is not a good idea, no one will be “in trouble with HIPAA” for that action.

So, what if your patient sent you an insecure email from @aol.com with their complete medical history?

  1. You did not violate HIPAA by receiving it.
  2. They did not violate HIPAA by sending it.
  3. As this is ePHI and HIPAA covers you, you are now responsible for protecting this information with all the security and privacy due per HIPAA.

This means that from the moment that patient’s email hits your account, you must take all reasonable measures to safeguard it. This could mean:

  1. Immediately delete it if it was sent to a non-compliant account of yours. You might want to report this to HHS that ePHI was present in your insecure account and why. This is a reporting requirement and not necessarily a breach.
  2. Ensure that patients only know your HIPAA-compliant email address, so any messages they send to you are protected as soon as they arrive.
  3. Providing patients with an easy online mechanism to send you secure, HIPAA-compliant messages so that they are less likely to use their own insecure email systems. (e.g. like LuxSci SecureSend).

Where can I put ePHI when sending an email?

When sending an email, you automatically include “identifiable” information: the recipient’s email address. Where can you put the “protected health information” so that the to-be-encrypted email is adequately secured and compliant? There are generally (and specifically with LuxSci and most email providers) only two places:

  1. The message body
  2. Any attachments

The content in the email message headers, including the Subject line, will not be encrypted (it will during transport only if TLS is used) and can be logged by various servers on the internet. Many of those logs are not likely to be HIPAA-compliant. Protected health information should thus never be present in the subject of email messages — always put it in the body.*

*LuxSci has a feature in its secure email where you can hide email subjects until the recipient actually comes to the LuxSci portal and opens the message.  Until then the subject they see is just something like “You have received a secure message”.  This feature allows medical information to be in the subject and protects you from the risk of such information being accidentally breached by being included in the subject when the subject could be delivered insecurely.

Where else can I put ePHI at LuxSci?

HIPAA-compliant LuxSci customers can also store ePHI:

  1. In any App (e.g., calendar, address book, task list, blog, file storage, password storage, etc.)
  2. In any hosted Database.
  3. In Widgets (except custom ones that send data to 3rd parties).
  4. In files on dedicated web/file servers.*
  5. In SecureChat conversations
  6. in SecueVideo sessions
  7. In SecureText messages

* On dedicated servers, the files do not have to be encrypted on disk, but these files should not be publicly accessible over the web, and any website should be designed with HIPAA compliance in mind.

See LuxSci’s HIPAA Account Restrictions Agreement for more details.