What exactly is ePHI? Who has to worry about it? Where can it be safely located?
There is often a great deal of confusion and misinformation about what, exactly, constitutes ePHI (electronic protected health information) which must be protected due to HIPAA requirements. Even once you have a grasp of ePHI and how it applies to you, the next question becomes … where can I put ePHI and where not? What is secure and what is not?
We will answer the “what is ePHI” question in general, and the “where can I put it” question in the context of web and email hosting, and SecureForm processing at LuxSci.
What constitutes electronic Protected Health Information?
ePHI is “individually identifiable” “protected health information” sent or stored electronically. Protected health information refers specifically to three classes of data:
- An individual’s past, present, or future physical or mental health or condition
- The past, present, or future provisioning of health care to an individual
- The past, present, or future payment-related information for the provisioning of health care to an individual
“Individually identifiable” means information that can somehow be linked back to a specific individual (even if this is very indirect). There are 18 types of identifiers for an individual (listed below). Any one of these, combined with some kind of “protected health information” (e.g. an appointment with a particular doctor), would constitute ePHI.
- Address (all geographic subdivisions smaller than state, including street address, city, county, zip code)
- All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death and exact age if over 89)
- Telephone number
- Fax number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Any vehicle or other device serial number
- Device identifiers or serial numbers
- Web URL
- Internet Protocol (IP) address numbers
- Finger or voice prints
- Photographic images
- Any other characteristic that could uniquely identify the individual
As you can see, it is pretty easy to have ePHI!
An email message sent to an individual that says “your appointment with Dr. Shaw will be at 4pm on Friday” will be ePHI because the appointment with Dr. Shaw is “protected health information”, the email address itself makes it identifiable, and the fact that it is email makes it “electronic” (as opposed to a letter mailed the old-fashioned way).
Where is the ambiguity? Seems pretty straightforward!
The definition of ePHI does seem very straightforward, but when you start examining particular cases, confusion arises. Here are some examples:
I’m sending an email to someone whose email address is clearly not identifiable, e.g. “firstname.lastname@example.org” … therefore the message is not ePHI, right?
The definition of ePHI states that all email addresses, no matter what, are identifiable. Beyond that, at least people at AOL (in this case) will be able to match back the address to the actual person and thus identify the individual.
If it’s possible for anyone to identify the individual somehow, through some database or technique or association (even if you could never do it yourself … someone could), then the information is identifiable.
I am sending a newsletter of health care tips to a list of people, that does not seem to be ePHI, right?
Here is a good example of a case where the answer is “it depends”. Is the information in the newsletter about the person’s past/present/future medical care or billing? Maybe, if this is a letter of tips on how to best recover from surgery, for example. If you are a doctor’s office and perform surgeries and send out this letter, that could be construed as ePHI. If, however, you are a general information web site where people can receive information about many different topics and you have no connection to the subscriber’s particular medical care, then this is not ePHI.
Who needs to worry about ePHI?
This has been a moving target over the years.
Currently, you have to protect all ePHI that you generate or come into contact with (e.g. that patients give you) per the HIPAA Security Rule if:
- You are a HIPAA Covered Entity:
  - Care: You provide services or supplies related to the physical or mental health care of an individual. This includes: (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual that affects the structure or function of the body; and (2) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.
  - Provider: A provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.
  - Clearinghouse: A public or private entity, including a billing service, repricing company, community health management information system or community health information system, and “value added” networks and switches that either process or facilitate the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction, or receive a standard transaction from another entity and process or facilitate the processing of health information into a nonstandard format or nonstandard data content for the receiving entity.
  - Plan: With certain exceptions, an individual or group plan that provides or pays the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)). The law specifically includes many types of organizations and government programs as health plans.
- You are the Business Associate of a HIPAA Covered Entity, i.e. you perform services for such an entity and [may] come into contact with ePHI as part of your business with them.
- You are a Business Associate of a Business Associate. If you do business with any company that is itself a HIPAA Business Associate, and as a result may come into contact with ePHI, then you yourself must also be a Business Associate and protect that PHI.
The HIPAA Omnibus rule defines this transitive chain of possession such that all businesses that may come into contact with ePHI are made responsible for the privacy and security of that information. This includes many companies that previously had no idea they had to be HIPAA compliant, and technically excludes them from doing business with the medical community in any way until they are.
Who does not have to protect ePHI?
Anyone who is not a “Covered Entity” or “Business Associate” per HIPAA does not have to worry about ePHI … at least in terms of violating HIPAA. Everyone should be sensitive about protecting this information, anyway.
The most notable example of someone that does not have to abide by HIPAA and protect ePHI is the patient. The patient (in most cases) is an individual and does not fall under the umbrella of HIPAA. The patient can send whatever sensitive, private, identifiable, protected health information (about him/herself) to anyone (their doctor included), without encryption, security, or any other trappings to ensure privacy. While such is not a good idea, no one will be “in trouble with HIPAA” for that action.
So, what if your patient does send you an insecure email from @aol.com with their complete medical history in it?
- You did not violate HIPAA by receiving it.
- They did not violate HIPAA by sending it.
- As this is ePHI and you are covered by HIPAA, you are now responsible for protecting this information going forward with all the security and privacy due per HIPAA.
This means that from the moment that patient’s email hits your account, you must take all reasonable measures to safeguard it. This could mean:
- Immediately deleting it if it was sent to a non-compliant account of yours. You might want to report this to HHS that ePHI was present in your insecure account and why. This is a reporting requirement and not necessarily a breach.
- Ensuring that patients only know your HIPAA-compliant email address … so any messages that they send to you are protected as soon as they arrive.
- Providing patients with an easy online mechanism to send you secure, HIPAA-compliant messages (e.g. LuxSci SecureSend), so that they are less likely to use their own insecure email systems.
Where can I put ePHI when sending an email?
When sending an email, you are automatically including “identifiable” information: the recipient’s email address. Where can you put the “protected health information” so that the to-be-encrypted email is properly secured and compliant? There are generally (and specifically with LuxSci and most email providers) only two places:
- The message body
- Any attachments
The content of the email message headers, including the Subject line, is not encrypted by message-level email encryption (in transit it is protected only when TLS is used) and can be logged by various servers on the Internet … and many of those logs are not likely to be HIPAA compliant. Protected health information should thus never be present in the subject of email messages — always put it in the body.*
*LuxSci has a feature in its secure email where you can hide email subjects until the recipient actually comes to the LuxSci portal and opens the message. Until then the subject they see is just something like “You have received a secure message”. This feature allows medical information to be in the subject and protects you from the risk of such information being accidentally breached by being included in the subject when the subject could be delivered insecurely.
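As an added example (not LuxSci's code, and not its subject-hiding implementation), the following Python checks an outbound message's Subject for a few of the identifier patterns listed earlier and, if any match, moves the real subject into the body and replaces the header with a neutral placeholder, which is the safe pattern described above. It assumes a single-part text/plain message and standard-library email parsing; the sample message and the regexes are constructed for this example.

```python
# Added example (not LuxSci's code). Assumes single-part text/plain messages.
import re
from email import message_from_string, policy
from email.message import EmailMessage

PLACEHOLDER_SUBJECT = "You have received a secure message"

# A few of the 18 HIPAA identifiers that commonly leak into subject lines.
# Patterns are constructed for this example and deliberately simple.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "mrn": re.compile(r"\bMRN\s*#?\s*\d+\b", re.IGNORECASE),
}

# Constructed sample message; its Subject carries a date and an MRN.
SAMPLE_RAW = """\
From: clinic@clinic.example
To: patient@mail.example
Subject: Appointment with Dr. Shaw 4/12/2024, MRN 123456
Content-Type: text/plain; charset="utf-8"

Your appointment with Dr. Shaw will be at 4pm on Friday.
"""

def find_identifiers(text: str) -> list[str]:
    """Names of the identifier patterns that match `text`."""
    return [name for name, rx in IDENTIFIER_PATTERNS.items() if rx.search(text)]

def hide_subject(msg: EmailMessage) -> EmailMessage:
    """If the Subject looks like PHI, move it into the body and neutralise the
    header. Headers stay plaintext even in an S/MIME- or PGP-encrypted message,
    so this only helps if the body is encrypted before the message is sent."""
    original = msg.get("Subject", "")
    if not find_identifiers(original):
        return msg
    body = msg.get_content()   # decoded text body (single-part assumed)
    msg.clear_content()        # drop the old payload and Content-* headers
    msg.set_content(f"Subject: {original}\n\n{body}")
    msg.replace_header("Subject", PLACEHOLDER_SUBJECT)
    return msg

def load_sample() -> EmailMessage:
    return message_from_string(SAMPLE_RAW, policy=policy.default)
```

Nothing here encrypts anything: moving the subject into the body only helps when the body is then protected by message-level encryption, as the article recommends.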
Where else can I put ePHI at LuxSci?
HIPAA-compliant LuxSci customers can also store ePHI:
- In any App (e.g. calendar, address book, task list, blog, file storage, password storage, etc.)
- In any hosted Database.
- In Widgets (except custom ones that send data to 3rd parties).
- In files on dedicated web/file servers.*
- In SecureChat conversations
- In SecureVideo sessions
- In SecureText messages
* On dedicated servers, the files do not have to be encrypted on disk, but these files should not be publicly accessible over the web, and any web site should be designed with HIPAA compliance in mind.
See LuxSci’s HIPAA Account Restrictions Agreement for more details.