What Qualifies as EPHI According to HIPAA? More Than You May Think . . .


The Problem: A Lack of Awareness

The HIPAA Privacy and Security rules center around what “covered entities,” such as medical practices, have to do to secure a very particular kind of information—what the law calls “protected health information” (PHI). Much of this information is now stored electronically, which the legislation refers to as EPHI (electronic protected health information).

Many practices don’t stop, though, to consider what information, exactly, constitutes EPHI. They assume that EPHI simply means medical records—charts, notes, and prescription information related to patient care. The problem is that, while these kinds of information certainly are EPHI, HIPAA’s definition is much broader. As a result, many practices that do a good job of protecting records, but are actually noncompliant because their security strategies do not cover the whole spectrum of EPHI.

What Is EPHI?

In short, HIPAA defines EPHI as “individually identifiable health information.” This means that there are essentially two components to information that qualifies as EPHI: 1) something that relates to someone’s health, and 2) something that identifies that person.

The first component is the more obvious one. HHS’s summary of the HIPAA Privacy Rule lays out these three categories of information related to a patient’s health:

  1. Information related to “the individual’s past, present, or future physical or mental health or condition”

  2. Information related to “the provision of health care to the individual”

  3. Information related to “the past, present, or future payment for the provision of health care to the individual”

The second component, which makes the information “individually identifiable,” is trickier. The principle at work here is that EPHI is any kind of health information that could be tied to a particular person. According to HHS, EPHI is information “for which there is reasonable basis to believe can be used to identify an individual.”

Identifying information varies widely. It would obviously include an individual’s name, social security number, and basic contact information (phone numbers, addresses, etc.). But it could also include photos or images of that person, fingerprints, account numbers, driver’s license numbers, or website addresses or IP addresses associated with that person.

Essentially, if someone could conceivably use a piece of information to find out a person’s identity, and it is tied to medical information about that person, it counts as EPHI

An Example: Appointment Calendar Entries

As mentioned above, many practices are inadvertently noncompliant because they think the only thing that counts as EPHI is medical records. One of the most common instances of unrecognized EPHI that we see involves calendar entries containing patient appointments.

Because an appointment already indicates that medical services will be rendered to a patient, all a calendar entry needs to become EPHI is something that identifies that patient—including a name or account number. This means that if the practice uses, say, an Exchange calendar to push out appointments to doctors’ or employees’ laptops, phones, and tablets, the practice is sending out EPHI to locations that may not contain adequate safeguards per HIPAA. If an appointment makes its way onto a personal or unencrypted laptop or smartphone calendar, then the EPHI in question is in breach of HIPAA.

There are certainly ways of putting safeguards in place to give doctors and necessary employees the ability to check appointment times on the go, but these require significant cybersecurity and compliance strategy to implement.

There are certainly other kinds of EPHI that fall through the cracks due to a lack of awareness of the whole spectrum of information that qualifies. Wondering whether a particular kind of information would constitute EPHI? Ask in the comments section below, or contact us today.