Health data is the lifeblood of the medical industry.

It’s also currency in the world of hackers, as clearly seen in the 2017 Wannacry ransomware attack. Patient information is, by nature, sensitive, and health insurance claims are common PHI (protected health information). Hospitals and medical practices depend on PHI to understand a patient’s medical history to add context to a person’s health. But they also need to learn and implement the proper safeguards to ensure that stored PHI is not compromised.

What is ePHI?

ePHI (electronic PHI) is identifiable patient information stored and shared electronically. ePHI refers to data that a medical professional collects and stores to determine and provide proper care.

Eighteen specific identifiers of patient demographics are considered PHI according to HIPAA (Health Insurance Portability and Accountability Act). They include:

• Name
• Address
• Months and days directly related to an individual
• Social Security number
• Health plan beneficiary number
• Certificate/license numbers
• Web URLs
• Biometric identifiers such as fingerprints or voice prints
• Full-face photos
• Other unique identifying numbers, characteristics or codes (e.g. telephone number, email address, medical record number, account number, vehicle identifiers, device identifiers or serial numbers, and internet protocol (IP) address)

Some examples of ePHI include:

Examples of ePHI

• Emailed lab results or blood test reports
• Appointments and procedures stored on an e-calendar
• E-prescriptions
• Stored x-rays, MRIs or other digital photographs of a patient
• Patient notes stored in a mobile device

HIPAA regulations set the standard for the creation, storage, transmission and receipt of ePHI. The HIPAA Security Rule specifies that health care-related providers, vendors, and IT companies follow standards to restrict unauthorized access to PHI. The HIPAA Security Rule helps maintain the confidentiality to prevent illegal disclosure, integrity required to authorize and authenticate use by medical personnel, and availability that allows patient access of ePHI. The HIPAA Privacy Rule guides how health care organizations use and share PHI, with patients when necessary, as well as limits which PHI health care organizations can collect from patients, share with other organizations or use as marketing material.

What is not ePHI?

What, then, does not qualify as ePHI in the digital age? ePHI is only considered “protected information” when, 1) it is maintained by a HIPAA-covered entity or business associate, and 2) it can identify a specific individual.

That means that health information stored in school or employment records is not ePHI, nor is the professional information of medical staff. Additionally, patient health data can be completely stripped of identifiers (those mentioned above). If that data is stripped of identifiers, it is no longer protected information and HIPAA’s restrictions on use and disclosure no longer apply. That stripped data is referred to as de-identified or anonymized data and can be added to databases and ultimately provide insight into general populations and value care-based programs.

Additionally, consider the existence of Apple Health Records, glucose trackers, heart rate monitors and even period trackers. Health apps abound and they collect information that could very well be classified as ePHI. However, that data doesn’t fall under HIPAA rules because the app wasn’t created for the use of a physician. A patient’s own knowledge of their health data doesn’t fall under HIPAA either. They’re free to share their own information to their heart’s desire.

Determining what data is or isn’t considered ePHI is tricky. Context can always help accurately identify ePHI and prevent patients from inadvertently violating HIPAA.

• How and where is patient information being used?
• Are you sharing personally identifiable health data with a covered entity? 
• Can you match any of the patient information to another individual? 

How to ensure ePHI compliance

ePHI must be protected in your organization, whether you are a covered entity or a business associate. After all, ePHI noncompliance can result in employee termination or civil and criminal penalties. “Covered entities” are health care providers, health insurance clearinghouses and health plans. “Business associates” are businesses that provide services to and in partnership with covered entities. This includes software developers who create programs and apps for the health care industry, and hospital data storage providers.

If you don’t have safeguards in place to ensure patient privacy, conduct an audit to assess what level of security your organization has. Risk assessments will uncover any gaps, identify where ePHI is stored and detail the current flow of information. You can then create recovery plans to address any vulnerabilities and weaknesses, implement solutions that will help maintain security, and standardize ePHI storage and transmission.

What are the penalties of noncompliance?

Swedish Covenant Hospital nurse Justine Lee (BSN, RN) witnessed what can happen when medical staff are implicated in an ePHI noncompliance scandal. After actor Jussie Smollett was indicted for lying to police, about 80 medical professionals at Northwestern Memorial Hospital were swiftly fired when it was determined they had improperly viewed Smollett’s medical records.

Once Smollett acknowledged he had lied about being attacked, a lawsuit was filed, and as a result, his medical records were audited. At Northwestern Memorial, whenever a hospital employee opened a patient file, the employee’s name is recorded, along with the date and time. The audit revealed practitioners who had no line of care to Smollett viewed his files, a clear HIPAA violation. “HIPAA protects patient medical information from the moment they make an appointment or get admitted, to the bills they pay, to the outpatient services they do,” Lee said. “Anyone who isn’t directly involved with that patient is looking into medical information illegally.”

Lee explained there’s a blurred line when it comes to looking at patient files. In some scenarios, HIPAA allows medical professionals to access or restrict patient information, even without consent. But that’s only if it’s considered the best way to keep their health information private and safe. For example, Lee recalls the need for ICU nurses to look at the files of emergency room patients before they’ve officially arrived at the ICU, so they’re prepared for the incoming admission.