Tech & Innovation in Healthcare

Reader Question:

Ensure You’re Protecting Your Patients’ ePHI

Published on Fri Dec 01, 2023

Question: A coworker in our practice’s front office keeps telling me ePHI isn’t a thing and that I shouldn’t worry about it, but I disagree.

Which one of us is right?

Kansas Subscriber

Answer: You should absolutely prioritize every patient’s protected health information (PHI), regardless of whether the information is on paper or in an electronic format — also known as electronic PHI or ePHI.

PHI is best defined as “all ‘individually identifiable health information’ held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral,” reminds the HHS Office for Civil Rights (OCR) in its HIPAA Privacy Rule guidance.

The HIPAA Privacy Rule identifies 18 items as “individually identifiable health information” that are considered PHI:

Name
Address
Birth date and other corresponding dates of admission, discharge, death, etc.
Landline and cellphone numbers
Fax numbers
Email addresses
Social Security Number
Medical record number
Health plan beneficiary number (i.e. Medicare Beneficiary Identifier)
Account number
State identification or license number
Vehicle identifiers and serial numbers, including license plate numbers
Device identifiers and serial numbers
URLs
IP addresses
Biometric identifiers like finger or voice prints
Photo or image of patient, specifically the face
Any other unique code, characteristic, image, or number that identifies the individual.

The HIPAA Security Rule also protects certain information covered by the Privacy Rule, which includes “all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form,” according to the U.S. Department of Health and Human Services (HHS) website.

Additionally, the Security Rule instructs covered entities (CEs), such as healthcare providers, health plans, or healthcare clearinghouses, to take the appropriate measures to protect ePHI through administrative, technical, and physical safeguards. You must never disclose PHI or ePHI to unauthorized persons, or you’ll be in violation of HIPAA’s Privacy and Security Rules.

Tech & Innovation in Healthcare

Digital Health:
Conquer Remote Patient Monitoring Obstacles
Understand what the FDA defines as a medical device. Healthcare providers use remote patient monitoring [...]

Artificial Intelligence:
Learn How President Biden’s AI Executive Order Affects Healthcare
Will new regulations hinder innovation? On Oct. 30, 2023, President Joseph Biden signed an Executive [...]

Virtual Reality:
Stay Calm When Reporting VR Procedural Dissociation With These Coding Tips
Plus, find out what services are not covered by 0771T-+0774T. Virtual reality (VR) is a [...]

Reader Question:
Learn Why You Should Ethically Hack Your Network
Question: What’s the difference between white and black hat hackers? Washington Subscriber Answer: The difference between white [...]

Reader Question:
Provide Veterans With VR to Treat Chronic Conditions
Question: I work with a lot of veterans who suffer from chronic pain, mental health issues, [...]

Reader Question:
Ensure You’re Protecting Your Patients’ ePHI
Question: A coworker in our practice’s front office keeps telling me ePHI isn’t a thing and [...]

Reader Question:
Learn How to Document Digital E/M Codes
Question: A healthcare provider in our practice wants to use the digital E/M codes, but we’re [...]

View All