Under HIPAA, any information that can be used to identify a patient is considered Protected Health Information (PHI). PHI in electronic form — such as a digital copy of a medical report — is electronic PHI, or ePHI. Although HIPAA has the same confidentiality requirements for all PHI, the ease with which ePHI can be copied and transmitted requires special safeguards to prevent breaches.
What is Protected Health Information? Anything related to health, treatment or billing that could identify a patient is PHI. This includes:
- Dates (e.g. birthdate, date of treatment)
- Location (street address, zip code, etc.)
- Contact numbers (phone number, fax, etc.)
- Web contact information (email, URL or IP)
- Identifying numbers (Social security, license, medical account, VIN, etc.)
- Physical identity information (photo, fingerprints, etc.)
Under the HIPAA Privacy Rule, PHI can generally only be used to furnish medical services and process payments. There are also a few special cases when PHI must be disclosed, such as under a court-ordered warrant. Medical information that has been de-identified — stripped of all identifying information — is no longer subject to the HIPAA Privacy Rule, and can be used for other purposes, such as case studies.
What is ePHI security? The HIPAA Security Rule governs how PHI protected. Its Technical Safeguards play a central role in protecting HIPAA ePHI through access control. Many of these safeguards are security best practices, including:
- Unique accounts for each user
- Strong passwords and (ideally) multi-factor authentication
- Providing each user the minimum ePHI access required to do their job
- Recording all access and changes to ePHI
Providers needs to protect ePHI anywhere it goes, using client-side encryption. Encryption scrambles data so that it can only be deciphered by an authorized user, using a string of data called the key. This ensures that, if a malicious actor intercepts the data, they will not be able to read it.
By using encryption to protect all ePHI including communications with patients, business associates and other healthcare providers, organizations can greatly reduce the chance of a HIPAA breach.
Although Technical Safeguards are central to securing ePHI, Physical Safeguards (protecting workstations) and Administrative Safeguards (training and auditing) also play a crucial role. Organizations should use a complete HIPAA compliance checklist that protects patient confidentiality everywhere — not just in the cloud.
How can patients and providers secure HIPAA ePHI? Healthcare portals are a common way to communicate with patients. Unfortunately, they are complex and inconvenient, and providers have struggled to convince patients to use them. This undermines efforts to meet HITECH compliance meaningful use requirements, and undermines healthcare data security.
HIPAA compliant email from Virtru allows patients and professionals to communicate securely using their own email accounts, improving security and helping organizations meet meaningful use goals.
Protect ePHI with Virtru Pro. Virtru Pro provides military-grade encryption with consumer-grade ease-of-use. The application automatically manages encryption keys, allowing users to encrypt email attachments and messages with a single click. Integrated with our Google Apps (now known as G Suite) Encryption, it provides a complete HIPAA ePHI solution, safeguarding patient data in the cloud.
Make HIPAA compliance easy with Virtru Pro.