Channel: All Blog Topics - Healthcare Training Leader

3 Signs You’re Dealing With e-PHI and 3 Signs You Aren’t


The HIPAA laws define protected health information (PHI) as any data that can be used to identify a patient. And when that information is in electronic format, it’s considered e-PHI. No matter which form your PHI is in, you must keep that data locked down, or you could face huge fines and penalties. But not all information in your files qualifies as e-PHI.

Check out three signs that you’re dealing with e-PHI, and three indicators that you aren’t.

3 Signs You’re Dealing With e-PHI

You’re most likely dealing with protected health information in the following scenarios.

1. The Information Has One of 18 Identifiers on It

You probably already know that records with a patient’s name, address, Social Security number or other personally identifiable information are classified as PHI. However, HIPAA actually lists 18 identifiers that qualify as PHI, and not all of them are familiar to every practice.

For instance, any license plate number would qualify as e-PHI. So if you keep a log on your computer listing patients’ license plate numbers that qualify for free parking at your hospital, that would be considered e-PHI, and if you lost it, you’d have a breach.

2. The Data Is Held by a Covered Entity

Even if the data includes one of the 18 HIPAA identifiers, it’s not necessarily e-PHI. That’s because it must also be maintained by a covered entity or a business associate who’s acting for the covered entity. For instance, suppose a parent has their child’s vaccine schedule in a drive on a home computer that’s later hacked. Because the parent is not a covered entity or a business associate of the provider, it’s not considered e-PHI.

3. It’s in an Electronic Format

Even non-electronic PHI is protected under the HIPAA laws, but it’s important to know which types of e-PHI exist. You may think it’s limited to your electronic health records, computers and iPads, but it’s so much more. For instance, if you have a digital camera with patients’ pictures stored on it, that’s e-PHI. So are email messages that include patient email addresses or names. Everything that can identify your patients in any electronic format is considered e-PHI.

3 Signs You Aren’t Dealing With e-PHI

The government is very strict about what qualifies as e-PHI. In most cases, the following are not considered protected health information, but always talk with a qualified healthcare attorney if you’re ever unsure.

1. It’s Not Connected to Personally Identifiable Information

Even if you have information about medical treatments or diagnoses, it’s not considered e-PHI if someone who accesses it can’t identify anyone from it. For instance, suppose you keep a log of the number of COVID-19 vaccinations you performed yesterday. The log is kept on an iPad, which ends up being stolen from your practice.

Although the list includes medical information — the number of COVID-19 vaccines you gave — no patients can be identified through it. The list is only a tally of how many you administered, without names, addresses, genders or any other personally identifiable information.

2. Health Information a Patient Self-Records on Personal Devices

Suppose a patient maintains a record of their blood pressure readings on their smartwatch so they can tell the doctor about it at their next visit. They then lose the smartwatch and cannot find it. Although this contains personally identifiable information, the patient is not a covered entity under HIPAA. Since the patient lost their own data and it hadn’t been transmitted to your practice electronically or otherwise, it’s not considered e-PHI.

3. De-Identified Data

If your records have been de-identified, then they’re no longer subject to the HIPAA laws. This includes any e-PHI that has been thoroughly scrubbed of all HIPAA identifiers. For instance, suppose you have a lab report listing pathology results for a breast cancer biopsy. However, the patient information has been deleted from the report and it only identifies “the patient,” such as “The patient’s sample was stained and prepared…”

Once all PHI has been de-identified, the data no longer qualifies as e-PHI.

It’s all too easy to breach the HIPAA rules without even realizing it — just one errant text can cause disaster. That’s why it’s imperative that you secure all of your PHI. Get legal advice from healthcare attorney Iliana Peters, JD, LLM, CISSP, during her latest online training, NEW HIPAA Compliant Texting Guidance: Avoid Audits & Penalties. Register today!



The post 3 Signs You’re Dealing With e-PHI and 3 Signs You Aren’t appeared first on Healthcare Training Leader.

