Protected health information (PHI) was first defined when HIPAA was enacted in 1996. HIPAA is intended to protect patient privacy while also giving individuals rights over their personal information. In the years since HIPAA was passed, technological advances have significantly changed the way PHI is created and used, requiring updated policies for electronic protected health information, or ePHI.
ePHI Defined
PHI refers to any data created, used, or disclosed in the course of receiving healthcare services that could potentially identify an individual. HIPAA lists 18 identifiers for PHI, including names, geographical data, dates, photographs, and any unique identifying number. ePHI is PHI that you store, transmit, or receive in electronic form.
Here are some examples:
- Any medical information shared by email including lab and test results and appointment reminders
- Appointments and procedures stored on an e-calendar
- E-prescriptions
- Digital photographs, x-rays, and MRIs
- Health information stored on a hard drive, computer, flash drive, disk, cloud storage platform, or other digital device/system
Legal Compliance for ePHI
The HIPAA Privacy Rule applies to all forms of PHI, while the HIPAA Security Rule specifically applies to ePHI. The Security Rule details who is covered, what information is protected, and what safeguards must be in place to maintain the appropriate protection of ePHI. Protections must ensure the confidentiality, integrity, and availability of ePHI.
Confidentiality
ePHI must remain private and confidential, accessible only to the people and systems you have authorized.
Integrity
ePHI must never be altered or destroyed in any way that is not authorized, so that its integrity is maintained.
Availability
ePHI should always be available and accessible to authorized individuals when needed.
The Security Rule requires three types of safeguards to properly protect ePHI. Each lays out a different set of procedures that must be followed. The safeguard requirements are:
Administrative
Administrative safeguards cover the processing of ePHI. They include guidelines for employee training, analyzing risk, security management and personnel, information access management, monitoring the use of ePHI, and security awareness.
Physical
Physical safeguards are in place to protect electronic information systems, equipment, and the buildings that house them. They include access controls for all facilities, procedures for the use and disposal of electronic media, and workstation security.
Technical
Technical safeguards are IT controls that protect ePHI while it is transmitted over an electronic network. They include encryption, monitoring for abnormalities, activity logging, integrity controls, and transmission security.
Compliance with HIPAA is critical because ePHI is highly valuable and frequently targeted by cybercriminals. Thieves use medical information to commit fraud, obtain medical care or drugs, and even blackmail victims. Moreover, medical information has a much longer shelf life than financial information and therefore sells for more on the black market.
Implementing HIPAA's safeguards helps keep criminals from gaining access to your records and reduces your organization's exposure to fines or litigation for non-compliance.
Medical Records Management for ePHI
Healthcare organizations and related businesses are responsible for taking the proper steps to maintain the confidentiality, integrity, and availability of ePHI managed through their electronic health record (EHR) system.
Using an EHR to collect and process ePHI supports compliance with the HIPAA Security Rule and HITECH's Meaningful Use requirements. Additionally, EHR software and the hardware it runs on often have built-in security features. However, these features are not always configured or enabled properly. You will need to make sure that you and your team understand them and verify that they are functioning correctly.
You will also need to conduct a security risk analysis regularly and stay current on software updates and patches. This helps your organization identify potential security weaknesses and prevent unauthorized access to ePHI.
Protect ePHI with an EHR System from Record Nations
EHR systems make it easy to comply with HIPAA requirements and protect valuable ePHI. Our systems increase security, improve efficiency, and advance patient care. Give us a call at (866) 385-3706 or fill out the form to receive free quotes on an EHR system for your organization. Our experts will help you select a system that fits your needs and keeps your data safe.