Key Points

• ePHI stands for electronic Protected Health Information and is regulated under HIPAA to ensure that any ePHI stored, transmitted, or received is safeguarded.
• The HIPAA Security Rule mandates specific safeguards categorised into administrative, physical, and technical measures to protect ePHI.
• Healthcare organisations must establish comprehensive policies, conduct regular risk assessments, and provide ongoing employee training to protect ePHI and remain compliant with HIPAA.
• Metomic helps healthcare organisations achieve and maintain HIPAA compliance by offering a comprehensive platform that simplifies and streamlines compliance processes.

The HIPAA Journal reports that in 2023, a record-breaking 133 million healthcare records were ‘exposed, stolen, or otherwise impermissibly disclosed.’

Due to the sensitive nature of the data healthcare organisations collect and store, they are often a target for hackers, but they must also protect data from insider threats such as disgruntled, or simply negligent, employees.

If an organisation is required to comply with HIPAA, they must put measures in place to protect all types of data, including ePHI.

What is meant by ePHI? How is it related to HIPAA?

ePHI stands for electronic Protected Health Information, and it’s protected under HIPAA regulations. Organisations must ensure that any ePHI that is stored, transmitted or received is effectively safeguarded to prevent patient data being put at risk.

In order to comply with the HIPAA Security Rule, healthcare professionals must put administrative, physical, and technical measures in place to secure sensitive patient information.

What is an example of ePHI data?

A patient’s medical record, containing ePHI, could be stored in a hospital’s database. This record might include the patient's name, diagnosis, treatment plan, medications, and billing information - all of which are considered sensitive and must be protected under HIPAA.

What is the difference between ePHI and PHI?

Whereas PHI covers any health information related to an individual, ePHI specifically refers to electronic health data. PHI can refer to data stored on paper, shared verbally, and exchanged electronically.

ePHI includes the same 18 identifiers as PHI, which are:

1. Names
2. Address
3. Dates (excluding years) relating to individual e.g. birthday, admission date
4. Phone numbers
5. Email addresses
6. Fax numbers
7. Social Security Number (SSN)
8. Medical record number
9. Health plan beneficiary number
10. Account number
11. Certificate or license number
12. Vehicle identifiers
13. Device identifiers
14. Web URL
15. IP address
16. Finger or voice print
17. Photographic images
18. Any other identifying information

What are the HIPAA requirements for protecting ePHI?

The requirements for protecting ePHI fall under the HIPAA Security Rule. The Security Rule establishes standards to ensure the confidentiality, integrity, and availability of ePHI that a covered entity creates, receives, maintains, or transmits.

The safeguards mandated by the Security Rule are categorised into administrative, physical, and technical safeguards:

Administrative safeguards

These can include measures such as conducting risk assessments, arranging regular employee training, and building out procedures to ensure that sensitive data isn’t accessed by unauthorised users. There should also be incident response plans in place, in case the data were to be accessed by hackers or insider threats.

Physical safeguards

Data needs to be protected at a physical level, with facility access controls and strong passwords to minimise the risk to sensitive patient data. Employees should also be aware that they should not leave devices unattended, and there should be measures in place to prevent natural disasters such as fires or floods affecting servers.

Technical safeguards

Access controls, transmission security, and integrity controls must be implemented to protect patient data from a technical standpoint. Data should also be encrypted to mitigate the risk of unauthorised users accessing personal information, including sensitive health data.

What do healthcare organisations need to do to protect it and remain compliant?

There are a few steps healthcare organisations can take to ensure they’re protecting patient data, as well as remaining compliant with HIPAA:

1. Put comprehensive policies in place that include the protection of ePHI, to establish security procedures that the entire workforce is aware of.
2. Conduct regular risk assessments to ensure that ePHI vulnerabilities are managed effectively, and risks are mitigated.
3. Regularly provide employee training so that they’re aware of HIPAA regulations and the importance of protecting ePHI.
4. Use encryption methods to protect sensitive patient data during transmission and at rest.
5. Monitor data movements closely to understand where data is stored, who has access to it, and whether they are downloading it.
6. Implement effective access controls to allow only authorised users to view or edit ePHI.
7. Ensure administrative, physical and technical security solutions are in place to minimise sensitive data exposure, including data security solutions, and device controls.

How can Metomic help?

Metomic can assist healthcare organisations in achieving and maintaining HIPAA compliance by providing a comprehensive platform that streamlines compliance processes:

• Data Discovery: Metomic helps identify and document ePHI, ensuring visibility into where data is stored and processed.
• Data Minimisation: Automated rules reduce the amount of redundant data, minimising the attack surface and enhancing security.
• Employee Education: Metomic provides tools to deliver continuous education and training on data security best practices, fostering a culture of healthcare compliance.
• Compliance Reporting: The platform offers reporting functionalities to monitor compliance efforts, track progress, and generate necessary documentation for audits.

Request a personalised demo with one of Metomic's data security experts to see how Metomic can help your organisation comply with HIPAA regulations and protect ePHI effectively.