You probably come across the phrases PHI and ePHI frequently if you work for a company that is governed by HIPAA (Health Insurance Portability and Accountability Act).
But what are they, exactly, and do they differ from one another? And how do you determine what qualifies as PHI or ePHI? Although these questions seem simple, they can be surprisingly difficult to answer.
What is PHI?
According to HIPAA, PHI (Protected Health Information) is "all identifiable health information that is used, maintained, stored, or communicated by a HIPAA-covered entity." Healthcare providers, insurers, and business associates of a HIPAA-covered entity are examples of organizations covered by HIPAA.
In practice, any data or information about your health that such an entity holds is regarded as PHI.
Test results, medical history, and personal details such as your name or Social Security number all fall into this category. The HIPAA Privacy Rule requires that certain personal identifiers be kept private.
HIPAA defines 18 personal identifiers. They include:
Dates (except year)
Social Security numbers
Medical record numbers
Health plan beneficiary numbers
Device identifiers and serial numbers
Internet Protocol (IP) addresses
Full-face photographs and comparable images
Biometric identifiers (fingerprint, retinal scan)
Any unique identifying number or code
What is ePHI?
Electronic Protected Health Information, or ePHI, is PHI that is created, stored, or transmitted electronically. When the HIPAA Security Rule first defined ePHI, organizations were required to put new safeguards in place to protect that data and guarantee its confidentiality and integrity.
ePHI exists in many digital forms, including cloud-based systems, patient data shared by email, and data stored on hard drives, computers, and flash drives. Because the threats to it change, the safeguards protecting ePHI from attackers and breaches must be reviewed and updated regularly.
Some information is just as sensitive yet does not qualify as PHI or ePHI. Use the following questions to determine whether data is covered by HIPAA as PHI/ePHI:
Who recorded the data? HIPAA generally does not apply to data you record yourself on smart devices or apps unless the device or app is linked to a healthcare practitioner or insurance plan.
Is the information part of your employment or education records? HIPAA does not apply to those. Your employer may note your allergies, but that note is not considered PHI.
Does the data include any of the personal identifiers? If not, it is not PHI or ePHI. Data stripped of those identifiers is typically what scenarios like population health studies use.