What is electronic protected health information (ePHI)?
According to the US Department of Health and Human Services, electronic protected health information (ePHI) is any protected health information (PHI) that is created, stored, transmitted, or received electronically. All protected health information is subject to federal Health Insurance Portability and Accountability Act (HIPAA) regulation, which refers to any information that identifies an individual (usually a patient) and relates to at least one of the following:- The individual's past, present, or future physical or mental health
- The provision of health care to the individual
- Past, present, or future payment for health care
Data are "individually identifiable" if they include any of the 18 types of identifiers for an individual or for the individual's employer or family member, or if the provider or researcher is aware that the information could be used, either alone or in combination with other information, to identify an individual. These identifiers are:
- Name
- Address (all geographic subdivisions smaller than state, including street address, city, county, or ZIP code)
- All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death, and exact age if over 89)
- Telephone numbers
- FAX number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Any vehicle or other device serial number
- Device identifiers or serial numbers
- Web URL
- IP address
- Finger or voice prints
- Photographic images
- Any other characteristic that could uniquely identify the individual
The "e" in ePHI
Electronic protected health information (ePHI) includes any medium used to store, transmit, or receive PHI electronically. The following and any future technologies used for accessing, transmitting, or receiving PHI electronically are covered by the HIPAA Security Rule:- Media containing data at rest (storage)
- Personal computers with their internal hard drives used at work, home, or traveling
- External portable hard drives, including iPods and similar devices
- Magnetic tape
- Removable storage devices, such as USB memory sticks, CDs, DVDs, and floppy disks
- PDAs and smartphones
- Data in transit, via wireless, Ethernet, modem, DSL, or cable network connections
- File transfer
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is set of statutes designed to improve the efficiency and effectiveness of the US health care system:- Title I: Title I of HIPAA provides rules to "improve the portability and continuity of health insurance coverage" for workers when they change employers.
- Title II: Title II of HIPAA provides rules for controlling health care fraud and abuse, and includes an "Administrative Simplification" section that sets standards for enabling the electronic exchange of health information.
- The Privacy Rule protects the privacy of individually identifiable health information. For more, see Privacy Rule on the OCR web site.
- The Security Rule sets national standards for the security of electronic protected health information (ePHI). For more, see Security Rule on the OCR web site.
At Indiana University, compliance with the HIPAA privacy and security rules is coordinated through the Office for Clinical Affairs, with the interim HIPAA Privacy Officer and interim HIPAA Security Officer. For more about HIPAA compliance at IU, see the HIPAA Compliance page.
For more about HIPAA and the HITECH Act, see these US Health and Human Services pages:
- HIPAA Administrative Simplification Statute and Rules
- Summary of the HIPAA Privacy Rule
- Summary of the HIPAA Security Rule
- HITECH Act Enforcement Interim Final Rule
No comments:
Post a Comment