Which of the Following is Not Electronic PHI? Understanding ePHI and Its Implications

Aug. 15, 2024 | Olga Druchek

When discussing Protected Health Information (PHI) within the context of electronic health records (EHR) and digital healthcare, it's crucial to understand what constitutes Electronic PHI and what does not. The distinction is essential for maintaining compliance with regulations like the Health Insurance Portability and Accountability Act (HIPAA). In this blog post, we'll explore what ePHI is and identify which types of information are not considered ePHI.

What Does ePHI Stand For?

Electronic Protected Health Information, commonly referred to by its acronym ePHI, is any protected health data that is created, stored, or transmitted electronically and covered under HIPAA regulations. In other words, the term covers the electronic versions of protected health records that HIPAA governs.

What is ePHI in Healthcare?

In healthcare, ePHI includes a wide range of information that relates to a patient's health status, provision of care, or payment for healthcare services, as long as this information is handled electronically. Some examples include:

  • Electronic Medical Records (EMR): Digital versions of a patient’s medical history, diagnoses, medications, treatment plans, and test results.

  • Billing Information: Electronic records of insurance claims, payment details, and other financial transactions related to healthcare services.

  • Digital Imaging: Scans, X-rays, MRIs, and other medical images stored digitally.

  • Email Communications: Emails between healthcare providers discussing a patient's care.

  • Telemedicine: Video consultations and digital communications involving patient information.

ePHI Definition and Meaning

The definition of ePHI is crucial in the context of HIPAA compliance. ePHI is defined as any health information that is individually identifiable and stored or transmitted electronically. The "electronic" qualifier is what distinguishes ePHI from other forms of PHI (Protected Health Information), which can also exist in paper or verbal forms. The meaning of ePHI is tied to the requirement for extra security measures, as the digital nature of this information makes it more vulnerable to breaches.

Examples of ePHI

To further clarify, here are some common examples of ePHI:

  • Patient Portals: Information accessed by patients through secure online portals, such as test results, appointment schedules, and medication details.

  • Health Apps: Data collected by healthcare providers via apps that track patient health metrics.

  • Wearable Devices: Information from devices like fitness trackers or heart monitors when used by healthcare providers for patient care.

  • Automatic Logoff Systems: Systems that automatically log off users to prevent unauthorized access to patient information.

What is the Difference Between PHI and ePHI?

The main difference between PHI and ePHI lies in the medium through which the information is stored or transmitted. While PHI can exist in paper records, spoken communications, or other non-digital formats, ePHI specifically refers to health information that is handled electronically. This distinction is important because HIPAA mandates specific security measures for ePHI, such as encryption, access controls, and audit logs, to protect it from unauthorized access.

HIPAA and ePHI

HIPAA outlines strict requirements for handling ePHI to ensure the privacy and security of patient information. These requirements include:

  • Access Controls: Implementing measures to ensure that only authorized individuals have access to ePHI.

  • Encryption: Protecting ePHI by converting it into a secure format that is unreadable without a decryption key.

  • Automatic Logoff: Systems that automatically log off users after a period of inactivity to prevent unauthorized access.

Failure to comply with HIPAA’s requirements for ePHI can result in significant penalties, including fines and legal actions. This makes it crucial for healthcare providers and associated entities to understand and correctly implement the necessary safeguards.

What Does Not Qualify as ePHI?

While the definition of ePHI is broad, it does not encompass all electronically stored information. Understanding what does not qualify as ePHI is just as important as knowing what does, to avoid unnecessary complications and ensure compliance with HIPAA regulations. Below are some key categories of information that do not fall under the ePHI classification:

  1. De-identified Health Information
    One of the most important exceptions to the ePHI category is de-identified information. HIPAA defines de-identified data as health information that has been stripped of all identifiers that could reasonably be used to identify the individual. When all these identifiers are removed, the data is considered de-identified and no longer falls under the protection of HIPAA. Since it cannot be linked back to an individual, it is not considered ePHI. De-identified data is often used for research, public health purposes, and other functions where individual identification is not necessary.

  2. Employment Records
    Another significant category that does not qualify as ePHI is employment records maintained by a covered entity in its capacity as an employer. While these records might contain health-related information, they are not considered ePHI if they are kept solely for employment purposes. Examples include:

    • Records of an employee’s sick leave

    • Details of workplace injuries or worker’s compensation claims

    • Health information related to occupational health and safety programs

  3. Educational Records
    Educational records are another type of information that does not fall under ePHI, even if they contain health-related information. These records are covered by the Family Educational Rights and Privacy Act (FERPA), which governs the privacy of student education records. Examples include:

    • Immunization records required by schools

    • Records of school-based health services

    • Health information in Individualized Education Programs (IEP)

Since these records are regulated by FERPA and not HIPAA, they do not qualify as ePHI, even when stored or transmitted electronically.

  4. Health Information Not Created or Received by a Covered Entity
    Not all health-related information is ePHI. For instance, health data that is created, received, or maintained by entities that are not covered by HIPAA does not qualify as ePHI. Examples include:

    • Health information stored on personal fitness apps or wearable devices (unless they are part of a covered entity’s healthcare operations)

    • Health data shared on social media platforms

    • Personal health records maintained by individuals for their own use, without involvement of a healthcare provider or insurer

This information, although related to an individual's health, is not considered ePHI because it is not managed by a HIPAA-covered entity (such as healthcare providers, health plans, or healthcare clearinghouses) or their business associates.

  5. Non-health Related Information
    In healthcare settings, not all electronically stored information pertains to patient health. For example:

    • Financial data related to business operations that do not involve patient health information

    • Contact lists and business contracts that do not include patient details

Although these types of data may be stored electronically by healthcare entities, they do not qualify as ePHI since they do not include any PHI.

An Example of a Breach of ePHI Is...

An example of a breach involving ePHI might include a situation where a healthcare provider’s email system is hacked, and patient records containing identifiable health information are exposed. Another example could be a lost or stolen laptop containing unencrypted patient data. These breaches can lead to unauthorized access to sensitive health information, violating HIPAA regulations and potentially resulting in significant fines and reputational damage.

Summary

While electronic medical records, digital images, and electronic billing information clearly fall into ePHI categories, other kinds of information, like de-identified data, employment records, or educational files, do not.

Understanding these distinctions is critical for regulatory compliance and for managing healthcare data securely and efficiently. By correctly identifying and protecting electronic protected health information (ePHI), healthcare organizations can meet legal obligations, safeguard patient privacy, and uphold the trust that underpins healthcare delivery systems.

When in doubt about whether certain data qualifies as electronic protected health information (ePHI), consulting with an outside compliance expert or legal advisor is always recommended, so that you remain compliant with HIPAA regulations while managing and safeguarding information within your organization efficiently and safely.