Understanding HIPAA ePHI
HIPAA regulation identifies a national set of standards meant to protect the privacy and security of protected health information (PHI). When that PHI is maintained in an electronic or digital format, that’s called electronic protected health information (ePHI). In today’s increasingly digital age, it’s more important than ever before for behavioral health specialists to understand how to work with ePHI without violating federal HIPAA regulation.
What’s HIPAA ePHI?
Under HIPAA regulation, PHI is defined as any demographic information that can be used to identify a patient. The regulation lists 18 key identifiers of demographic information that are considered PHI. Common examples of PHI include a patient’s name, date of birth, address, telephone number, medical record number, insurance ID number, Social Security number, email address, and full-face photographs, to name a few.
HIPAA ePHI is distinct from PHI because it must be a form of PHI that is stored, transferred, maintained, or accessed in an electronic format.
That means that ePHI is any PHI that is stored on a computer, hard drive, or in any kind of cloud storage system. Additionally, ePHI is any health care information that is sent or transmitted via an electronic exchange, such as email. And if PHI is accessed electronically on a computer, workstation, mobile device, or laptop, that is also considered ePHI.
Under HIPAA regulation, behavioral health professionals must implement appropriate safeguards to ensure that ePHI is kept secure. These include:
- Physical safeguards: Any measures that can be taken to protect the physical security of your office or a location where ePHI is stored. This can include door locks, alarm systems, or locked server/device cabinets.
- Technical safeguards: Any measures that can be taken to ensure the technical security of ePHI. Examples include firewalls, device encryption, network encryption, email encryption, anti-malware, or any cybersecurity initiatives.
- Administrative safeguards: Any measures that your practice can take to mitigate human error and establish administrative procedures for handling ePHI. This includes employee training, HIPAA and cyber-security training, and HIPAA policies and procedures.
Because of the rise of EHR platforms and telehealth technologies that allow for remote treatment, ePHI is at greater risk of serious data breaches than ever before if appropriate protections are not put in place. Protect your behavioral health practice from an ePHI breach with an effective HIPAA compliance program that addresses all elements of the regulation.
If you need assistance with HIPAA compliance, consider working with our TBHI affiliate, the HIPAA Compliancy Group. (When you purchase services from them, TBHI will be paid a small commission.) They can help you support your HIPAA compliance with The Guard®. The Guard is a web-based HIPAA compliance solution, built by former auditors to help simplify compliance. The Guard is built to address the HIPAA regulations, including guided walkthroughs of HIPAA Risk Assessments. With The Guard, you can focus on running your practice while keeping your patients’ data protected and secure. Compliancy Group’s team of expert Compliance Coaches® can also field questions and guide you through the implementation process, taking the stress out of managing compliance. Find out more about how Compliancy Group and the HIPAA Seal of Compliance® can help simplify your HIPAA compliance today!
Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors is their opinion and is not intended to malign any organization, company, or individual.