Software Associates specialize in HIPAA security and compliance for Israeli medical device companies – and 2 questions always come up: “What is PHI?” and “What is electronically protected health information?”
Of course, you will have already Googled this problem and come to one conclusion or another by surfing sites like Hipaa Compliance Made Easy or the Wikipedia entry on HIPAA.
But you may ask – “Can I entrust my security and compliance implementation to Dr. Google?” And – the answer is no.
Most of the content on the Net on this topic is unclear, outdated and predate the implementation of the HIPAA Final Rule in October 2013 and many articles confuse privacy and security. Much of the content is blatantly self-serving marketing collateral for security products like this plug for a firewall product and this pitch by Checkpoint to register on their web site.
Then, there is a distinct American flavor to the Final Rule which makes it even more confusing for non-American readers who have to try and grasp why payment in cash is related to privacy. (Hint – in Europe, privacy is a fundamental human right unrelated to money).
When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan. The final omnibus rule sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of an individuals’ health information without their permission.
But – although Congress low-balled the cost to the American healthcare industry for compliance in order to get the bill approved – for all of the law’s American peculiarities, the HIPAA Final Rule is well thought out and a good example of how to use free market forces to enforce security and compliance. That however – will be a topic for another post.
For now we want to find a precise answer to the questions “What is PHI?” and “What is EPHI?”
Careful reading of the law itself clearly shows 2 things:
A. PHI (Protected health information) is health / clinical data mixed with PII (personally identifiable information, which is basically having enough information to steal someone’s identity in the US) stored and transmitted verbally or on paper.
B. EPHI (Electronic Protected health information) is PHI transmitted and/or stored electronically.
See HIPAA Administrative Simplification
Regulation Text 45 CFR Parts 160, 162, and 164
(Unofficial Version, as amended through March 26, 2013)
Notes – definitions of PHI
Electronic protected health information means information that comes within
paragraphs (1)(i) or (1)(ii) of the definition of protected health information
as specified in this section.
(1) Protected health information means individually
identifiable health information that is:
(i) Transmitted by electronic media;
(ii) Maintained in electronic media; or
(iii) Transmitted or maintained in any other form or medium.
(2) Protected health information excludes individually identifiable health
(i) In education records covered by the Family Educational Rights
and Privacy Act, as amended, 20 U.S.C. 1232g;
(ii) In records described at 20 U.S.C. 1232g(a)(4)(B)(iv);
(iii) In employment records held by a covered entity in its role as employer; and
(iv) Regarding a person who has been deceased for more than 50 years.
Individually identifiable health information is information that is a subset of
health information, including demographic information collected from an
(1) Is created or received by a health care provider, health
plan,employer, or health care clearinghouse; and
(2) Relates to the past,
present, or future physical or mental health or condition of an individual; the
provision of health care to an individual; or the past, present, or future
payment for the provision of health care to an individual; and
(i) That identifies the individual; or
(ii) With respect to which there is a reasonable basis to believe the
information can be used to identify the individual.