electronic protected health information (ePHI)

Electronic protected health information (ePHI) is protected health information (PHI) that is produced, saved, transferred or received in an electronic form. In the United States, ePHI management is covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.

In HIPAA documentation, any organization or corporation that directly handles ePHI is referred to as a covered entity. All covered entities, including hospitals, doctors' offices and health insurance providers must abide by HIPAA Security Rule guidelines when handling ePHI. This includes ePHI data at rest as well as ePHI data in transit.

According to the HIPAA Security Rule, covered entities must ensure the confidentiality, integrity, and availability (CIA triad) of all e-PHI they create, receive, maintain or transmit. This includes identifying and protecting against reasonably anticipated threats to the security or integrity of the information.

Because the health care marketplace is so diverse, the Security Rule for ePHI is designed to be flexible and allow covered entities to implement policies, procedures and technologies that are appropriate to the entity’s size, capabilities and risk appetite. To help covered entities plan appropriately, the HIPAA Security Rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality, integrity and availability of e-PHI.

Administrative Safeguards for ePHI Security

Identify and analyze potential risks to e-PHI and implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.

Designate a security official to be responsible for developing and implementing its security policies and procedures.

Implement policies and procedures for role-based access to e-PHI.

Supervise workforce members who work with e-PHI.

Perform periodic assessments to determine how well security policies and procedures meet the requirements of the HIPAA Security Rule.

Physical Safeguards for ePHI Security

Limit physical access to facilities while still ensuring that authorized access is allowed.

Implement policies and procedures that specify proper use, transfer, removal and disposal of electronic media.

Technical Safeguards for ePHI Security

Implement technical policies and procedures that allow only authorized persons to access electronic protected health information.

Implement hardware, software and/or procedural mechanisms to log and analyze activity in information systems that contain or use e-PHI.

Implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed.

Implement technical security measures, such as encryption, that will guard against unauthorized access to e-PHI as it is being transmitted over an electronic network.