The terms PHI and ePHI are mentioned quite often on our blog. I've even wondered myself if I'm using the terms correctly.
This post will clarify the similarities and differences between protected health information and electronic protected health information.
As a recap, the Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law that protects the privacy and security of individuals' identifiable health information.
As we’ve previously discussed, HIPAA applies to covered entities: healthcare providers that transmit health information electronically in connection with standard transactions, health plans, and healthcare clearinghouses. It also applies to business associates of those covered entities, meaning persons or organizations that create, receive, maintain, or transmit PHI while performing functions or services on the covered entity's behalf (a billing company or a cloud hosting provider, for example).
A business associate agreement (BAA) is the written contract HIPAA requires between a covered entity and each of its business associates. It must be in place before PHI is shared with the business associate, and its absence is itself a compliance failure.
PHI stands for protected health information: individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits, in any form or medium. It covers information about an individual's past, present, or future physical or mental health, the health care provided to them, or payment for that care, whenever the information identifies the individual or could reasonably be used to do so.
PHI isn’t confined to medical records and test results. A patient's name, address, dates of service, account number, or email address is PHI whenever a covered entity or business associate holds it in connection with treatment, payment, or health care operations, even if that piece of data on its own says nothing about the patient's condition. An appointment list containing nothing but names and dates is still PHI, because it ties each person to having received care from that provider.
As a general guideline, any information that can reasonably be used to identify an individual and that is used or disclosed in the course of care or payment is PHI. Two exclusions are worth knowing: information that has been properly de-identified is no longer PHI, and records a covered entity holds purely in its role as an employer (or that fall under FERPA as education records) are outside the definition.
ePHI stands for electronic protected health information and refers to PHI that is created, stored, or transmitted in electronic form, for example in an EHR database, on a laptop or phone, in a backup, or in an email or other message crossing a network.
The HIPAA Security Rule was published in 2003, with a compliance date of April 20, 2005 for most covered entities (small health plans had until April 2006). Whereas the Privacy Rule safeguards PHI in every form, the Security Rule covers only a subset of that information.
In a nutshell, the HIPAA Security Rule applies to all individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits in electronic form, i.e. ePHI.
It should be noted that the Security Rule does not apply to PHI transmitted orally or on paper. That PHI is still protected, but by the Privacy Rule rather than by the Security Rule's safeguards.
See also: How to properly dispose of electronic PHI under HIPAA
In short, ePHI is the subset of PHI that exists in electronic form.
In addition, the HIPAA Privacy Rule governs PHI in any form (spoken, on paper, or electronic), while the HIPAA Security Rule's administrative, physical, and technical safeguards apply solely to ePHI.
One last note: protected health information sent by email is ePHI, not merely PHI, because it is transmitted over a network and stored on mail servers and devices at both ends, so the Security Rule's transmission security and access control requirements apply to it. We interchange the terms PHI and ePHI quite often on this blog when discussing topics related to HIPAA compliant email.