What is considered ePHI?

Picture of Tim Davis

Tim Davis

Senior Cloud and Security Engineer

Share Post:


HIPAA Electronic Protected Health Information (ePHI)

Electronic protected health information or ePHI is defined in HIPAA regulation as any protected health information (PHI) that is created, stored, transmitted, or received in any electronic format or media. Some believe that only medical information is considered ePHI, however, that is not true. HIPAA regulation states that ePHI includes any of 18 distinct demographics that can be used to identify a patient. Here are some common examples of ePHI include:
  1. Name
  2. Address (including street address, city, county, or zip code)
  3. Any dates (except years) that are directly related to an individual, including birthday, date of admission or discharge, date of death, or the exact age of individuals older than 89
  4. Telephone number
  5. Fax number
  6. Email address
  7. Social Security number
  8. Medical record number
  9. Health plan beneficiary number
  10. Account number
  11. Certificate/license number
  12. Vehicle identifiers, serial numbers, or license plate numbers
  13. Device identifiers or serial numbers
  14. Web URLs
  15. IP address
  16. Biometric identifiers such as fingerprints or voice prints
  17. Full-face photos
  18. Any other unique identifying numbers, characteristics, or codes
Additionally, HIPAA sets standards for the storage and transmission of ePHI. Media used to store data includes:
  • Personal computers with internal hard drives used at work, home, or while traveling
  • External portable hard drives
  • Magnetic tape
  • Removable storage devices, including USB drives, CDs, DVDs, and SD cards
  • Smartphones and PDAs
Means of transmitting data via wifi, Ethernet, modem, DSL, or cable network connections includes:
  • Email
  • File transfers

Confidentiality, Integrity, Availability of ePHI

The HIPAA Security Rule sets specific standards for the confidentiality, integrity, and availability of ePHI. HIPAA beholden entities including health care providers (covered entities) and health care vendors/IT providers (business associates) must implement an effective HIPAA compliance program that addresses these HIPAA security requirements. These can be broken down into:
  • Confidentiality is maintaining that ePHI is not illegally disclosed without proper patient authorizations in place
  • Integrity is ensuring that ePHI that is transferred or maintained by a health care organization will not be accessed except by appropriate and authorized parties
  • Availability is allowing patients to access their ePHI in accordance with HIPAA security standards
Revion offers a uniquely designed cloud based HIPAA compliance ready hosting platform. As a result, it is built to deliver performance, reliability, and security for those in the healthcare industry. To talk to one of our HIPAA specialists, please click here:  https://www.revion.com/company/contact/

Stay Connected

More Updates

Log4j2 Vulnerability

Revion is not using Log4j2 tool for apache-tomcat, we are using default lightweight API – Java logging API — java.util.logging. Additionally, we are not exposing

Bind/DNS services upgraded

To address security vulnerability discovered in Bind 9.8.1. we have upgraded all bind dns servers to 9.8.1.-P1