According to the Department of Health and Human Services (HHS), the U.S. didn’t have an accepted national standard for securing healthcare information before 1996. Electronic Protected Health Information (ePHI) was far less common, and most efforts to protect sensitive patient information were company-specific initiatives.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was the first federal standard in the United States for protecting sensitive healthcare information. HIPAA covers both digital information — called Electronic Protected Health Information (ePHI) — and sensitive information in non-digital formats.
Lawmakers realized that technology would rapidly develop in the healthcare sector, so they passed HIPAA to ensure patient data remained under lock and key in an age of increasing access.
But with the increasing digitization of healthcare — particularly through telehealth — it’s becoming harder for providers to lock down every snippet of patient data in a digital-first care environment.
HIPAA compliance is a serious challenge for healthcare providers. If you fail to secure HIPAA-covered information, you risk losing your credibility and patients, and you may face penalties, fines, and legal action. Above all, the most serious consequence is that if ePHI is not secure, patient safety is at risk. To complicate matters further, healthcare providers increasingly rely on the ability to share and access patient information. That means balancing the need for shareability with the need to protect sensitive patient information.
- What is ePHI?
- What is Not ePHI?
- The Evolution of ePHI
- HIPAA’s ePHI Requirements
- How to Comply with HIPAA’s ePHI Requirements
- The Expanding Attack Surface Poses ePHI Security Challenges
- Reduce ePHI Overwhelm with Tausight
What is ePHI?
Protected Health Information (PHI) is any piece of healthcare data that can identify a specific patient. If you digitize this information in any way, it’s called Electronic Protected Health Information (ePHI). This includes patient data in formats like:
- Digital medical reports or scans
- Calendar appointments
- Telehealth platforms
ePHI isn’t just patient diagnoses, prescriptions, or treatment plans. It is any identifying piece of information, which can include:
- Dates of treatment
- Date of death
- Phone number
- IP address
- Social security number
- Driver’s license number
HIPAA requires that all PHI and ePHI are adequately protected due to the sensitive nature of the information.
What is Not ePHI?
HIPAA doesn’t apply if you strip the data of all identifying information. For example, you may be able to anonymize and aggregate diagnostic data for case studies or research purposes, as long as the information can’t be used to identify your patients.
Other types of data not considered ePHI include:
- Employee records (even if they contain health-related information such as employees’ vaccination status). “Most of the information contained in an employer’s personnel files and records is not PHI,” explains labor and employment attorney Mark Neuberger of Foley & Lardner LLP in an interview published by the Society for Human Resource Management (SHRM). “The regulations state ‘Protected health information excludes individually identifiable health information…in employment records held by a covered entity in its role as an employer.’ Thus, even the information held in employment records by healthcare institutions is generally not governed by HIPAA.”
- Education records often contain health information such as students’ disabilities, vaccination history, medications, and allergies, but these records are not considered ePHI. As Compliancy Group explains, “The HIPAA Privacy Rule expressly excludes ‘education record’ and ‘treatment records’ of eligible students under FERPA [Family Educational Rights and Privacy Act], from the HIPAA Privacy Rule’s definition of protected health information (PHI). Education and treatment records of eligible students under FERPA are also excluded from the HIPAA Security Rule’s coverage of electronic protected health information (ePHI).”
- Health data that’s not shared with a covered entity or business associate. HIPAA only applies to PHI and ePHI that is shared with an entity subject to HIPAA regulations. “Health information is increasingly being collected by a wide range of apps and consumer devices. In many cases, the types of data collected by these apps and devices are the same as those collected and used by healthcare organizations,” HIPAA Journal explains. “While healthcare organizations are required to implement safeguards to ensure the confidentiality, integrity, and availability of health information and uses and disclosures of that information are restricted, the same rules do not cover the data if the information is collected by other entities.”
- Health data not linked to personally identifiable information (PII). According to HHS.gov, “Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information.” Blood sugar levels, blood pressure readings, or heart rate readings are not considered PHI or ePHI when they’re not linked to any information that could identify the patient.
The Evolution of ePHI
While industries like finance, manufacturing, and travel embraced digital transformation in the late 20th century, the healthcare industry has lagged behind. The need for stringent security to protect sensitive patient data, the reliance on legacy systems, and regulatory concerns, along with a lack of cybersecurity expertise, led many organizations to delay complete transformation.
Many healthcare organizations were already taking steps, albeit slowly, to switch to Electronic Medical Records (EMRs) or Electronic Health Records (EHRs). However, the tide really began to turn with the enactment of the 2009 American Recovery and Reinvestment Act (ARRA) and Health Information Technology for Economic and Clinical Health (HITECH) Act.
The HITECH Act offered incentives to healthcare organizations that achieved Meaningful Use (MU) of Health Information Technology (HIT) by 2014, resulting in a rush to adopt qualifying EHR systems. This incentive program, called the Electronic Health Record Incentive Program or EHR Incentive Program, was administered by the Centers for Medicare and Medicaid Services (CMS) and became known as the Meaningful Use program. (The program was overhauled and renamed in 2018 as the Medicare and Medicaid Promoting Interoperability Programs.)
Beginning January 1, 2015, healthcare organizations that did not adopt EHRs and achieve Meaningful Use were subject to a 1% decrease in Medicare reimbursements.
Naturally, this spurred significant growth in EHR adoption. Protected Health Information once stored in voluminous paper-based patient records was converted to ePHI. One 2017 study found that 3.2% of hospitals eligible for incentives had adopted EHRs in the three years prior to the enactment of the HITECH Act and the Meaningful Use program, increasing to 14.2% in the five years after the law was passed. In comparison, ineligible hospitals’ EHR adoption grew at a much smaller rate, from 0.1% in the year prior to the law’s enactment to 3.3% afterward.
“In data from 2019 and 2021, 86% of non-Federal general acute care hospitals had adopted a 2015 Edition certified electronic health record (EHR),” HealthIT.gov reports. “In contrast, only 40% of rehabilitation hospitals and 23% of specialty hospitals had adopted a 2015 Edition certified EHR.”
Other data from HealthIT.gov shows that 72% of office-based physicians and 96% of non-federal acute care hospitals had adopted a certified EHR by 2019. In comparison, just 59% of hospitals and 48% of physicians had adopted a basic EHR with clinician notes in 2013. Large hospitals were more likely to adopt certified EHRs: by 2019, 99% of large hospitals had adopted a certified EHR, compared to 93% of small rural and critical access hospitals, according to EHR in Practice.
Between 2008 and 2017, office-based physician adoption of any EHRs more than doubled, from 42% to 86%, and 80% of office-based physicians had adopted a certified EHR.
Focus on Interoperability
The focus then shifted to interoperability, or the ability of disparate software systems to exchange information. Interoperability is necessary to achieve one of the primary goals of EHRs: to create an electronic record of a patient’s complete health history, rather than a single record specific to one provider (these provider-specific electronic records are called EMRs).
When patient data is shareable between systems, providers can readily access information from other healthcare providers for a more complete picture of the patient’s health history and make data-informed clinical decisions. Interoperability isn’t as simple to implement in practice, however. HIPAA’s rules mean that stringent safeguards must be implemented to protect ePHI while in transit and also prevent unauthorized access.
Further complicating matters is the lack of standardization among EHR systems and other technology solutions used by healthcare organizations, which is one of the biggest barriers to interoperability. “For two EHR systems to be truly interoperable, they must be able to exchange and then use the data,” explains Miriam Reisman in a 2017 article published in Pharmacy & Therapeutics. “For this to occur, the message transmitted must contain standardized coded data so that the receiving system can interpret it.”
While full standardization is still on the horizon, efforts have been made to create a set of industry standards to support interoperability. Health Level 7 (HL7) can be traced back to the late 1980s and has since gone through several iterations, ultimately evolving into FHIR in version 4. According to HealthTech, 95% of U.S. healthcare organizations were using HL7 V2 (Version 2) in 2021. It’s used by healthcare organizations in 35 countries around the world, and efforts to develop a fully functional standard for the modern era continue.
The Impact of COVID-19
In 2020, the emergence of the COVID-19 pandemic led to a sudden and widespread shift to telehealth services. According to McKinsey, telehealth use increased from under 1% of visits to up to 80% of visits in areas where COVID-19 was prevalent during the first peak of the pandemic in March to April 2020. As of July 2021, telehealth utilization stabilized at 38 times higher than pre-pandemic utilization.
Utilization of telehealth also increased substantially among Medicare recipients. According to a December 2021 report from the U.S. Department of Health and Human Services, Medicare telehealth utilization increased by 63x from 2019 to 2020.
Providing telehealth services meant sharing ePHI over third-party services such as videoconferencing platforms, phone networks, and email services. Some of these tools offered HIPAA-compliant solutions, but others did not.
For healthcare organizations that already offered telehealth services and had HIPAA-compliant systems in place, the transition was smooth. But that wasn’t the case for every healthcare organization, and the need for accessible telehealth services was paramount.
In response, and to ensure access to healthcare services during a public health emergency, the Department of Health and Human Services (HHS) lessened some restrictions and announced that it would “not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered healthcare providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”
While the world is recovering from the COVID-19 pandemic, increased telehealth utilization remains. The healthcare delivery challenges faced during the COVID-19 pandemic — including the shift to telehealth to ensure access to care and maintain patient safety and the HIPAA compliance obstacles it introduced — heightened the need for secure shareability for ePHI.
HIPAA’s ePHI Requirements
HIPAA treats ePHI and PHI as the same thing in terms of security requirements — organizations must take appropriate steps to secure this sensitive patient information in any form. However, ePHI is more easily shared in the digital world, requiring security measures designed for the digital world, such as secure backups and encryption.
While shareability is necessary to support quality patient care, ePHI is a frequent target of data breaches and theft. Organizations need more ePHI safeguards to satisfy HIPAA standards while also ensuring that ePHI is securely shareable.
If you process PHI or ePHI in any way, you’re considered a covered entity that must comply with HIPAA. This typically includes:
- Mental health providers
- Nursing homes
- Insurance companies
You also must comply with HIPAA if you’re a business associate of a covered entity. For example, if you’re an accountant, lawyer, or IT provider for a covered entity that has access to patient data, you need to ensure HIPAA compliance.
HIPAA rules can be complex, but generally speaking, ePHI is protected under the HIPAA Security Rule. Let’s take a look at HIPAA’s rules and how they affect your organization’s approach to ePHI.
ePHI Protections Under the HIPAA Security Rule
ePHI protections generally fall under the HIPAA Security Rule, which requires organizations to lock down ePHI with three types of safeguards: technical, administrative, and physical.
Technical ePHI Safeguards
HIPAA prescribes technical safeguards that organizations should follow to protect ePHI. These requirements typically include best practices such as:
- Unique accounts for every employee
- Multi-factor authentication
- Strong passwords
The HIPAA Security Rule also requires that you disclose patient information on a “minimum necessary access” basis. For example, it isn’t necessary to disclose a patient’s complete medical history just to process a credit card payment. This ensures that you use the minimum amount of patient data required to perform your job, and you don’t have access to ePHI that you don’t need to complete your tasks.
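As an added illustration (not code from the original article or from Tausight), the following Python sketch puts two of the controls discussed above into code: a "minimum necessary" view that returns only the fields a given purpose needs (the payment-processing example), and a de-identification step of the kind described under "What is Not ePHI?" that strips the identifiers the article lists before data is aggregated for research. The record, field names, and purposes are constructed assumptions, and the de-identification shown is illustrative rather than a complete implementation of the regulation's de-identification standard.

```python
from copy import deepcopy
from typing import Any

# Constructed sample ePHI record (fictitious patient; every value is invented).
SAMPLE_RECORD: dict[str, Any] = {
    "patient_id": "P-000123",
    "name": "Jane Q. Public",
    "date_of_birth": "1980-04-12",
    "phone": "555-0100",
    "ip_address": "203.0.113.7",
    "ssn": "000-00-0000",
    "drivers_license": "D1234567",
    "dates_of_treatment": ["2022-03-01", "2022-03-15"],
    "date_of_death": None,
    "diagnoses": ["E11.9"],
    "medications": ["metformin"],
    "billing": {"last4": "4242", "amount_due": 120.0, "invoice_id": "INV-77"},
}

# Minimum-necessary policy: the top-level fields each purpose may see.
# The purposes and field sets are assumptions made for this example.
MINIMUM_NECESSARY_POLICY: dict[str, frozenset[str]] = {
    "payment_processing": frozenset({"patient_id", "name", "billing"}),
    "treatment": frozenset({"patient_id", "name", "date_of_birth",
                            "dates_of_treatment", "diagnoses", "medications"}),
    "appointment_scheduling": frozenset({"patient_id", "name", "phone"}),
}

# Direct identifiers named in the article (phone, IP address, SSN, driver's
# license) plus the obvious name/ID fields of this constructed record.
DIRECT_IDENTIFIERS = frozenset(
    {"patient_id", "name", "phone", "ip_address", "ssn", "drivers_license"})
# Date fields the article names as identifying; they are generalized, not kept.
DATE_FIELDS = frozenset({"date_of_birth", "dates_of_treatment", "date_of_death"})
# Fields a research extract does not need at all (minimum necessary again).
NOT_NEEDED_FOR_RESEARCH = frozenset({"billing"})


def minimum_necessary_view(record: dict[str, Any], purpose: str) -> dict[str, Any]:
    """Return a copy of record holding only the fields allowed for purpose.
    Unknown purposes are refused (deny by default) instead of getting the full record."""
    try:
        allowed = MINIMUM_NECESSARY_POLICY[purpose]
    except KeyError:
        raise PermissionError(f"no minimum-necessary policy for purpose {purpose!r}") from None
    return {k: deepcopy(v) for k, v in record.items() if k in allowed}


def _year_only(value):
    """Generalize an ISO date, or a list of them, to the year; None stays None."""
    if value is None:
        return None
    if isinstance(value, list):
        return [_year_only(v) for v in value]
    return value[:4]


def deidentify(record: dict[str, Any]) -> dict[str, Any]:
    """Drop direct identifiers and unneeded fields, reduce dates to the year.
    Assumption for this example: a bare year is treated as non-identifying."""
    out: dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in NOT_NEEDED_FOR_RESEARCH:
            continue
        out[key] = _year_only(value) if key in DATE_FIELDS else deepcopy(value)
    return out


def contains_identifier(record: dict[str, Any]) -> bool:
    """Release gate: True if any direct identifier field is still present."""
    return any(k in DIRECT_IDENTIFIERS for k in record)


if __name__ == "__main__":
    print(minimum_necessary_view(SAMPLE_RECORD, "payment_processing"))
    print(deidentify(SAMPLE_RECORD))
```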
Administrative ePHI Safeguards
On an administrative level, HIPAA requires organizations to ensure all employees follow HIPAA requirements. This includes:
- Instating a Security Officer
- Training employees on security and documenting your training
- Internally auditing your compliance
What Does the HIPAA Privacy Rule Mean for ePHI?
The Security Rule prescribes how organizations should protect ePHI. But the Privacy Rule explicitly says providers can’t expose this data — they can only use patient information for the purpose of giving medical treatments or processing payments. The Privacy Rule requires organizations to:
- Document privacy policies
- Tell patients how you’ll use their information
- Provide all ePHI to patients within 30 days of their request for it
The Privacy Rule is tricky because this requires providers to give patients access to their data if they ask for it — but also prevent that data from unauthorized access. It’s a balancing act that requires both security and selective disclosure.
Healthcare organizations and providers increasingly rely on information sharing to make data-informed care decisions and improve patient outcomes. Providers must be able to share data securely for legitimate uses with authorized entities, such as other providers or health insurers.
It’s also imperative that providers can readily access data securely when they need it, such as at the point of care. While this is true in all healthcare settings, it’s especially crucial in urgent or emergency care when providers often have minutes or even seconds to make decisions. For example, without having access to a patient’s medical history, providers may be unaware of the patient’s underlying conditions or the medications they’re taking. The provider may then prescribe a treatment that’s contraindicated due to the patient’s underlying conditions or other medications. In cases like this, providers’ inability to access ePHI at the point of care increases the risk of negative interactions and adverse events.
HIPAA Breach Notification Rule
While breach notifications can hurt an organization’s reputation, this rule is designed to foster transparency between healthcare providers and the public. Even if you experienced a data breach, the HIPAA Breach Notification Rule requires you to disclose it.
This rule tells organizations who they’re supposed to inform in the event of a breach, as well as a timeline for that notification. In addition to notifying the Secretary of HHS of the breach, your organization may need to notify patients as well as the media that ePHI may have been compromised.
HIPAA Enforcement Rule
Since HIPAA fines range from $100 to $50,000 per incident, it’s crucial to understand how the HIPAA Enforcement Rule can affect your business.
The HIPAA Enforcement Rule created procedures for investigators as well as HIPAA penalties. The HHS Office for Civil Rights (OCR) investigates all HIPAA violations. From 2003 to 2022, the HHS received well over 300,000 HIPAA complaints and investigated over 40,000 of them.
The primary purpose of the Enforcement Rule is to ensure organizations take HIPAA seriously and that breaches don’t happen again. It’s up to the OCR to issue penalties and fines at their discretion based on the severity of the breach.
Most violations come from hospitals, private practices, and pharmacies that improperly disclose PHI or ePHI, have zero security safeguards, or didn’t give patients ePHI upon request.
How To Ensure ePHI Compliance
With the increasing digitization of healthcare, it’s never been more challenging for providers to secure ePHI. “In 2018, healthcare data breaches of 500 or more records were being reported at a rate of around 1 per day,” according to HIPAA Journal. “Fast forward 4 years and the rate has doubled. In 2021, an average of 1.95 healthcare data breaches of 500 or more records were reported each day.”
Complying with HIPAA guidelines benefits your organization (and your patients) in several ways. In addition to avoiding fines and penalties, compliance helps protect your organization’s reputation. It also helps your organization protect patient data and avoid threats to patient safety. Every organization is different, but these measures can help you comply with HIPAA’s ePHI rules.
Follow the NIST Cybersecurity Framework
The National Institute of Standards and Technology (NIST) provides a comprehensive framework for bolstering your IT security, known as the NIST Cybersecurity Framework.
Keep in mind that NIST doesn’t guarantee HIPAA compliance. However, following the NIST Cybersecurity Framework can help you implement the appropriate security measures to secure ePHI and achieve compliance with not only HIPAA but other regulations as well. NIST maps all elements of the HIPAA Security Rule to subcategories and controls in the Cybersecurity Framework in a 2022 draft revision. Note that this NIST guidance is in draft, and the comment period has been extended to October 5, 2022 (originally September 21, 2022).
Conduct a Risk Assessment
How much risk does your organization have? Conduct an ePHI risk assessment to look at your organization’s size and complexity as well as the hardware and software you use.
A solid risk assessment will find vulnerabilities in how you process ePHI across the healthcare continuum. From there, you can tackle your vulnerabilities to build an infrastructure that’s as impenetrable as possible.
If you’re transferring patient data from one system to another, malicious parties may intercept and access that data while it’s en route. That’s why your organization needs to encrypt data both at rest and in transit.
Encryption scrambles data during storage and transmission, so even if a malicious agent intercepts it, they can’t understand what the data says. Encryption is ideal for communicating with patients or accessing patient data in an online portal.
Conduct Security Awareness Training
Security awareness training is a best practice for any business, but it’s especially valuable for healthcare. Consider training your employees on:
- How to spot phishing emails and malicious links
- How to escalate issues to IT if they see something suspicious
- How social engineering hacks work
- Why they should never use public Wi-Fi to handle ePHI
- Your corporate policies and HIPAA policies for IT security
Be sure to conduct security training when you hire new team members and on an annual basis for all employees. You may need to hold training more frequently if you change something in your system, introduce new policies, or a new threat emerges.
Hold Third-party Vendors Accountable
Healthcare organizations rely heavily on third-party vendors. Every time you share access with another party, you open yourself up to additional risks. In fact, according to HIPAA Journal, 55% of healthcare organizations experienced a third-party data breach within the past year. And as of August 2022, several significant attacks have targeted vendors used by healthcare organizations. One such attack affected 600 of the vendor’s HIPAA-covered entity clients.
Business associate agreements (BAA) are contracts designed to ensure that the third-party vendor will appropriately safeguard ePHI. If the vendor uses or discloses ePHI in a manner not authorized in the BAA or in violation of HIPAA, the vendor is liable and subject to civil (and possibly criminal) penalties.
Make it a habit to check the level of access you grant to business associates. For example, does your payment processing company have access to patients’ ePHI that isn’t necessary for processing payments? Or did you terminate an agreement with a vendor who still has access to your systems? Clean house to ensure that vendors have as little access to ePHI as possible.
You may also want to audit your business associates periodically to ensure that they continue to meet the standards required by you and the HIPAA Security Rule. A growing number of organizations require business associates to complete a HITRUST CSF audit for third-party verification that the vendor meets the necessary standards.
Apply Situational ePHI Awareness
In order to adequately secure ePHI, you have to know how it’s being created, copied, stored, moved, and shared, not just within your organization but between providers, patients, third parties, and applications.
Tausight makes it easy for healthcare organizations to automate their ePHI detection and compliance. Tausight is built specifically for clinical workflows, using machine learning (ML) and natural language processing (NLP) to detect, track, and analyze ePHI activity on any endpoint devices in the care continuum.
Don’t lose sight of ePHI. Tausight’s Situational PHI Awareness Platform automates your ePHI detection and analysis to give your security and compliance teams the tools they need to protect ePHI and ensure compliance in the information-sharing age. Tausight’s unique forensic audit trail is a particularly valuable benefit if or when a healthcare organization experiences a data breach.
Make a Disaster Recovery Plan
How will your organization recover from ransomware or a data breach? A disaster recovery plan gives your organization a playbook when the unthinkable happens. Not only will this increase your resiliency, but it can ensure ePHI stays protected during an emergency.
Create disaster plans for multiple scenarios and revisit them over time so you know that they’re realistic. In fact, it’s best to drill your disaster recovery plans at least twice a year so you know they work.
Update and Patch Software
Outdated software is a goldmine for hackers. If your organization is running old software or devices, it could make your ePHI vulnerable to a breach. Automate updates and patches as soon as they’re available. This will remove known vulnerabilities in your infrastructure as well as improve speed and efficiency, so it’s a win for employees and patients, too.
Plan for Insider Threats
It’s an unfortunate reality, but insider threats are possible in healthcare. Whether it’s accidental or malicious, your employees are potential liabilities, too.
For example, your employees might feel tempted to access the sensitive information of high-profile patients. This happened during the Jussie Smollett case, when healthcare workers accessed Smollett’s medical records without consent. Training and a HIPAA-minded culture can help to prevent these threats, but this is why it’s so critical to do internal audits.
Organizations should also immediately revoke access for employees who leave the organization. This significantly reduces the odds of a disgruntled ex-employee releasing ePHI without consent.
The Expanding Attack Surface Poses ePHI Security Challenges
The push towards nationwide sharing of electronic health information, the rise in remote working, and an increase in telehealth and distributed care are expanding the cybersecurity attack surface for healthcare organizations. Endpoints are now beyond the firewall, creating a new security perimeter.
Traditional solutions aim to secure ePHI by locking it inside the firewall, but these solutions don’t rise to the challenge in today’s healthcare ecosystem. Today’s healthcare organizations need the ability to share information inside and outside the organization while keeping ePHI secure. That’s where Situational ePHI Awareness (SePHIA) comes in.
Situational ePHI Awareness is knowing where and when ePHI is created, received, maintained, processed and transmitted, and having the confidence (and evidence) that it is secured and well managed to minimize risk and exposure for your patients and organization.
Reduce ePHI Overwhelm with Tausight
HIPAA rules are complicated and overwhelming, especially for large healthcare organizations with so many endpoints extended far beyond the traditional brick and mortar care setting.
There are penalties for improper use of ePHI, so everyone in your organization needs to protect patient data. At the same time, ePHI must be accessible by clinicians and others who require access. It must also be shareable among providers and other authorized entities to inform clinical decision-making, improve the quality of patient care, and improve healthcare outcomes.
This is no small task at scale, and that’s where Tausight comes in. Tausight is a situational ePHI awareness platform that provides real-time visibility into structured and unstructured ePHI and activity across all endpoints and servers in your healthcare ecosystem. The result is stronger PHI protection, improved patient safety, improved compliance, and faster recovery from cybersecurity incidents should they occur.
We reduce ePHI risk across the healthcare continuum to help providers stay compliant. Learn more about Tausight’s Situational ePHI Awareness today.