Cyber criminals can do so much with a snippet of patient information. In an age where patient healthcare data is digitized more and more, cyber criminals develop increasingly sophisticated techniques to intercept or compromise that sensitive information. The challenge for healthcare organizations is that this data must be protected, but it must be securely sharable at the same time to ensure that providers have access to important data to inform patient care decisions.
Protected health information (PHI) is one of the most valuable types of information targeted by cyber criminals, so it’s not surprising that attacks against healthcare organizations are increasing. For example, Fierce Healthcare reports on estimates which value patient medical records at $250 to $1,000 per record on the black market. In contrast, credit card numbers are worth an estimated $5 each, while Social Security numbers are worth an estimated $1 each.
Why is PHI so valuable? Healthcare data has a much longer shelf-life compared to financial information. “While a credit card number is easily canceled, medical records contain a treasure trove of unalterable data points, such as a patient’s medical and behavioral health history and demographics, as well as their health insurance and contact information,” explains Fierce Healthcare.
The high value of ePHI to cyber criminals, coupled with the need to readily share and access information to inform healthcare decision-making, means organizations need to increase their awareness of how they store, manage, and share PHI and detect and mitigate risk. It’s not only the right thing to do for your patients, but it’s also the law.
Let’s discuss what ePHI is, as well as real-world examples of ePHI to ensure your organization protects those who matter most: your patients.
Definition of ePHI
Electronic protected health information (ePHI) is any type of identifiable data that can tie back to a specific patient. You’re likely already familiar with PHI, which is the non-digitized form of PHI that providers have historically kept in file cabinets, forms, and folders. ePHI is any form of PHI that’s created, saved, transmitted, or received in a digital format.
Since ePHI is incredibly sensitive data, organizations processing this information have to follow HIPAA (Health Insurance Portability and Accountability Act) guidelines to keep it safe. If your organization handles ePHI in any way, you’re considered a covered entity under HIPAA. This commonly includes organizations like:
- Health insurance companies
- Primary care physicians
However, ePHI protections also kick in for any business associates of a covered entity. For example, if a hospital hires a vendor to process patient payments, that vendor has to follow ePHI guidelines, too.
Confidentiality, Integrity, and Availability of ePHI
HIPAA governs ePHI under its Security Rule, which says that all PHI — in any form — needs protection. This means organizations need to ensure:
- Confidentiality: Never disclose ePHI without patient permission.
- Integrity: Organizations must also ensure that unauthorized parties can’t access sensitive patient information.
- Availability: Allow patients to access their ePHI.
The HIPAA Privacy Rule requires that healthcare organizations give patients access to their sensitive healthcare information while also preventing unauthorized access and disclosure of PHI. However, ensuring the availability of ePHI to providers is also particularly important for healthcare organizations. Enabling healthcare providers to access the data they need, when they need it (at the point of care) can improve patient outcomes while reducing the cost of care. At the same time, it must be identified, monitored, and protected to comply with government regulations like HIPAA and corporate standards.
HIPAA Security Rule Requirements for ePHI
Aside from ensuring confidentiality, integrity, and availability, any provider who accesses ePHI also needs to follow HIPAA Security Rule safeguards.
These guidelines help organizations process ePHI in a safe, compliant manner at scale. This often includes:
- Appointing a security officer in your business: If you’re a small organization, HIPAA doesn’t require this to be a full-time role. However, the security officer does need to assess how well your organization follows ePHI security policies under HIPAA on a regular basis.
- Offering role-based access: ePHI should only be available to your employees on a need-to-know basis. Instead of granting every employee blanket access to all systems, grant it as-needed with proper justification.
- Monitoring use of ePHI: How does your organization process ePHI? Are your systems compliant? Self-audit your use of ePHI so you aren’t caught unaware. Effective monitoring means having systems in place to detect ePHI, anticipate areas of risk, and readily respond to threats should they occur.
HIPAA’s technical safeguards spell out the IT guidelines organizations need to follow to protect ePHI, which can include:
- Only granting authorized access to ePHI
- Logging activity in all systems that process ePHI
- Monitoring systems for any anomalies
- Requiring encryption
Examples of ePHI
If data can reveal the unique individual tied to that data, it counts as PHI under HIPAA. And if that data is digitized in any way, it’s ePHI.
But what types of data count as ePHI? According to HIPAA, this includes any information on healthcare treatments, payments, or patient conditions. In practice, this means these data points qualify as ePHI:
- Phone number
- License plate number
- Date of birth
- Medical records
- Financial information
- Employer information
- Patient calendar appointments
- Emailed test results
- Stored scans
- Information about their families
- Date of death
- Exact age
- Medical record numbers
- Health plan numbers
- Account numbers
- IP address
Ensure the Availability of Your ePHI — Securely
The challenge is that providers and patients are creating data all the time, and healthcare organizations are managing more ePHI than ever before. Sensitive patient information is being shared between providers, patients, third parties and applications more frequently, as the healthcare industry increasingly turns to data-driven decision-making to improve healthcare outcomes. And the 21st Century Cures Act is accelerating large-scale information sharing in the interest of improved care. Making your data securely shareable is crucial in today’s information-sharing age, yet this makes HIPAA compliance even more complicated if your organization doesn’t have complete visibility into its ePHI.
See how we reduce ePHI risk across the healthcare continuum — get a free assessment now.