Under HIPAA, any information that can be used to identify a patient is considered Protected Health Information (PHI). PHI in electronic form — such as a digital copy of a medical report — is electronic PHI, or ePHI. Although HIPAA has the same confidentiality requirements for all PHI, the ease with which ePHI can be copied and transmitted requires special safeguards to prevent breaches.
What is PHI? Anything related to health, treatment or billing that could identify a patient is PHI. This includes:
Under the HIPAA Privacy Rule, PHI can generally only be used to furnish medical services and process payments. There are also a few special cases when PHI must be disclosed, such as under a court-ordered warrant. Medical information that has been de-identified — stripped of all identifying information — is no longer subject to the HIPAA Privacy Rule, and can be used for other purposes, such as case studies.
The HIPAA Security Rule governs how PHI protected. Its Technical Safeguards play a central role in protecting HIPAA ePHI through access control. Many of these safeguards are security best practices, including:
Providers needs to protect ePHI anywhere it goes, using client-side encryption. Encryption scrambles data so that it can only be deciphered by an authorized user, using a string of data called the key. This ensures that, if a malicious actor intercepts the data, they will not be able to read it.
By using encryption to protect all ePHI including communications with patients, business associates and other healthcare providers, organizations can greatly reduce the chance of a HIPAA breach.
Although Technical Safeguards are central to securing ePHI, Physical Safeguards (protecting workstations) and Administrative Safeguards (training and auditing) also play a crucial role. Organizations should use a complete HIPAA compliance checklist that protects patient confidentiality everywhere — not just in the cloud.
Healthcare portals are a common way to communicate with patients. Unfortunately, they are complex and inconvenient, and providers have struggled to convince patients to use them. This undermines efforts to meet HITECH compliance meaningful use requirements, and undermines healthcare data security.
HIPAA compliant email from Virtru allows patients and professionals to communicate securely using their own email accounts, improving security and helping organizations meet meaningful use goals.
Virtru provides military-grade encryption with consumer-grade ease-of-use. The application automatically manages encryption keys, allowing users to encrypt email attachments and messages with a single click.
Virtru provides several options for protecting patients' ePHI:
Book a demo today to see how Virtru can provide a HIPAA ePHI solution, safeguarding patient data in the cloud, and watch the video below to see how Virtru safeguards ePHI.