What is the difference between PHI and ePHI?

Protected health information (PHI) is individually identifiable health information that is created, received, maintained, or transmitted by a HIPAA Covered Entity or Business Associate in any form or medium. Electronic protected health information (ePHI) is the subset of PHI that is created, received, maintained, or transmitted in electronic form, and it is the only form of PHI subject to the administrative, physical, and technical safeguard requirements of the HIPAA Security Rule.

PHI includes information that relates to an individual’s past, present, or future physical or mental health condition, the provision of health care, or payment for health care, when the information identifies the individual or there is a reasonable basis to believe it can be used to identify the individual. PHI can exist in paper records, verbal communications, images, and electronic systems. PHI does not include certain employment records held by an employer in its role as employer, and it does not include education records covered by the Family Educational Rights and Privacy Act.

ePHI is PHI in electronic form, including data stored in electronic health record systems, billing systems, email systems, file shares, cloud storage, mobile devices, backups, and other electronic media. ePHI includes electronic transmissions such as email, messaging, electronic data interchange, application interfaces, and remote access sessions when the transmitted content contains PHI.

The HIPAA Privacy Rule governs permitted uses and disclosures of PHI and establishes individual rights, including rights to access and amend records and to receive an accounting of disclosures in certain cases. The HIPAA Breach Notification Rule applies to unsecured PHI, including unsecured ePHI, and sets notification obligations for covered entities and business associates when a reportable breach occurs.

The HIPAA Security Rule applies only to ePHI and requires covered entities and business associates to implement reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI. These safeguards include workforce access management, risk analysis and risk management, facility and workstation controls, device and media controls, access controls, audit controls, integrity controls, and transmission security.

Whether the same information is PHI alone or also ePHI depends on the medium in which it exists. A printed clinical summary is PHI, and the same summary stored in a patient portal database is ePHI. When the same information exists in multiple media, the organization must apply HIPAA Privacy Rule requirements to all forms and apply HIPAA Security Rule safeguards to the electronic instances.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]