What is ePHI?
ePHI, which stands for electronic Protected Health Information, refers to any individually identifiable health information that is created, stored, transmitted, or maintained electronically by a covered entity or its business associates. ePHI is protected under the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. These rules mandate that covered entities and business associates implement appropriate safeguards to protect the privacy and security of ePHI.
ePHI covers a wide range of information relating to an individual’s past, present, or future physical or mental health condition, the provision of healthcare to the individual, or the past, present, or future payment for healthcare services. To count as individually identifiable, and therefore as ePHI, the data must contain one or more of the following 18 identifiers:
- Geographic subdivisions smaller than a state (e.g., street address, city, county, or ZIP code)
- All elements of dates directly related to an individual, except the year (e.g., birth date, admission date, discharge date, date of death)
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, such as fingerprints or voiceprints
- Full-face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code
If any of these identifiers are present in the health information and the information is stored or transmitted electronically, it is considered ePHI and must be protected in accordance with HIPAA regulations. De-identified health information, which has been stripped of all 18 identifiers, is not considered ePHI and is not subject to the same HIPAA requirements.
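As an added example (not from the original page), the identifier list and the de-identification rule above expressed as a small Python classifier and redactor for patient records: structured identifier fields are dropped, date fields are reduced to the year, and a few pattern-based identifiers (SSN, phone, email, IP, URL) are redacted from free text. The field names, regex patterns and sample record are assumptions constructed for illustration, not from any real system or patient.

```python
import re
from datetime import date

# Assumed field names for a record layout (constructed for this example).
# Structured fields that are themselves direct identifiers are dropped outright.
DIRECT_IDENTIFIER_FIELDS = {
    "street_address", "city", "county", "zip", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number", "vin",
    "license_plate", "device_serial", "url", "ip", "fingerprint_template", "photo",
}
# Date fields: every element except the year is an identifier, so keep only the year.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "date_of_death"}

# Patterns that catch identifiers leaking inside free-text fields such as clinical notes.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
}

def deidentify(record: dict) -> tuple[dict, list[str]]:
    """Return a copy of `record` with the listed identifiers removed, plus what was removed."""
    cleaned, removed = {}, []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            removed.append(field)
        elif field in DATE_FIELDS and value is not None:
            d = value if isinstance(value, date) else date.fromisoformat(value)
            cleaned[field + "_year"] = d.year  # retain only the calendar year
            removed.append(field)
        elif isinstance(value, str):
            text = value
            for name, pattern in FREE_TEXT_PATTERNS.items():
                if pattern.search(text):
                    removed.append(f"{field}:{name}")
                    text = pattern.sub(f"[{name.upper()} REDACTED]", text)
            cleaned[field] = text
        else:
            cleaned[field] = value
    return cleaned, removed

def is_ephi(record: dict) -> bool:
    """True if the record still carries at least one of the listed identifiers."""
    return bool(deidentify(record)[1])

# Constructed sample record (not real patient data).
SAMPLE = {
    "mrn": "MRN-000123", "birth_date": "1980-05-17", "zip": "02139",
    "diagnosis": "Type 2 diabetes",
    "note": "Patient reachable at 617-555-0142 or pat@example.org before discharge.",
}
```

Running `deidentify(SAMPLE)` leaves the diagnosis and the birth year while dropping the MRN and ZIP and redacting the phone number and email in the note; `is_ephi` on the cleaned copy returns False.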