
HOSPITAL Information: What is ePHI (electronic protected health information)?

September, 2012 ___________________________________________________________________________

Hospitals and other healthcare-related entities that are subject to HIPAA regulations need to adhere to additional regulations because of technology, says Dennis Stewart of Streamline Savings in Florida. According to the US Department of Health and Human Services (HHS), electronic protected health information (ePHI) is any protected health information (PHI) that is created, stored, transmitted, or received electronically. All protected health information is subject to federal Health Insurance Portability and Accountability Act (HIPAA) regulation. PHI is any information that identifies an individual (usually a patient) and relates to at least one of the following:

o The individual's past, present, or future physical or mental health
o The provision of health care to the individual
o Past, present, or future payment for health care

Information that can identify an individual includes either the individual's name or any other information that could enable someone to determine the individual's identity. Data are "individually identifiable" if they include any of the 18 types of identifiers for an individual or for the individual's employer or family member, or if the provider or researcher is aware that the information could be used, either alone or in combination with other information, to identify an individual. These identifiers are:

o Name
o Address
o All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death, and exact age if over 89)
o Telephone numbers
o FAX number
o Email address
o Social Security number
o Medical record number
o Health plan beneficiary number
o Account number
o Certificate/license number
o Any vehicle or other device serial number
o Device identifiers or serial numbers
o Web URL
o IP address
o Finger or voice prints
o Photographic images
o Any other characteristic that could uniquely identify the individual

In research, it is often sufficient to make the information more general (instead of being removed altogether) for deidentification (e.g., by replacing the birth date with an age range).
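The following is an added example, not code from the original newsletter, showing how a record can be de-identified in the way just described: the direct identifiers from the list above are dropped, dates are reduced to the year, and the birth date is replaced by an age range with ages over 89 pooled. The field names and the two sample records are constructed for this example.

```python
from datetime import date

# Field names are assumptions for this example; map them onto your own schema.
DIRECT_IDENTIFIERS = {
    "name", "address", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_serial", "device_serial",
    "url", "ip_address", "biometric", "photo",
}
DATE_FIELDS = {"admission_date", "discharge_date", "date_of_death"}
AS_OF = date(2012, 9, 30)  # reference date used to compute ages

def age_band(birth_date: date, as_of: date = AS_OF) -> str:
    """Generalize a birth date to a 10-year age range; ages over 89 are pooled."""
    age = as_of.year - birth_date.year - (
        (as_of.month, as_of.day) < (birth_date.month, birth_date.day))
    if age > 89:
        return "90+"
    low = age // 10 * 10
    return f"{low}-{low + 9}"

def deidentify(record: dict, as_of: date = AS_OF) -> dict:
    """Return a copy of record with the listed identifiers dropped or generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                        # direct identifiers are removed outright
        if key == "birth_date":
            out["age_range"] = age_band(value, as_of)
        elif key in DATE_FIELDS and value is not None:
            out[key] = str(value.year)      # only the year of a date may remain
        elif key == "age":
            out[key] = "90+" if value > 89 else value
        else:
            out[key] = value                # clinical content is kept
    return out

# Constructed, fictitious sample records.
SAMPLES = [
    {"name": "Jane Example", "mrn": "MRN-000001", "ssn": "000-00-0000",
     "email": "jane@example.invalid", "ip_address": "192.0.2.10",
     "birth_date": date(1920, 5, 1), "admission_date": date(2012, 9, 3),
     "discharge_date": date(2012, 9, 7), "date_of_death": None,
     "diagnosis": "type 2 diabetes", "prescription": "metformin 500 mg"},
    {"name": "John Example", "phone": "555-0100", "birth_date": date(1975, 10, 15),
     "admission_date": date(2012, 8, 20), "diagnosis": "hypertension"},
]

def demo() -> list:
    return [deidentify(r) for r in SAMPLES]
```

Calling demo() returns both records with only the year of each date, an age range in place of the birth date, and the clinical fields untouched.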


Electronic protected health information (ePHI) includes any medium used to store, transmit, or receive PHI electronically. The following and any future technologies used for accessing, transmitting, or receiving PHI electronically are covered by the HIPAA Security Rule:

Media containing data at rest (storage):

  o Personal computers with their internal hard drives used at work, home, or traveling
  o External portable hard drives, including iPods and similar devices
  o Magnetic tape
  o Removable storage devices, such as USB memory sticks, CDs, DVDs, and floppy disks
  o PDAs and smartphones

Data in transit, via wireless, Ethernet, modem, DSL, or cable network connections:

  o Email
  o File transfer

ENFORCEMENT PENALTIES: Hospitals and other health care facilities need to consider recent enforcement penalties for HIPAA violations. HHS is very serious about failures to take the necessary steps to comply with certain requirements of the HIPAA Security Rule, such as conducting a thorough analysis of the risk to the confidentiality of electronic protected health information (ePHI) maintained on portable devices, and implementing security measures sufficient to ensure the confidentiality of ePHI, reports Dennis Stewart of Streamline Savings in Florida. ALL health care providers and other HIPAA-covered entities need to adhere to the ePHI standards, because the recent settlements are the latest signal of the scrutiny HHS is applying to health care providers and other covered entities. HHS is looking at all reported failures to adequately implement and administer appropriate HIPAA compliance practices, including those for ePHI, adds Stewart. (What is ePHI? See the definition above.) Recently a group in Massachusetts paid HHS $1.5 million to settle potential HIPAA violations, including violations involving ePHI. The Resolution Agreement settled charges that resulted from an OCR investigation commenced in response to a HIPAA breach report confirming the theft of an unencrypted personal laptop containing the ePHI of the group's patients and research subjects. The laptop information included patient prescriptions and clinical information. Included in the resolution was an agreement to take a series of corrective actions to confirm compliance with the Security Rule for ePHI. In June 2012, the Alaska Department of Health and Social Services (DHSS) agreed to pay HHS $1,700,000 to settle similar HIPAA violations. Alaska DHSS has also agreed to take corrective action to properly safeguard the electronic protected health information (ePHI) of its Medicaid beneficiaries. The HHS Office for Civil Rights (OCR) began its investigation following a breach report submitted by Alaska DHSS as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The report indicated that a portable electronic storage device (a USB hard drive) possibly containing ePHI was stolen from the vehicle of a DHSS employee. OCR found that DHSS did not have adequate policies and procedures in place to safeguard ePHI, and that DHSS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the HIPAA Security Rule.

Blue Cross Blue Shield of Tennessee (BCBST) recently paid $1,500,000 to resolve charges of HIPAA violations. "The case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules," said Leon Rodriguez, director of OCR. "We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity." What exactly is required? The bottom line is that HHS is going to require hospitals and all other covered entities to assess the risk to the confidentiality of ePHI maintained on portable devices, and to implement security measures sufficient to ensure the confidentiality of all ePHI that is created, maintained, and transmitted using these portable devices. This will require adopting and implementing policies and procedures that restrict access to ePHI to authorized users of portable devices, and adopting and implementing policies and procedures that address security incident identification, reporting, and response. Larger organizations need to pay particular attention because of the number of possible or potential violators. This will require annual reviewing, revising, and maintaining of policies and procedures to ensure compliance with the Security Rule, and possibly retaining an independent monitor to conduct assessments.

For a summary of the HIPAA Privacy Rule, visit:

http://www.scribd.com/doc/104393757/Hospital-News-Summary-of-the-HIPAA-Privacy-Rule

HHS is serious about HIPAA / ePHI violations: http://www.scribd.com/doc/108466453/Hospital-CEO-News-HHS-is-Serious-About-ElectronicProtected-Health-Information-ePHI-HIPAA-VIOLATIONS
