Trying to understand the nuances of the Health Insurance Portability and Accountability Act (HIPAA) can be confusing. With so many different terms and subtle differences between them, it's difficult for many doctors and covered entities to remain compliant. That's why we're presenting a quick reference guide to HIPAA's commonly used terms today.
Protected Health Information
One of the terms that's frequently used in the context of HIPAA and covered entities is Protected Health Information (PHI). Covered entities must familiarize themselves with PHI, as HIPAA's Rules govern its use, storage and transmission. According to the Department of Health and Human Services (HHS), PHI is any individually identifiable health information that is either transmitted by electronic media, maintained by electronic media, or transmitted or maintained in any other form or medium (e.g. paper and oral communication).
Electronic Protected Health Information
Electronic Protected Health Information (EPHI) differs from its PHI counterpart in that it is strictly digital rather than in paper or oral format. This may include patient files stored on a computer, video files, photos, etc. If the health information contains individually identifiable elements and it's being stored in digital format, then it's classified as EPHI.
Business Associates
The HHS views anyone who has access to PHI – both physical and digital – as a business associate. This includes third-party organizations that provide billing support, IT support, payment, security, and more. Covered entities should identify any and all business associates with whom they do business.
Business Associates Agreement
This document outlines the type of information business associates have access to, as well as how the information will be used. A business associates agreement must also include measures taken by the business associate to safeguard the covered entity's data from unauthorized use or access.
Privacy Rule
Arguably the single most important element of HIPAA, the Privacy Rule addresses the storage, access, and transmission of personally identifiable information, as well as the rights of patients and their privacy.
Security Rule
Another major HIPAA “Rule,” the Security Rule establishes security standards that are designed to prevent unauthorized access to and use of EPHI. It's important to note that the HIPAA Security Rule only affects Electronic Protected Health Information. It does not affect paper PHI. The Security Rule includes physical, technical and administrative safeguards that covered entities must implement.