ATG HIPAA Security Rule Alerts
Alert #4
Electronic Protected Healthcare Information Is Protected Under Security Rule

The rule applies to electronic protected health information (EPHI), which is individually identifiable health information (IIHI) in electronic form. IIHI relates to:
  1. An individual's past, present, or future physical or mental health or condition,
  2. An individual's provision of health care, or
  3. Past, present, or future payment for provision of health care to an individual.
The primary objective of the Security Rule is to protect the confidentiality, integrity, and availability of EPHI when it is stored, maintained, or transmitted.

HIPAA's Privacy requirements apply to all protected health information, or "PHI" as it sometimes is called. HIPAA's Security requirements apply to electronic PHI that identifies an individual and describes his or her medical condition. This includes clinical information in the patient's medical records such as the patient's medical history, results of physical examinations, laboratory and other diagnostic test results. It also includes payment information such as billing records and claim forms. Even basic demographic information such as the patient's date of birth and sex is included, as is the patient's name, address, and telephone number. In short, if information describes a patient or could be used to identify the patient, it is protected under HIPAA! The HIPAA privacy requirements apply to information in any form. They apply to written records, information stored electronically on computer systems, and information transmitted electronically to insurers or other providers.

In general, patient health information that has been converted to, stored in, or transmitted by electronic media is deemed to be "EPHI" and as such is to be controlled and protected under the HIPAA Privacy and Security Rules.

"Electronic media" is defined as:
  • Any electronic storage media including memory in computers (hard drives)
  • Any removable or transportable digital memory medium (magnetic tapes or disk, optical disk, or memory card)
  • Transmission media used to exchange information electronically (Internet, leased lines, dial-up, intranets, and private networks)

THE LAW
Office of the Secretary
45 CFR Parts 160, 162, and 164
Health Insurance Reform: Security Standards; Final Rule 4717
Subpart C-Security Standards for the Protection of Electronic Protected Health Information
164.306 Security standards: General rules.

(a) General requirements. Covered entities must do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
(4) Ensure compliance with this subpart by its workforce.

(b) Flexibility of approach.
(1) Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.
(2) In deciding which security measures to use, a covered entity must take into account the following factors:

(i) The size, complexity, and capabilities of the covered entity.
(ii) The covered entity's technical infrastructure, hardware, and software security capabilities.
(iii) The costs of security measures.
(iv) The probability and criticality of potential risks to electronic protected health information.