Tuesday, February 12, 2019

Word of the Day: electronic protected health information (ePHI)

Word of the Day WhatIs.com

Electronic protected health information (ePHI) is protected health information (PHI) that is produced, saved, transferred or received in an electronic form. In the United States, ePHI management is covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.

In HIPAA documentation, any organization or corporation that directly handles ePHI is referred to as a covered entity. All covered entities, including hospitals, doctors' offices and health insurance providers, must abide by HIPAA Security Rule guidelines when handling ePHI. This includes ePHI at rest as well as ePHI in transit.

 

According to the HIPAA Security Rule, covered entities must ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain or transmit. This includes identifying and protecting against reasonably anticipated threats to the security or integrity of the information.

 

Because the health care marketplace is so diverse, the Security Rule for ePHI is designed to be flexible and allow covered entities to implement policies, procedures and technologies that are appropriate to the entity's size, capabilities and risk appetite. To help covered entities plan appropriately, the HIPAA Security Rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality, integrity and availability of ePHI.

 

Administrative Safeguards

  • Identify and analyze potential risks to ePHI and implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
  • Designate a security official to be responsible for developing and implementing its security policies and procedures.
  • Implement policies and procedures for role-based access to ePHI.
  • Supervise workforce members who work with ePHI.
  • Perform periodic assessments to determine how well security policies and procedures meet the requirements of the HIPAA Security Rule.

Physical Safeguards

  • Limit physical access to facilities while still ensuring that authorized access is allowed.
  • Implement policies and procedures that specify proper use, transfer, removal and disposal of electronic media.

Technical Safeguards

  • Implement technical policies and procedures that allow only authorized persons to access electronic protected health information.
  • Implement hardware, software and/or procedural mechanisms to log and analyze activity in information systems that contain or use ePHI.
  • Implement policies and procedures to ensure that ePHI is not improperly altered or destroyed.
  • Implement technical security measures, such as encryption, that will guard against unauthorized access to ePHI as it is being transmitted over an electronic network.

Quote of the Day

 
"When a risk to ePHI security is uncovered, your organization should have someone in place who is qualified to determine the context, scope and magnitude of the vulnerabilities, and whether and how the organization should respond." - Tatiana Melnik

Quiz Yourself

 
Risk analysis is a _________ component of the HIPAA Security Rule because it allows an entity to target its main security loopholes and deficiencies.
A. incisive
B. decisive

This e-newsletter is published by the TechTarget network.