What is the HIPAA Security Rule?

The HIPAA Security Rule establishes national standards to protect an individual's electronic protected health information (ePHI) that is created, received, transmitted or maintained electronically. In short, the Security Rule requires any company that handles PHI to have all required physical, network and process security measures in place and to follow them strictly.

The three parts of the HIPAA Security Rule are:

  1. Administrative Safeguards
  2. Technical Safeguards
  3. Physical Safeguards

We have compiled a HIPAA Compliance Guide to help break down how we ensure that we meet and exceed all HIPAA laws and requirements for technical and physical safeguards. The document also covers the efforts we have set forth to meet administrative safeguards, and provides recommendations to ensure that administrative safeguards are met by our users.

What is Protected Health Information (PHI)?

PHI is any information in a medical record that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service. ePHI is Protected Health Information in electronic format. In layman's terms, PHI is personally identifiable information in a medical record, and it can include conversations between doctors and staff about patient treatment. PHI also includes any patient billing information and any other patient-identifiable information.

eHealth and record management applications that collect, store or share PHI must follow HIPAA compliance guidelines in order to be fully compliant with the law.

Not all information is considered PHI. For information to be considered PHI and regulated by HIPAA, it must meet both of the following criteria:

  1. Personally identifiable to the patient
  2. Used or disclosed to a covered entity during the course of care

How do I know what is and what is not PHI?

Some examples of PHI include billing information from your doctor, an email to your doctor's office about medication or prescriptions you need, an appointment scheduling note with your doctor's office, an MRI scan, blood test results, and phone records. Some examples of data that is not considered PHI include steps recorded by pedometers, the number of calories burned, and heart readings with personally identifiable user information.