What is PHI and ePHI?

PHI stands for Protected Health Information. It includes any information that identifies an individual, i.e. includes either the individual's name or any other information that could enable someone to determine their identity and relates to at least one of the following:

• The past, present or future payments for health care services;
• The provision of health care to the individual;
• The individual's past, present or future physical or mental health.

ePHI stands for Electronic Protected Health Information. ePHI is all Protected Health Information which is stored, accessed, transmitted or received electronically.

Where can ePHI be found?
There are many places on a network where ePHI can be found. A few locations such as servers, workstations, laptops, iPads and email are at the forefront when thinking about ePHI, but there are many other possible locations which are also important to take into consideration.

In addition to locations mentioned above, ePHI can also be found on smartphones, phone systems, in the form of recorded calls or voicemails, faxes, removable media such as USB keys, CD and DVDs, backup tapes, external hard drives, etc., and even multifunction devices.

Why is it important to know where my ePHI is?
Knowing where ePHI exists on your network is a critical step in avoiding a breach of information.

What can I do to locate ePHI on my network?

• Collect an Inventory of Your Computing Infrastructure
  An inventory of hardware and software can provide a clear picture of the potential locations for ePHI.
• Implement a Data Loss Prevention Product
  Data Loss Prevention (DLP) products can scan servers, workstations and laptops/tablets for ePHI. Most of these products have policies that perform certain actions when ePHI is found on a device. The most common actions for these products are to report, destroy or encrypt.
• Perform a Security Risk Assessment
  A security risk assessment can help discover any gaps that could potentially create a breach. Security risk assessments should be performed any time when major system changes occur in your infrastructure, as well as on a recurring basis with the schedule being determined by the outcome of previous risk assessments.
• Implement Policies and Procedures
  Create and implement written policies that determine where ePHI is allowed to exist. Communicate these policies to your staff as part of your regulatory compliance training. Use security risk assessments, data loss prevention products, system inventories or other automated systems to audit that these policies are being followed.