What is the Difference between PHI and ePHI?
The difference between PHI and ePHI is that the acronym PHI relates to Protected Health Information in all formats, while the acronym ePHI relates to Protected Health Information in electronic format. In most cases, ePHI is a subset of PHI – but there can be exceptions.
The acronyms PHI and ePHI are used by HIPAA covered entities and business associates to describe individually identifiable health information that relates to an individual’s health condition, treatment for the condition, or payment for the treatment.
Individually identifiable health information created, received, maintained, or transmitted in any format is Protected Health Information (PHI) under HIPAA. Individually identifiable health information created, received, maintained, or transmitted in electronic format is electronic Protected Health Information (ePHI) under HIPAA.
In both cases, any information that could identify the subject of the individually identifiable health information (i.e., phone number, email address, Social Security Number, etc.) assumes the same protected status as the individually identifiable health information when it is maintained in the same designated record set as individually identifiable health information.
Why is There a Difference between PHI and ePHI?
The reason there is a difference between PHI and ePHI is that, at the time HIPAA was passed by Congress, the priority was to reform the health insurance industry. One of the measures introduced to mitigate the cost of the reforms was the standardization of electronic healthcare transactions to make processing authorizations, claims, and remittances (etc.) more efficient.
Due to the increasing volume of electronic healthcare transactions, Congress instructed the Secretary of Health and Human Services (HHS) to adopt security standards to protect the integrity and confidentiality (and subsequently the availability) of individually identifiable health information maintained or transmitted by a HIPAA covered entity.
At the same time, Congress instructed HHS to make recommendations for the privacy of individually identifiable health information in any format. The recommendations were in lieu of several proposed acts of privacy legislation being considered by Congress at the time, and were to be adopted into standards if Congress did not pass privacy legislation within three years.
Proposed standards to protect the integrity and confidentiality of electronic individually identifiable health information were published in 1998. These later evolved into the HIPAA Security Rule. When the three-year deadline passed in 1999 without any progress on privacy legislation, HHS published its proposed privacy standards – now known as the HIPAA Privacy Rule. The proposed privacy standards were the first time the term “Protected Health Information” was used in HIPAA terminology.
The term electronic Protected Health Information was adopted to distinguish the standards for the privacy of Protected Health Information from the standards for the integrity and confidentiality of electronic individually identifiable health information. It also eliminated the confusion of two different terms being used for what was essentially the same information maintained or transmitted by a HIPAA covered entity.
When Might Exceptions Exist to the Subset Explanation?
In most explanations of the difference between PHI and ePHI, PHI and ePHI are described as identical information, with the difference between the two acronyms being that ePHI is stored electronically. For this reason, ePHI is frequently explained as being a subset of PHI.
However, there can be circumstances in which designated record sets maintained in different media contain different information. There are also circumstances in which identifying non-health information is maintained outside of a designated record set in one medium – in which case it does not assume the same protections as individually identifiable health information.
An example of an exception is when information about an emotional support animal is removed from a patient’s designated record set maintained on paper (PHI) and put into a separate paper file to facilitate transport arrangements. However, the information about the emotional support animal remains in the patient’s designated record set maintained electronically (ePHI).
Because the information about the emotional support animal does not relate to the patient’s health, treatment, or payment information, it does not have protected status while in the separate paper file. But because the information could be used to identify the subject of individually identifiable health information maintained electronically, it still has protected status in its electronic state.
In this case, the ePHI maintained about the patient contains more information than the PHI maintained about the patient. Therefore, while most explanations of the difference between PHI and ePHI are mostly correct, it is important to be aware that there are exceptions to the subset explanation. HIPAA covered entities that require more information about when exceptions exist are advised to speak with an independent HIPAA compliance professional.
