If you work in the medical field, you might have heard the terms "protected health information" and "electronic protected health information" and wondered what the difference between them is. The answer is subtle, as we'll explain in this post.
Protected health information
According to HIPAA regulations, protected health information, or PHI, is identifiable health information that a covered entity or a business associate uses, maintains, stores, or transmits as a part of healthcare services. PHI isn’t just related to medical records or individually identifiable health markers, but can be anything that identifies a patient and is used during the course of his or her care. Any personal detail linked to someone’s health condition automatically becomes PHI. For example, a patient name or email address alone can be considered PHI if it is associated with a healthcare provider, such as in a marketing email coming from your practice.
Electronic protected health information
Electronic protected health information, or ePHI, is PHI that is held or transferred in electronic form. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) obligates covered entities to protect the privacy and security of Americans' health information (i.e. their PHI). The US Department of Health and Human Services (HHS) later published the HIPAA Privacy Rule to establish the national standards for covered entities to follow. HHS also published the HIPAA Security Rule to delineate a national set of security standards for protecting ePHI. The Security Rule sets specific standards for the confidentiality, integrity, and availability of ePHI.
- Confidentiality means not disclosing ePHI without proper patient authorization.
- Integrity means ensuring that ePHI is not accessed except by appropriate and authorized parties.
- Availability means allowing patients to access their ePHI in accordance with HIPAA security standards.
The Security Rule explains both the technical and non-technical protections that covered entities must implement to secure ePHI.
- Administrative safeguards include policies and procedures designed to protect patient information. That might take the form of designating a security official whose job it is to create office-wide policies, enforce them and train employees on HIPAA measures.
- Physical safeguards are actual physical protections put in place to protect electronic systems, workplace equipment and patient data.
- Technical safeguards refer to the automated process that employees use to access patient data. Think of things like log-in credentials, passwords, and other authentication methods.
ePHI and email encryption
With regard to HIPAA compliant email, covered entities must take reasonable steps to protect ePHI while it is transmitted electronically, all the way to the recipient’s inbox. Encryption is a method of converting a plain text electronic message into encoded text. When information is encrypted, it is unlikely that anyone other than the designated recipient can decrypt (translate) the message in order to read it. Encryption is the best safeguard for managing the confidentiality, integrity, and availability of ePHI as described above.
Storing ePHI with business associates
Cloud storage services qualify as business associates even if they never access or view the ePHI that they store. Most mainstream email marketing solutions will not sign a business associate agreement (BAA), which is a nonstarter for healthcare providers. This includes well-known platforms such as Mailchimp, HubSpot, and Salesforce Pardot, among many others. For more details on which platforms are safe and effective for healthcare providers to use, we have analyzed the HIPAA compliance of the top 20 email marketing tools here.
Why you should choose Paubox Marketing
Paubox Marketing lets recipients view healthcare marketing emails like regular emails without relying on outdated portal notifications, which are terrible for the recipient. It allows you to send secure, personalized email including ePHI to increase engagement and build your business while remaining HIPAA compliant. Paubox Marketing is the only HIPAA compliant email marketing solution that will:
- Sign a BAA
- Provide military-grade encryption
- Allow you to include ePHI in your messages
- Allow patients to read your emails directly from their inboxes with no extra steps
In addition, Paubox Marketing is HITRUST CSF certified. Compared to the standard marketing tools, Paubox Marketing is the best option for maintaining HIPAA compliance while harnessing the power of personalized email marketing. Although you might see storing and sending PHI electronically as a roadblock to implementing an email marketing strategy, it doesn’t have to be.