What constitutes electronic Protected Health Information (ePHI)?
What is ePHI?
ePHI is Protected Health Information that is produced, saved, transferred, or received in an electronic form (such as email or text).
- Protected Health Information is the combination of health information with one or more of the designated HIPAA identifiers.
- An email address or telephone number is a HIPAA identifier.
When emails include health information and are sent from Workforce members (i.e. faculty, staff, or students) of the covered entity, the emails are ePHI and are subject to the HIPAA Privacy and Security Rules.
What makes up the covered entity?
- The WU School of Medicine, Barnes Jewish Hospital, and St. Louis Children’s Hospital.
- On the Danforth campus, the Psychological Services Center, Habif Health and Wellness Center (Student Health), Clinical Practice of the George Warren Brown School of Social Work, and the Department of Biomedical Engineering in the School of Engineering.
Health information includes information about:
- an individual’s past, present or future physical or mental health or condition,
- the provision of health care to an individual,
- the past, present, or future payment for the provision of health care to the individual.
While an individual’s test results and treatment plans are certainly health information, other less obvious examples of health information are:
- Appointment confirmations with treatment providers.
- Unsigned consent forms sent to potential participants with particular diagnoses or who are being evaluated for/at risk for certain conditions (this includes individuals undergoing a medical procedure, a course of treatment, undergoing surgery, or who are recruited due to a family history of a disease/condition).
- Surveys asking about medical conditions. (An email or text that includes a link to a survey about medical conditions is considered ePHI.)
- An email sent from a covered entity staff member to the following individuals, regardless of the email content:
  - To patient populations (or their family members) identified from their health care record (such as the medical record, clinic record, patient schedule, or billing record).
  - To past participants identified from research records that are subject to HIPAA requirements.
45 CFR § 160.103