Curious as to the HIPAA compliance requirements for electronic Medical Records, commonly known as EMR, but also that of Electronic Health Records (EHR) and electronic/electronically Protected Health Information (ePHI), or just PHI? If so, you’re not alone, so here’s what you need to know when it comes to compliance with digital/electronic medical records as it pertains to the Health Insurance Portability and Accountability Act (HIPAA), courtesy of Flat Iron Technologies, North America’s leading provider of award-winning HIPAA Security & Privacy Compliance Toolkits (HSPCT).
Save Thousands on HIPAA Compliance with our Toolkits!
Just a quick note that our award-winning, industry leading HIPAA Security & Privacy Compliance Toolkits (HSPCT) are available for instant download today at hipaapoliciesandprocedures.com. Developed by healthcare professionals with a proven track record of compliance expertise, the HSPCT documentation includes all necessary policies, procedures, forms, checklists, templates, security awareness training material, risk assessment documents, third-party monitoring forms, fraud documentation – and more – for helping Covered Entities (CE) and Business Associates (BA) become compliant with the Health Insurance Portability and Accountability Act (HIPAA). If you’re into saving thousands of dollars on HIPAA compliance, then visit hipaapoliciesandprocedures.com today.
HIPAA EMR vs. EHR vs ePHI vs PHI – What you Need to Know
1. Understand the Terminology. Before you can begin to assess your compliance requirements regarding electronic medical records, it’s important to learn the alphabet of acronyms relating to such data, which are the following:
EMR: Electronic medical records (EMRs) are essentially digital versions of the various paper charts in clinician offices, clinics, hospitals and other healthcare practices. EMRs thus contain notes and other sensitive information collected by and for the clinicians in that office, clinic, or hospital and are mostly used by providers for diagnosis and treatment. EMRs are more valuable than paper records because they enable providers to track data over time, identify patients for preventive visits and screenings, monitor patients, and improve health care quality.
EHR: An electronic health record (EHR) is essentially a digital version of a patient’s paper chart. EHRs are real-time, patient-centered records that make information available instantly and securely to authorized users of such data. EHRs contain information from all the clinicians involved in a patient’s care and all authorized clinicians involved in a patient’s care can access the information to provide care to that patient. Simply stated, EHRs focus on the total health of the patient, effectively extending beyond standard clinical data collected in the provider’s office and inclusive of a broader view on a patient’s care, thus an important distinction exists between EMR and EHR that you need to be aware of. EHR often contains a patient’s medical history, diagnoses, medications, treatment plans, immunization dates, allergies, laboratory and test results, and much more.
PHI: Protected health information is essentially any information about health status, provision of health care, or payment for health care that is created or collected by a "Covered Entity" (or a Business Associate of a Covered Entity), and can be linked to a specific individual. This is interpreted rather broadly, and covers the following 18 identifiers:
1. Names
2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
4. Phone numbers
5. Fax numbers
6. Electronic mail addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)
ePHI: Electronic protected health information (ePHI) refers to any protected health information (PHI) that is covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) security regulations and is produced, saved, transferred or received in an electronic form.
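The zip code, date and age identifiers above each carry an edge case (three-digit zip areas of 20,000 or fewer people become 000; dates keep only the year; ages over 89 collapse into a single 90+ category, even when they are implied by a birth year). The following is an added example, not code from the original post, showing how those rules apply to a constructed patient record; the restricted zip prefix set is a placeholder that must be replaced with the current Census-derived list.

```python
"""Safe Harbor helpers for the zip code, date and age rules (added example)."""
import re
from datetime import date

# CONSTRUCTED placeholder: three-digit zip prefixes whose combined population is
# 20,000 or fewer. The real set comes from current Census Bureau data.
RESTRICTED_ZIP3 = {"036", "059", "102"}


def deidentify_zip(zip_code: str, restricted=RESTRICTED_ZIP3) -> str:
    """Keep only the first three digits of a 5- or 9-digit US zip code, and
    replace even those with 000 when the area covers 20,000 or fewer people."""
    digits = re.sub(r"\D", "", zip_code)
    if len(digits) not in (5, 9):
        raise ValueError("expected a 5- or 9-digit US zip code")
    zip3 = digits[:3]
    return "000" if zip3 in restricted else zip3


def deidentify_date(d: date) -> str:
    """Dates directly related to an individual (admission, discharge, death)
    keep only the year."""
    return str(d.year)


def deidentify_age(age: int) -> str:
    """Ages over 89 are aggregated into a single '90+' category."""
    if age < 0:
        raise ValueError("age must be non-negative")
    return "90+" if age > 89 else str(age)


def deidentify_dob(dob: date, as_of: date) -> str:
    """A birth year alone would reveal an age over 89, so for such patients the
    year is dropped too and only the aggregate category is reported."""
    birthday_passed = (as_of.month, as_of.day) >= (dob.month, dob.day)
    age = as_of.year - dob.year - (0 if birthday_passed else 1)
    return "90+" if age > 89 else str(dob.year)


def deidentify_record(rec: dict, as_of: date) -> dict:
    """Apply the three rules to a record with 'zip', 'dob' and 'admission_date'.
    Names, MRNs and the other identifiers in the list must be removed separately."""
    return {
        "zip": deidentify_zip(rec["zip"]),
        "birth_year": deidentify_dob(rec["dob"], as_of),
        "admission_year": deidentify_date(rec["admission_date"]),
    }
```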
2. Know the Benefits of Information Security Best Practices: Implementing IT best practices is an absolute must in today’s cybersecurity world, and it’s also essential for helping ensure the safety and security of Protected Health Information (PHI) and other confidential consumer/patient data. Breaches are occurring at record pace today, affecting thousands of businesses throughout North America, so now’s the time to start getting serious about information security, and that essentially means creating a new culture and mindset. It’s about putting security first, and making security an absolute priority, no question about it. Getting serious about HIPAA compliance means getting serious about information security.
3. Ensure Proper Documentation is in Place: What is “proper documentation” when it comes to HIPAA compliance? It’s the numerous information security, operational, and HIPAA-specific policies and procedures that need to be in place. From the HIPAA Security Rule and Privacy Rule mandates, to numerous other supporting initiatives, such as security awareness training, risk assessments, and more, developing the necessary material can be incredibly time-consuming and very tedious indeed. It’s why healthcare providers turn to hipaapoliciesandprocedures.com for the very best HIPAA policy templates and toolkits found anywhere today. Compliance with HIPAA means heavy documentation has to be in place, it’s just that simple. Why spend endless hours trying to author templates from scratch – it’s not necessary – use our HIPAA Security and Privacy Compliance Toolkits (HSPCT) today!
4. Remediate Areas of Concern: We live in a world of growing threats, many of them digital in nature as hackers and other malicious individuals are using a wide variety of online attack tools. It’s therefore critically important to remediate and enhance your information security posture. Specifically, it’s about properly configuring firewalls, strengthening passwords, ensuring a comprehensive data backup process is in place, and much more. But it’s not just about technology, it’s also about enhancing operational strategies, such as performing a risk assessment, conducting security awareness training (more on these two initiatives in a moment), ensuring an incident response plan is in place, testing your contingency plan, and much more.
Look, no healthcare organization has a picture perfect control environment – there’s always work to be done – and the documentation you need for helping strengthen one’s controls can be downloaded today at hipaapoliciesandprocedures.com. Our HIPAA Security & Privacy Compliance Toolkits (HSPCT) contain all the essential ingredients for cooking up a successful compliance strategy for HIPAA.
5. Train Employees on a Regular Basis on Security: One of the most successful information security initiatives that every healthcare company should be employing is security awareness training. Sure, it’s a HIPAA mandate to train employees, but it’s also a best practice every company should be performing – why – because the very best defense against today’s growing cybersecurity threats is well-trained, diligent, security-minded employees.
6. Assess Risks with an Annual Risk Assessment: Performing a risk assessment, while a best practice that healthcare companies should be doing, is also a strict mandate for HIPAA compliance. What’s interesting to note is that such activities don’t have to be a long, drawn-out process that takes months and is filled with academic jargon and exercises – not at all! The simpler, easier, more cost-effective and higher-ROI approach is to tailor a risk management program to your business, regardless of size or complexity.
And because the vast majority of healthcare entities are rather small, you can easily use the comprehensive, yet easy-to-use HIPAA risk assessment materials available for instant download today from hipaapoliciesandprocedures.com. You don’t need to spend an enormous amount of time and money on assessing risk, so do what companies all across North America are doing, and that’s downloading the HIPAA Security and Privacy Compliance Toolkit (HSPCT) today from hipaapoliciesandprocedures.com.
7. Aim for the HIPAA Moving Target: Becoming HIPAA compliant – as challenging as that can be – is essential, but it’s more important to keep your eye on the moving target, the constant compliance reminder of how HIPAA is never “one-and-done”. This means putting in place a comprehensive, yet realistic “Continuous Monitoring” program that assesses, makes changes, and ultimately enhances one’s internal controls for helping stay compliant. For such a task, you’ll need to identify a true HIPAA champion within your organization, somebody with the drive and initiative to keep HIPAA going and moving forward.
This somebody also has to be aware of the challenges that lie ahead as businesses simply don’t like change. More specifically, this person will be responsible for helping enforce a constant barrage of regulatory compliance initiatives – too many to list here. This “somebody” will have a true commitment to HIPAA, so think long and hard before assigning such a task.
8. Know that Compliance – and Enforcement – is for real, finally: Have you seen the constant barrage of data breaches and cybersecurity attacks that are making front page news? Unfortunately, there’s going to be more of this in the future as breaches become bigger, more costly and ultimately more damaging. It’s why the need for continuous compliance is essential and it’s also why the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is gearing up yet again with more surprise audits. Say hello to the new world of enforcement and get prepared!
9. Seek Help from Experts: Need assistance with HIPAA compliance, such as writing HIPAA policies and procedures, helping assess scope, performing a readiness assessment, or any other necessary solutions? Then talk to North America’s HIPAA experts today at Flat Iron Technologies, LLC. Visit hipaapoliciesandprocedures.com to learn more.
Our HIPAA Toolkits Enable Rapid & Complete HIPAA Compliance
HIPAA compliance is an absolute must for any healthcare entity that stores, processes, and transmits PHI, so step up to the plate and hit a HIPAA home run with our industry leading, professionally developed HIPAA Security and Privacy Compliance Toolkits (HSPCT), available for instant download today at hipaapoliciesandprocedures.com. Becoming HIPAA compliant is now easier and more cost-effective than ever, thanks to the easy-to-use documents that are saving healthcare entities hundreds of hours and thousands of dollars.