Welcome back to Protecting Your Practice, a series of articles from Empathic Software dedicated to educating mental health providers about the importance of cybersecurity and simple steps you can take to keep your data safe.
In this article, we'll be discussing what constitutes Protected Health Information (PHI) and how to securely communicate PHI between parties — as well as avoiding methods that are not secure.
What counts as Protected Health Information?

According to the U.S. Department of Health and Human Services, Protected Health Information (PHI) is any information that relates to an individual's health status, provision of healthcare, or payment for healthcare that can be linked to that individual.
Under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, PHI is afforded heightened protection to ensure that individuals' sensitive health information remains confidential. This law applies to "covered entities" (i.e. healthcare providers, insurance plans, clearinghouses, and Business Associates) that conduct certain healthcare transactions electronically.
The HIPAA Privacy Rule identifies 18 specific types of information that are considered PHI when they can be used to identify or help identify a particular individual. These include:
Names: Any part of an individual's legal or preferred name.
Geographic data: Any geographic subdivisions smaller than a state, like a city, county, street address, or ZIP code.
Dates: Birth dates, admission dates, discharge dates, and any other dates related to an individual.
Telephone numbers
Fax numbers
Email addresses
Social Security numbers
Medical record numbers: Unique identifiers assigned to patients' medical records.
Health plan beneficiary numbers: Specific numbers assigned to individuals by health insurance plans.
Account numbers: Financial account numbers related to healthcare services, such as routing numbers and credit card data.
Certificate/license numbers: Numbers that indicate professional licenses or certifications.
Vehicle identifiers: License plate numbers and other vehicle details.
Device identifiers: Any device used for healthcare services linked to an individual.
Web URLs: Specific web addresses that can lead to an individual’s information.
IP addresses: Internet Protocol addresses associated with an individual’s electronic devices.
Biometric identifiers: Unique physical traits like fingerprints or voiceprints.
Full-face photographs
Any other unique identifying number, characteristic, or code
It's critical to have a solid understanding of PHI. This knowledge helps ensure you remain HIPAA-compliant and avoid putting your client and business at risk.
Securely communicating PHI

As a mental healthcare provider, you will inevitably need to share client PHI with relevant third parties. These can include other providers (such as your client's social worker or psychiatrist), your clearinghouse, or your Electronic Health Record (EHR) vendor.
Some methods of securely communicating electronic PHI (ePHI) include:
An encrypted EHR messaging platform/app
Encrypted email (such as Hushmail — get 15% off for life, on us!)
Encrypted fax
Non-secure methods of PHI sharing

Many providers mistakenly share PHI via non-secure channels, such as:
Text message
Unencrypted email
Unencrypted fax
Verbally/over the phone in an unsecured space (e.g. a public coffee shop)
These environments increase the risk of someone accessing sensitive client information. If you have been unknowingly sharing PHI in a non-secure manner, don't panic — but do shift to more secure methods immediately.
If clients or colleagues email you and include PHI, please remind them to refrain from doing so for the client's own good. Including a note in your email signature about PHI sharing can be a helpful reminder. See the example below for some inspiration:
Jane Appleseed | Clinic Director
HIPAA compliance is important to us. When discussing clients via email, please refrain from disclosing PHI and instead refer to clients by their assigned identification number found in their client file.
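The identifier list above and the signature policy together suggest a simple pre-send check: hold any outgoing draft that still carries a text-shaped identifier. This is an added example, not code from the original article or from Empathic Software; it assumes a hypothetical CL-##### client-ID format as the permitted substitute, and the sample draft is constructed.

```python
from __future__ import annotations
import re

# Text patterns for the HIPAA identifier categories that have a recognisable
# shape. Names, biometrics and photographs have no regular form and still
# need a human reviewer; this check is a safety net, not a substitute.
PHI_PATTERNS = {
    "Social Security number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Telephone/fax number": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}\b"),
    "Email address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "Date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "ZIP code": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
    "IP address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "Web URL": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "Medical record number": re.compile(r"\bMRN[:#\s]*\d{6,}\b", re.IGNORECASE),
}

# Hypothetical client-ID format (CL-#####) that the signature policy asks
# correspondents to use instead of identifying details; it is masked first
# so the ZIP-code pattern does not flag the practice's own identifiers.
CLIENT_ID = re.compile(r"\bCL-\d{4,}\b")


def find_phi(message: str) -> list[tuple[str, str]]:
    """Return (category, matched text) pairs for likely PHI in a message draft."""
    scrubbed = CLIENT_ID.sub("[ID]", message)
    findings = []
    for category, pattern in PHI_PATTERNS.items():
        findings.extend((category, m.group(0)) for m in pattern.finditer(scrubbed))
    return findings


def flagged_categories(message: str) -> set[str]:
    """Categories present in a draft; a non-empty set means hold it for review."""
    return {category for category, _ in find_phi(message)}


# Constructed sample draft (not a real client) with the kind of PHI a
# colleague might paste in by habit, next to the permitted client ID.
SAMPLE_DRAFT = """Hi Dr. Lee,
Following up on client CL-10482 (DOB 03/14/1988). Her SSN is 123-45-6789,
phone 555-867-5309, email jane.d@example.com, MRN 00987654.
New address: 42 Elm St, Springfield, IL 62704. Portal logins from 203.0.113.7.
Chart: https://ehr.example.test/chart/00987654
Thanks, Jane Appleseed | Clinic Director
"""

if __name__ == "__main__":
    for category, text in find_phi(SAMPLE_DRAFT):
        print(f"{category:24s} {text}")
```

Run against the sample draft, every text-shaped category is reported while the CL-10482 reference passes; a draft that refers to the client only by that ID produces no findings.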
Other PHI Safeguards
To further protect electronic PHI from cyberattack, consider investing in several of the following safeguards:
Virtual Private Network (VPN)
Secure client portal
Anti-malware/anti-spyware software (such as Norton 360 or McAfee)
HIPAA-compliant file sharing platform (such as Dropbox)
As a mental health provider, clients trust you with their most sensitive information. By ensuring proper storage and communication of ePHI, you can effectively protect their data from cybercriminals.