ePHI and HIPAA

Twelve years ago, in 2011, someone stole a laptop from Lahey Hospital and Medical Center, which is affiliated with Tufts Medial School. The Burlington, Massachusetts-based nonprofit teaching hospital notified the Department of Health and Human Services Office for Civil Rights (OCR) about the theft of a single laptop containing the protected health information (ePHI) of 599 patients. That laptop had been previously used with a portable CT scanner and then left in an unlocked room. In accordance with a HIPAA settlement with the OCR the hospital agreed to pay $850,000 and implement a robust corrective action plan.

The investigation that lead to the settlement and subsequent corrective action plan revealed a number of issues, including:
• Failure to physically safeguard a workstation that accessed ePHI.
• Failure to implement and maintain policies and procedures to safeguard ePHI maintained on workstations used with diagnostic/laboratory equipment.
• Failure to implement procedures that recorded and examined activity in the workstation at issue in this incident.

The Director at OCR, Jocelyn Samuels said, “Because these workstations often contain ePHI and are highly portable, such ePHI must be considered during an entity’s risk analysis, and entities must ensure that necessary safeguards that conform to HIPAA’s standards are in place.”

The subsequent investigation by OCR uncovered “widespread non-compliance with the HIPAA rules”.

photo of doctor looking deeply unto the screen

Electronic protected health information (ePHI) is protected health information (PHI) that is produced, saved, transferred or received in an electronic form. In the United States, ePHI management is covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.

This data exists in the cloud, but it also exists on hard drives of connected devices, computers, cell phones, copiers, and more. The problem that many healthcare facilities face is that the devices don’t stop storing ePHI when the devices have been decommissioned.

Read more about device destruction here.


Leave a Reply