ePHI is any information that can identify who the health-related information belongs to.
Protected health information (PHI) is any information in the medical record record that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment.
As listed on the DHHS website, there are 18 types of identifiers. Any of one these, combined with “protected health information” would constitute ePHI.
- Address (all geographic subdivisions smaller than state)
- All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death and exact age if over 89)
- Phone number
- Fax number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Any vehicle or other device serial number
- Device identifiers or serial numbers
- Web URL
- Internet Protocol (IP) address numbers
- Finger or voice prints
- Any other unique identifying number, characteristic, or code (excluding a random identifier code for the subject that is not related to or derived from any existing identifier
An email sent to an individual that says “your appointment with Dr. X is scheduled for at 1 PM on Monday” would be considered a breach as ePHI was shared over an unsecured network (email). The appointment is “protected health information” and the email address used makes it identifiable and electronic.