What is ePHI?

The term ePHI (electronic PHI) includes any patient information that is stored or shared electronically, typically managed by Hospitals or medical practice data collection that falls under Protected Health Information (PHI) policies. These policies can also apply to medical websites that collect personal data during the acquisition process.

The root term PHI can be interchangeably used to describe Protected Health Information or Personal Health Information, both referring to the data privacy policies that require a secure environment to meet compliance goals before deploying digital assets. In order to successfully leverage digital marketing tools to benefit medical practices, a solid understanding of ePHI and how it relates to HIPAA/PHIPA compliance should be communicated by a reputable digital marketing agency or representative.

There are a few key identifiers that will raise HIPAA compliance flags that will trigger when they are collected together. These personal identifiers include:

• Personal Address Information including Postal/Zip Code
• Social Security Number
• Full or Part Name
• Voice Data
• Biometric Identifiers
• Health Plan or Beneficiary Numbers
• Months or Days associated with an Individual
• Full-face photos
• Any unique identifying numbers, codes, or markers including email, record number, account, vehicle, or device identifiers, including but not limited to geographic information, internet protocol (IP) addresses, or device ids.

The Healthcare Industry is heavily regulated when it comes to digital marketing in the USA and Canada. In order to protect the sensitive private data of individuals, there are specific restrictions and procedures that provide standardized best practices for websites or applications. Any medical or healthcare website must consider industry compliance, GDPR, Accessibility and data privacy policies during the design. Having a secure environment to test for compliance before deploying digital assets in the Medical or Hospital space is one way to prevent breaching HIPAA/PHIPA compliance. In order to successfully leverage digital marketing tools to benefit medical practices, a solid understanding of HIPAA and PHIPA compliance should be communicated by your digital marketing agency or representative.

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) regulates the use of data for advertising and marketing purposes within the medical industry. This includes a variety of provisions to keep confidential patient data safe, including a security policy for storage and encryption, as well as a limitation on how long the data may be kept depending on the purpose it is being used for. In America, the regulation of PHI can be illustrated across several agencies including The Department of Agriculture, Food and Drug Administration (FDA), and Federal Trade Commission (FTC). This means that within sensitive industries such as healthcare or medical clinics, every acquisition in search marketing must be HIPAA/PHIPA compliant.

ePHI Data Examples

• Any appointments or scheduling information hosted on an e-calendar
• Any historical administrative information, such as electronic prescriptions, digital x-rays, MRIs, lab result data or patient notes stored on mobile devices. Consider having data policies that encrypt this data on third-party sites in case of physical theft or server emergencies.
• HIPAA regulations set the standard for the transmission, storage, receipt and creation of any ePHI to ensure the following:
  • Administrative requirements, such as documenting who has access to what data
  • Physical requirements, such as security features to prevent theft of devices that contain sensitive data or ePHI
  • Technical requirements, such as encrypting sensitive information or forcing password policies to update security information on a quarterly basis, or other security components that are in place to prevent data breaches

What is NOT Covered Under ePHI?

• Any third-party health app for any application that was created without the explicit use of a physician
• Any data that is not stored by a HIPAA-covered entity or business associate
• Any de-identified or anonymized data that follows secure processes to strip or encrypt any identified private data sets or identifiers

Breaching HIPAA compliance when collecting ePHA is as easy as using Google Analytics to capture the Web URLs visited along with device IDs and allowing the wrong Personal Identifiable Information (PII) to be entered by users. This also includes geolocation, page URLs and titles, or any custom data imports collected by third parties.

Compliance Breach Considerations (HIPAA)

• Medical practices, Med Spas, Pharmaceuticals, and Dentists must report breaches of unsecured PHI
• Notifying Impacted Individuals varies by how many are affected by the breach, typically measured by 500 or less for a less serious breach and 500 or more for a more severe response plan
• When a breach impacts 500 or more individuals it is considered meaningful and must be reported within two months (60 days) of the breach discovery. Any significant breach must also notify the following branches of public service:
  • Secretary of Health and Human Services
  • Individuals affected by security breach
  • Prominent Media in jurisdictions where victims of data breaches reside

ePHI Compliance for Canadian Medical Data Collection (PHIPA)

Collecting and processing personal data (ePHI) in Canada should be compliant with PHIPA laws for a specified purpose only. It is also the responsibility of all physicians and advertisers to comply with the rules and regulations of the Food and Drug Act (FDA) and Controlled Drugs and Substances Act (CDSA). This can be particularly difficult for industries within the Cannabis space as it is highly regulated. This is to prevent misleading advertising or marketing claims that can disrupt trust in the healthcare industry. All advertisements must be evidence-based, accurate, and not misleading.

Compliance issues often occur during the implementation of marketing technology, such as Google Analytics. Including PII on custom campaign parameters for advertising campaigns can cause issues for ePHI privacy compliance. Google Analytics has several features to help prevent the collection of PII and avoid HIPAA breaches, including several permanent personal identifiers including mobile phone unique device IDs.

Analytics Considerations for Privacy Compliance

• Geolocation data cannot be fine-grained or contain GPS information for any area less than 1 square mile, including lat/long coordinates
• This includes Postal or Zip codes that can be mapped to a specific area or residence
• Do not use Custom dimensions, including:
  • utm_source
  • utm_medium
  • utm_term
  • utm_campaign
  • utm_content

In order to establish a standard of Internet Privacy, ePHI must be processed responsibly and demonstrate compliance with applicable data protection laws. Big brands and corporations have the accountability to meet privacy standards for users regardless where they are hosted. These policies are applied internationally for US and Canadian citizens regardless of the location of the company that operates the website.

Looking for something a bit more comprehensive? Contact our team for affordable help.