The healthcare industry thrives on medical data. Healthcare information is vulnerable by nature, and medical insurance claims are significant sources of PHI (protected health information). PHI is used in the healthcare industry to comprehend a health history and provide insight into their wellbeing. However, it is also vital to learn and put in place sufficient safety measures to make sure that recorded PHI is not exposed.

What is ePHI?

The data that HIPAA is supposed to safeguard is known as protected health information or PHI. During the implementation of HIPAA in the 1990s, the majority of the data generated and used in healthcare organizations was on paper. Since then, the medical industry has seen a major transformation that has resulted in more PHI being handled electronically. This led to the term ePHI, or Electronic Protected Health Information.

Thus, ePHI is the electronic equivalent of everything that is classified as PHI (personal health information). The HIPAA Security Rule was the first to define ePHI, and businesses were told to put in place regulatory, technical, and physical security measures to safeguard it. ePHI can be involved in a range of media, including emails, hard drives, smartphones, memory cards, drives, cloud-based platforms, and other devices.

According to HIPAA (Health Insurance Portability and Accountability Act), 18 particular parameters of patient data are considered PHI. These include:

  • Title/Name
  • Address
  • Birthdate of the Patient
  • Beneficiary identification number of a healthcare plan
  • License IDs/Certification numbers
  • Patient’s full face photographs
  • Social Security Numbers
  • Email Address
  • Vehicle Identifiers
  • Phone numbers
  • Medical Record Number
  • Payment related information
  • Biometric Data

ePHI also includes:

  • Lab findings or medical test results that are emailed
  • E-calendar entries for bookings and consultations
  • Prescribed medication
  • Patient’s X-Rays, MRI Scans, etc.
  • Blood test reports
  • Information regarding Patient’s Health Insurance

What does not qualify as electronic protected health information?

PHI does not pertain to every data and information stored. Keep in mind the following two factors:

  • The patient’s information must be identifiable to him/her.
  • During the course of treatment, data must be utilized or shared with a covered entity.

Apple Health Records, diabetes monitors, blood pressure monitors, and even menstruation trackers are all healthcare-related applications. They gather data that may be categorized as ePHI. But, since the application was not designed to be used by doctors, the records do not fall under HIPAA regulations. HIPAA does not apply to a patient’s personal knowledge of their health data. They have the freedom to share their personal data the way they want.

This implies that healthcare data kept in school or work records, as well as hospital staff professional information, is not ePHI. Furthermore, patient healthcare information can be relieved of any identifiers.  If identifiers are removed from the data, it is no longer protected information, and the HIPAA limits on use and exposure are no longer in effect. This De-identified or anonymous data is stripped data that can be entered into databases and used to get insight into general populations and value-based initiatives.

How Canary helps maintain ePHI

Companies that deal with protected health information (ePHI) must have physical, network, and process security measures in place and follow them to ensure HIPAA Compliance. Canary is the best alternative if you’re looking for a HIPAA Compliant email client that not only focuses on email security, but provides a wide range of attractive features too, which makes it all the more user-friendly. Most email security tools only protect work mail accounts. But modern attacks often target personal accounts. With Canary you can finally protect both.

Canary is special – it’s an app, not a provider. This means that Canary lets you send encrypted emails via your favorite email provider, including Gmail, Yahoo, Office 365, iCloud, or any other IMAP account. You can even send PGP encrypted emails from your iPhone, iPad, or Mac, to any other PGP user, who may or may not be using Canary. With end-to-end encryption, your provider is no longer relevant – the emails won’t be readable on your provider’s web interface. This means that even if an intruder gets access to your Gmail account, all they’ll see is garbled text.

Canary offers two distinct methods of email encryption to secure email. The first is an auto method called SecureSend, where the email encryption is handled automatically – users do not need to worry about the key exchange needed to secure mail. Alternatively, advanced PGP users can choose to manage keys manually and use their existing PGP keys generated via tools such as GPGTools, Symantec Email Encryption, Posteo, etc.

The best part? You no longer have to compromise on design, features, or performance to avail of cutting-edge email encryption. We’ve designed Canary to help you effortlessly deal with today’s email volumes, via your favorite email provider (IMAP), and to do so securely.