At a time when privacy has never been more fundamental to freedom, secure email is a concern no matter the content. When that content is sensitive health information that could identify individuals and be used against them, the stakes are especially high.
Fear of being compromised in this way is widespread, growing, and based in grim reality, as bad actors take advantage of unprecedented degrees of health information sharing at the national level. That interoperability is crucial to the system’s costs and complexities coming down, but many patients worry about how their data is being used and stored.
In its 2023 State of Patient Privacy report(nieuw venster), health information network and interoperability provider Health Gorilla(nieuw venster) surveyed more than 1,200 patients and found 95 percent were concerned about data breaches and leaks. When it came to Big Tech companies like Microsoft, Google, and Apple storing their records, 65 percent of respondents expressed distrust.
“The majority of patients don’t believe that vendors are doing enough to protect their health data and have serious concerns about a potential breach of their medical records,” Health Gorilla co-founder and CEO Steve Yaskin said in a news release(nieuw venster) on the report. Yaskin further reflected: “As we make progress in setting a universal floor for interoperability, patients must have confidence in the system for healthcare interoperability to work.”
Building confidence begins with patients understanding exactly what health information is, and what parts of it are federally protected and when. This article explains what constitutes and differentiates PHI (protected health information) and ePHI (electronic protected health information), and how data can optimally be kept safe as it travels through an increasingly vast and vulnerable system.
What is protected health information (PHI)?
In 1996, the Health Insurance Portability and Accountability Act (HIPAA) passed. This set of laws reformed the insurance industry and laid out privacy and security standards for proper handling of patient data by health plans and providers.
That is why every time you see a doctor, you’re required to sign a form notifying you of HIPAA privacy practices around your PHI.
According to the Department of Health and Human Services (HHS), which administers and enforces HIPAA through its Office for Civil Rights (OCR), PHI is any individually identifiable information tied to records of health conditions, care provided, and payment for services. Your personal details by themselves aren’t protected—it’s the pairing with health information that constitutes PHI.
That could be anything from a medical bill to the results of genetic testing, and the HIPAA Privacy Rule(nieuw venster) covers such PHI in any medium, spoken, handwritten, electronic or otherwise.
What is electronic protected health information (ePHI)?
PHI becomes ePHI under HIPAA when it is generated, sent/received, or stored electronically by a “covered entity(nieuw venster)” (providers, insurance plans, clearinghouses that process health data) or a “business associate(nieuw venster)” (individuals or organizations that help carry out healthcare functions, like email providers, finance companies, benefit managers, and lawyers).
That could be email content, an electronic health record, or data maintained in a cloud. The Privacy Rule’s protections apply here, but ePHI is also subject to the HIPAA Security Rule(nieuw venster), which demands covered entities and business associates:
- Ensure ePHI remains confidential and available to permitted parties
- Guard against impermissible uses/disclosures and threats to ePHI integrity
- Ensure workforce compliance around all of the above
What health information isn’t protected under HIPAA?
These basic definitions of PHI and ePHI are reasonably straightforward, but confusion(nieuw venster) persists. Partly because some people assume blanket protection of personal identifiers (everything from your name and email to fingerprints), and partly because qualifying for protection depends on particular combinations of factors(nieuw venster) (like whether the PHI has been de-identified(nieuw venster) or is held by an entity not covered under HIPAA, such as public schools or employers keeping employee health records on file).
The Assistant Secretary for Technology Policy lists additional types of health information to which HIPAA doesn’t apply(nieuw venster). These include psychotherapy notes; information gathered for use in civil, criminal, and administrative actions and proceedings; and the data of anyone who has been dead more than 50 years.
Naturally, within a system of HIPAA’s scope and ever-evolving nature(nieuw venster) as technology and policy advance, nuances and exceptions abound.
“In a perfect world, an explanation(nieuw venster) of what HIPAA Protected Health Information is would be covered in the Notice of Privacy Practices,” independent compliance advocate The HIPAA Journal(nieuw venster) says of the fine print on forms patients sign when receiving care. “However, most Notices of Privacy Practices already contain more information than most patients are prepared to read; and… explaining what is covered under HIPAA—and what is not—will likely raise more questions than answers for patients wishing to exercise their Privacy Rule rights.”
Common misconceptions about what constitutes PHI/ePHI are evidenced by the volume of complaints about HIPAA privacy violations(nieuw venster). Nearly 375,000 have been submitted to the federal government since 2003, when the Privacy Rule went into effect. OCR’s running tally/breakdown indicates that 72 percent of those cases were dismissed. Some because investigators found no evidence of violation (15,561 cases, as of October 2024), and the rest (255,953 cases) because complaints didn’t present a case eligible for enforcement.
The top reason OCR gives for the latter is that the organization being complained about wasn’t covered by HIPAA. Organizations that are covered have a heavy responsibility to meet the highest standard of compliance.
Ensuring the best protections for ePHI
Those charged with keeping PHI safe are legion(nieuw venster). In the provider column, there are doctors, dentists, and psychologists, clinics, nursing homes, and pharmacies. Under health plans, there are insurance companies, HMOs, company health plans, and government programs like Medicare and Medicaid. The middlemen known as healthcare clearinghouses are in there too, checking provider claims for accuracy before shuttling them on to health plans.
All of these entities depend on HIPAA-covered business associates to provide a secure platform for electronically exchanging patient data. If they can’t trust the tools they’re using, they risk violating patient privacy and suffering the consequences, from corrective action to civil and criminal penalties.
They are charged with securing ePHI on their servers and guaranteeing that it stays safe in transit anywhere else. Various platforms offer email services that meet these requirements. Proton for Business exceeds them.
As the world’s largest provider of open-source and end-to-end encrypted email, Proton serves over 50,000 organizations, including HIPAA covered entities. The maintenance and transmission of ePHI goes beyond compliance with formidable Proton security features, including:
- Advanced Encryption Standard (AES) encryption to protect emails stored on servers, and Transport Layer Security (TLS) encryption to protect that content on its way to other recipients
- Open PGP end-to-end-encryption, so data is only accessible to intended recipients—even if the receiving email platform is an unsecure third party
- Comprehensive Business Associate Agreement(nieuw venster) (BAA) coverage, meaning all email features (including calendar and storage) comply with HIPAA
- Robust physical security in terms of control over server integrity
Even on the scale of an organization, switching to Proton from other providers (Google Workspace, Microsoft 365, etc.) is seamless with the Easy Switch tool. Data is migrated, support is provided throughout the process, and workforces need no training to engage with the user-friendly interface.
Patients who are sending or receiving PHI can take steps to protect their own information. Like knowing how to check if their email is compromised, and how to use password best practices and two-factor authentication. They can learn all the features of email and the hazards of improper use. They can switch to Proton.
Still, the great burden of protecting health information falls to the big cogs in the machine. Working with Proton means sharing that commitment to security, as well as building a better internet where privacy is the default.
