The provisions of the HIPAA Security rule apply to electronic Protected Health Information (ePHI). All covered entities must comply with the Security standards, requirements, and implementation specifications of HIPAA.
“Protected Health Information (PHI)” – Protected health information (PHI) is defined under the HIPAA regulations as information that is a subset of health information, including demographic information collected from an individual, and:
- is created by a health care provider, health plan, employer, or health care clearinghouse: and
- relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; and (i) that identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
“Electronic Protected Health Information (ePHI)” – PHI which is electronically created, collected, stored, used, maintained, or transmitted using any media within a covered entity or shared with external sources. The rule requires the preservation and maintenance of privacy and confidentiality for this data.
- Confidentiality - ePHI is accessible that only those people and processes authorized to access the information it.
- Integrity - ePHI is not altered or destroyed in an unauthorized manner
- Availability - ePHI is accessed as needed by those authorized to use it
The HIPAA Security Rule requires that we perform a Risk Assessment to create the framework for identifying risk and addressing any exposures for Penn with appropriate technologies and safeguards. In order to do this, you are being asked to think about what is done in your work that involves confidential and private patient information as you complete this inventory. It is important to know where electronic-Protected Health Information is located throughout the Penn Medicine’s research community.
We encourage you to view this inventory process in a positive light since it will enable us to afford you various helpful tools to manage your ePHI security. This process involves 2 steps. Access to the website will be by PennKey for purposes of privacy and for tracking responders by department. You will have 2 weeks to complete this inventory process.
Step One. This is simply an acknowledgement of your use of any of what HIPAA refers to as Identification Elements of Protected Health Information. The list of 16 elements appears below. If you use NONE of these elements, your response will be logged and you are finished with the inventory.
Step Two. If you use one or more of these identifiable elements, you will be taken to a series of brief questions about EACH instance of use, where a separate accounting of all ePHI created, stored, or transmitted electronically by a faculty member will be completed. The inventory will be completed by the faculty member who is most accountable for the data management and who is generally the owner of the data. This process can NOT be delegated to others to complete. At the end of each asset accounting, you will be automatically taken back to the beginning of the process where much of your stored data can be modified for each new entry.
When you have completed all instances of use or storage of ePHI in electronic media, your information will be submitted to a secure database for reporting purposes. Your Department Chair or Director will contact you as necessary.
Following this inventory step, you will be contacted with guidelines to determine any possible areas of security risk and exposure. From that point, a series of measures will be identified to help manage those areas found to be out of alignment with Penn’s requirements to manage the privacy and confidentiality of electronic Protected Health Information.
| Names |
| Street Address, Apartment #, Precinct, or other geocodes smaller than state, except for the initial 3 digits of the zip code |
| All elements of dates (except year) directly related to individual. (e.g. date of birth/death, dates of admission/discharge, etc.) |
| Any specific ages greater than 90 |
| Telephone numbers including fax numbers |
| Electronic mail addresses |
| Social security number |
| Medical record numbers |
| Health Plan Beneficiary Numbers, or any other account numbers |
| Certificate/license numbers, & vehicle indentifiers and serial numbers, including license plate numbers |
| Implanted device indentifiers and serial numbers |
| Web Universal Source Locators (URLs) |
| Internet Protocol (IP) address numbers |
| Biometric Identifiers, including finger and voice prints or any audio recordings |
| Full face photographic images and any comparable image, including video recordings |
| Any unique identifying number, characteristic, or code |
For assistance with questions regarding this inventory, please call Mary Alice Annecharico at 215-898-9754 during University normal business hours of 9 AM – 5 PM Monday through Friday. Or, you may send your questions to AskHIPAA@mail.med.upenn.edu. Expect a response in less than 24 hours. HIPAA related Research Definitions can be found at http://www.med.upenn.edu/ohr/hipaa.