What is the Confidentiality of ePHI?

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

Introduction

This article discusses the concept of "confidentiality of ePHI" under the HIPAA Security Rule.

What is the Definition of "Confidentiality of ePHI"?

The HIPAA regulations define “confidentiality” as “The property that data or information is not made available or disclosed to unauthorized persons or processes.”

What are Covered Entities' and Business Associates' Obligations With Respect to Confidentiality of ePHI?

Under the HIPAA Security Rule, covered entities and business associates must ensure the confidentiality of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits. Various provisions of the Security Rule specifically require confidentiality be assessed, preserved, or maintained. 

These HIPAA confidentiality provisions require (but are not limited to) the following:

• Performing a Risk Analysis: Performing a risk analysis requires healthcare providers and business associates to (among other things) conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality of electronic protected health information held by the covered entity or business associate; and
• Implementing Administrative, Physical, and Technical Safeguards: The plan sponsor of a group health plan must implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality of the electronic protected health information the plan sponsor creates, receives, maintains, or transmits on behalf of the group health plan.