The Security Rule deals specifically with electronic PHI (e-PHI), and "establishes national standards to protect" that e-PHI.
business associates to ensure the confidentiality of e-PHI, identify
(3) Key to the effectiveness of the risk assessment is to scope it to include all information technology across the organization that handles electronic-protected health information (e-PHI
[or] [m]aintained in electronic media," (134) or "e-PHI." (135) According to the HHS's website, "[e]-PHI does not include ...
(146) The lack of a firm requirement to encrypt e-PHI transmissions thus further weakens the Security Rule's protections for telemental health patients.
In Figure 4(a), E-phi and E-theta for the E-plane are given.
The risk assessment is described in the Security Rule as "an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by the covered entity."
Generally speaking, the Office for Civil Rights guidance on "Ransomware and HIPAA" says that when electronic protected health information (e-PHI) is encrypted as the result of a ransomware attack, a breach has occurred because the e-PHI encrypted by the ransomware was acquired (i.e.
Piedmont's network includes a wide variety of servers and technology that process and store electronic-protected health information (e-PHI).
OIG audited Piedmont's administrative, physical and technical safeguards, including the hospital's policies and procedures relating to e-PHI access; the risk assessment relative to e-PHI; electronically transmitting e-PHI; preventing, detecting, containing and correcting security violations; monitoring systems; remote access; wireless security; antivirus mechanisms; firewalls; and other e-PHI security requirements.