All of the Following Can Be Considered ePHI—Except These Examples
Under HIPAA (45 CFR 160.103), protected health information (PHI) is individually identifiable health information that a covered entity or its business associate creates, receives, maintains, or transmits; electronic protected health information (ePHI) is the subset of PHI that is transmitted by or maintained in electronic media. The definition is shared by the Privacy Rule and the Security Rule, but only ePHI is subject to the Security Rule’s administrative, physical, and technical safeguards. Several data types people assume are ePHI actually fall outside that scope. This guide clarifies the common exceptions and the narrow circumstances in which they can still become ePHI.
Use these distinctions to sharpen Healthcare Operations Compliance, strengthen Electronic Health Records Security where it truly applies, and avoid over- or under-protecting data. Where relevant, you’ll see how Data De-identification Standards and organizational context determine what is and isn’t Protected Health Information.
De-identified Health Information
De-identified data, often loosely called anonymized health data, is not PHI (and therefore not ePHI) because it neither identifies an individual nor provides a reasonable basis to believe it could be used to do so. HIPAA recognizes two methods (45 CFR 164.514(b)): expert determination, in which a qualified expert applies accepted statistical or scientific principles and documents that the risk of re-identification is very small; and the “safe harbor” method, which removes 18 listed identifiers of the individual and of the individual’s relatives, employers, and household members, and additionally requires that the covered entity have no actual knowledge that the remaining information could identify the individual.
The data remains outside ePHI as long as nothing in the released set can readily re-link a record to a person. The rule does allow the covered entity to assign a re-identification code (45 CFR 164.514(c)), provided the code is not derived from or related to information about the individual (a scrambled or hashed SSN or MRN does not qualify) and the mechanism for re-identification is not disclosed. If the entity keeps such a key under strict controls, the released dataset is still not ePHI, but the keyed, re-linkable version held inside the organization is.
When it can become ePHI again
If de-identified data is combined with other information that reasonably re-identifies an individual, or if a re-identification key is misused or disclosed, the resulting dataset is once again PHI—ePHI when held electronically by a covered entity or business associate. Continuous governance and documented Data De-identification Standards are essential.
Practical implications
- Use expert review or safe-harbor removal to publish analytics safely.
- Store re-identification keys separately with access controls and audit logs.
- Label de-identified datasets clearly to guide proper handling and sharing.
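The following Python module is an added example for this page, not code from the original article or from any vendor. It applies the safe-harbor rules described above to a constructed patient record (names, addresses, identifiers, and diagnoses are all made up): direct identifiers are dropped, ZIP codes are cut to three digits (with the 17 low-population prefixes from HHS’s safe-harbor guidance collapsed to 000), dates are reduced to the year, ages over 89 are aggregated, and a random re-identification code is issued from a key store that the covered entity keeps apart from the released data and that logs every lookup. The record layout and the key store design are assumptions for illustration.

```python
"""Safe Harbor de-identification (45 CFR 164.514(b)(2)) with a separately held
re-identification key (164.514(c)).

Added example for this page, not code from the original article or any vendor.
Assumptions: the record layout and sample patients are constructed; the 17
restricted ZIP prefixes follow the list in HHS's Safe Harbor guidance.
"""
import secrets
from datetime import date

# Direct identifiers that Safe Harbor requires to be removed outright.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_no", "license_no", "vehicle_id",
    "device_serial", "url", "ip", "biometric", "photo",
}
# Dates directly related to the individual: keep the year only.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
# 3-digit ZIP prefixes with 20,000 or fewer residents: must become "000".
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}


def generalize_zip(zip_code):
    """Geographic data below state level is limited to the first 3 ZIP digits."""
    zip3 = str(zip_code)[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_on(birth_date, as_of):
    had_birthday = (as_of.month, as_of.day) >= (birth_date.month, birth_date.day)
    return as_of.year - birth_date.year - (0 if had_birthday else 1)


class ReidentificationKeyStore:
    """Held by the covered entity, apart from the released dataset.

    Tokens are random, so they are not derived from anything about the
    patient (a hash of the MRN would be). Every lookup is written to an
    audit trail so re-identification is attributable.
    """
    def __init__(self):
        self._token_to_mrn = {}
        self.audit_log = []

    def issue(self, mrn):
        token = secrets.token_hex(8)
        self._token_to_mrn[token] = mrn
        return token

    def resolve(self, token, actor, purpose):
        self.audit_log.append((actor, purpose, token))
        return self._token_to_mrn[token]


def de_identify(record, as_of, keystore):
    """Return a Safe Harbor record; the original stays PHI inside the entity."""
    age = age_on(record["birth_date"], as_of)
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                            # dropped entirely
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field in DATE_FIELDS:
            # Ages over 89 are aggregated, and a birth year would reveal such
            # an age, so the birth year is dropped for those patients too.
            if field == "birth_date" and age > 89:
                continue
            out[field.replace("_date", "_year")] = value.year
        else:
            out[field] = value                  # state, sex, diagnosis, labs
    out["age"] = "90+" if age > 89 else age
    out["record_code"] = keystore.issue(record["mrn"])
    return out


def re_identify(deid_record, keystore, source_records, actor, purpose):
    """Re-linking the code recreates PHI; this path must be access-controlled."""
    mrn = keystore.resolve(deid_record["record_code"], actor, purpose)
    return next(r for r in source_records if r["mrn"] == mrn)


# Constructed sample patients (not real people).
SAMPLE_RECORDS = [
    {"mrn": "MRN-00042", "name": "Jane Q. Sample", "ssn": "123-45-6789",
     "email": "jane@example.org", "street": "1 Main St", "city": "Acworth",
     "state": "NH", "zip": "03601", "birth_date": date(1931, 3, 14),
     "admission_date": date(2024, 2, 9), "diagnosis": "E11.9", "sex": "F"},
    {"mrn": "MRN-00077", "name": "John R. Sample", "phone": "415-555-0100",
     "state": "CA", "zip": "94110", "birth_date": date(1988, 11, 2),
     "admission_date": date(2024, 5, 20), "discharge_date": date(2024, 5, 22),
     "diagnosis": "J18.9", "sex": "M"},
]


def release_dataset(records=SAMPLE_RECORDS, as_of=date(2024, 6, 1)):
    """De-identify every record; return the releasable rows and the key store."""
    keystore = ReidentificationKeyStore()
    released = [de_identify(r, as_of, keystore) for r in records]
    return released, keystore


if __name__ == "__main__":
    released, keystore = release_dataset()
    for row in released:
        print(row)
```

The released rows carry only state, three-digit ZIP, years, age band, clinical fields, and a random code; the key store is the piece that must never ship with them, and its audit log is what the access-control and logging bullets above refer to. Safe harbor is a floor, not proof of non-identifiability: rare diagnoses combined with state and year can still single people out, which is when expert determination is the better route.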
Employment Records
Employment records held by an employer are not PHI or ePHI, even when they contain health-related details. Examples include sick notes, FMLA certifications, drug-test results, or workplace injury logs kept in HR systems. HIPAA regulates covered entities acting as providers, health plans, or clearinghouses; it does not govern employers in their role as employers. This holds even when the employer is itself a covered entity: the PHI definition in 45 CFR 160.103 expressly excludes employment records held by a covered entity in its role as employer, so a hospital’s own HR files about its staff are not PHI, while the same hospital’s clinical records about those staff as patients are.
When employment information can be ePHI
If a healthcare provider treats an individual and documents the visit, those clinical records are PHI/ePHI within the provider’s system. If the employer receives a summary from the provider, the copy in the employer’s HR file is still not PHI—but the provider’s copy remains PHI/ePHI. Keep roles and system boundaries clear to maintain compliance.
Compliance tips
- Segregate HR systems from clinical systems to avoid unnecessary HIPAA scope.
- Disclose fitness-for-duty information to employers only with the individual’s written authorization (or under one of the narrow workplace-surveillance exceptions in 45 CFR 164.512(b)), and limit it to the minimum necessary.
- Train workforce on the difference between employer records and patient records.
Educational Records
Student education records maintained by schools or districts are generally governed by FERPA, not HIPAA. When a record qualifies as a FERPA “education record” or eligible “treatment record,” it is excluded from HIPAA and therefore not ePHI, even if stored electronically.
When school health information can be ePHI
Health information handled by an external clinic or telehealth provider that operates as a covered entity separate from the school can be ePHI. Likewise, if a university health system treats non-student patients or exchanges data with other covered entities, those records are PHI/ePHI inside the provider’s systems.
Operational guidance
- Identify whether FERPA or HIPAA applies before setting safeguards.
- For mixed environments, document data flows and designate system owners.
- Apply the minimum necessary standard for any disclosures from school clinics.
Personal Health Records
Personal Health Records (PHRs) that consumers maintain directly—such as information typed into a standalone wellness journal or stored only in a personal app—are typically not ePHI because a covered entity or business associate is not creating, receiving, maintaining, or transmitting them.
When PHR data can be ePHI
If a covered entity provides the PHR or contracts with an app vendor as a business associate (for example, an EHR-tethered patient portal or provider-sponsored remote monitoring app), then information in that system is PHI/ePHI. Context—who controls the system and for what purpose—determines HIPAA coverage.
What to check
- Is the app sponsored by your provider or health plan (a covered entity)?
- Does the vendor act as a business associate under a signed business associate agreement?
- Are records integrated with Electronic Health Records Security controls?
Non-health Related Information
Not all personal data is PHI. Identifiers such as name, email, or IP address are only PHI when linked to health information by a covered entity or business associate. A shipping address in a retail system or a device ID in a generic app, standing alone, is not ePHI.
When it becomes ePHI
As soon as a covered entity associates identifiers with medical details—diagnoses, treatment plans, claims, or appointment histories—the combined record is PHI/ePHI. Keep a bright line between general customer data and clinical or payment information to avoid inadvertently expanding HIPAA scope.
Examples
- Not ePHI: A gym’s membership roster with no clinical context.
- ePHI: A health plan’s wellness incentive file showing members’ biometric results.
- Not ePHI: E-commerce purchase history unrelated to healthcare services.
Verbal and Handwritten Communications
Verbal conversations and purely handwritten notes are not electronic; therefore, they are not ePHI. However, they can still be PHI and are subject to HIPAA’s privacy protections when handled by covered entities or business associates. The same goes for a paper-to-paper fax or a telephone call: 45 CFR 160.103 does not treat those as electronic-media transmissions when the information did not exist in electronic form immediately before being sent.
When they become ePHI
Once you record, scan, photograph, or type those communications into an electronic system—such as an EHR, secure email, or voicemail retained on a server—they become ePHI. Apply appropriate access controls, audit trails, and retention policies at that point.
Good practices
- Hold clinical discussions in private areas to protect PHI.
- Store handwritten notes securely; avoid unnecessary duplication into systems.
- If transcribing, classify and safeguard the electronic version as ePHI.
Electronic Health Information on Personal Devices
Health information on a personal device is not automatically ePHI. If a patient tracks symptoms in a notes app and never sends them to a provider, that content is outside HIPAA. Context—who controls the data and whether a covered entity or business associate is involved—decides HIPAA applicability.
When it is not ePHI
Data that stays solely on a patient’s phone or wearable and is not transmitted to a covered entity or its vendor is not ePHI. The same holds for messages exchanged in consumer platforms unrelated to care delivery or plan operations.
When it is ePHI
Patient data that workforce members reach from bring-your-own devices (chart views, cached attachments), messages in a secure messaging app provisioned by a hospital, and images taken for clinical documentation and synced to enterprise systems are all ePHI, because a covered entity is maintaining or transmitting them. In these cases, enforce Mobile Device Management, encryption at rest and in transit, remote wipe, and role-based access to meet Electronic Health Records Security requirements.
Operational safeguards
- Restrict local storage; prefer containerized, access-logged apps managed by IT.
- Use multi-factor authentication and automatic lockout on all clinical apps.
- Document acceptable use and incident response for lost or stolen devices.
Conclusion
Under HIPAA, whether something is ePHI hinges on three factors: identifiability, covered-entity context, and electronic form. De-identified data, employer HR files, FERPA-governed student records, consumer PHRs, purely non-health data, and non-electronic communications are generally outside ePHI. They come inside it when a covered entity or business associate links them to identifiable health information for treatment, payment, or operations, or, in the case of PHI that was oral or on paper, records it electronically. Clarify context first, then apply right-sized safeguards.
FAQs
What types of health information are excluded from ePHI?
Information is excluded when it is not electronic, not individually identifiable, or not created, received, maintained, or transmitted by a covered entity or business associate. Common examples include de-identified datasets, employer-held HR records, FERPA education or treatment records, and patient-maintained notes that never reach a provider’s system.
How does de-identified data differ from ePHI?
De-identified data has had individual identifiers removed or generalized under recognized Data De-identification Standards (expert determination or safe harbor) so that a person cannot reasonably be identified. Because it is no longer “individually identifiable,” HIPAA’s PHI definition does not apply to it. The identifiable source records, and any re-linkable keyed copy a covered entity keeps, remain PHI, and are ePHI when held electronically.
Are personal fitness app records considered ePHI?
Usually no. If the app is consumer-facing and not provided by a covered entity or its business associate, your fitness metrics are not ePHI. If your provider or health plan sponsors the app or integrates its data into clinical systems, those records are treated as PHI/ePHI within that covered environment.
When do employment records become ePHI?
Employment records kept by an employer remain outside HIPAA even if they mention health facts. They become ePHI only when the information is held in a covered entity’s healthcare records—for example, when a provider documents a visit or a health plan stores claims tied to an individual.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.