Are Lab Results on a Computer PHI or ePHI? Explained
Short answer: yes—lab results stored, processed, or sent on a computer are electronic protected health information (ePHI) when they can identify a patient and are handled by a covered entity or its business associate. Those same results are protected health information (PHI) in any format, but they become ePHI the moment they exist in electronic form. Understanding the distinction helps you apply HIPAA regulations correctly and safeguard confidentiality, data integrity, and availability.
Definition of Protected Health Information
What makes information PHI
Protected Health Information is any individually identifiable health information created, received, maintained, or transmitted by a covered entity (like a provider, health plan, or clearinghouse) or a business associate. It relates to a person’s past, present, or future physical or mental health, the provision of care, or payment for care, and it either identifies the individual or could reasonably be used to identify them.
PHI spans all formats—paper, oral, and electronic. A printed lab report with a patient’s name, a discharge summary, or a billing statement tied to a diagnosis are all PHI because they reveal health information about an identifiable person.
What PHI excludes
- De-identified information that cannot identify an individual under HIPAA’s de-identification standards.
- Employment records held by a covered entity in its role as employer.
- Education records protected by FERPA.
Definition of Electronic Protected Health Information
What counts as ePHI
Electronic Protected Health Information is simply PHI in electronic form. If the information is stored, received, maintained, or transmitted on electronic media—such as EHR systems, lab information systems, cloud storage, servers, hard drives, USB devices, patient portals, email, or secure messaging—it is ePHI.
Electronic media and scope
Electronic media include storage (e.g., servers, laptops, smartphones, backups) and transmission media (e.g., networks and the internet). ePHI requires safeguards that preserve confidentiality (no unauthorized access), data integrity (no improper alteration or destruction), and availability (accessible to authorized users when needed).
Lab Results as Electronic Protected Health Information
When lab results are ePHI
Lab results on a computer are ePHI if they can be linked to a person—directly (name, medical record number) or indirectly (combinations like test date plus unique identifiers)—and are handled by a covered entity or business associate. Results viewed in an EHR, stored in a lab information system, attached to an email, exported as a PDF, or synced to a patient portal all qualify as ePHI.
Practical examples and caveats
- A CBC result saved on a hospital server with a patient’s MRN: ePHI.
- The same result printed and filed: still PHI, but not ePHI once it exists only on paper.
- An anonymized dataset of lab values with identifiers removed per HIPAA: not PHI/ePHI.
- Results on a patient’s personal device or app may fall outside HIPAA if no covered entity or business associate is involved, but the data remain sensitive and should be protected.
HIPAA Compliance Requirements for ePHI
The HIPAA Security Rule sets out specific safeguards for ePHI. Your program should align with HIPAA regulations and the core security objectives of confidentiality, data integrity, and availability.
Administrative safeguards
- Conduct a thorough risk analysis and implement risk management to reduce risks to ePHI.
- Define and enforce role-based access, the minimum necessary standard, and workforce training with a sanctions policy.
- Execute business associate agreements (BAAs) that bind vendors to Security Rule requirements.
- Establish incident response, breach identification and notification procedures, and contingency plans (backup, disaster recovery, emergency mode operations).
- Document policies and procedures and perform periodic evaluations.
Physical safeguards
- Control facility access and monitor visitors to areas housing systems with ePHI.
- Set workstation use and security standards (screen privacy, automatic logoff, secure locations).
- Manage device and media controls—secure disposal, media re-use, asset tracking, and encryption of portable devices.
Technical safeguards
- Access controls: unique user IDs, least privilege, multi-factor authentication, emergency access procedures, automatic session timeouts.
- Audit controls: log access and activity on systems storing lab results; review logs routinely.
- Integrity controls: change monitoring, checksums/hashes, and validated interfaces to prevent unauthorized alteration.
- Transmission security: protect ePHI in motion (TLS/VPN); use secure messaging rather than standard SMS or unsecured email.
- Encryption at rest: an addressable safeguard that is strongly recommended based on your risk analysis.
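The following is an added example, not code from the original article, showing three of the technical safeguards above working together in a minimal in-memory lab-result store: role-based access control, an audit log entry for every access attempt, and an integrity check (a keyed hash) verified on every read. The users, roles, records and the integrity key are all constructed for illustration.

```python
"""Added example, not code from the original article: a minimal in-memory
lab-result store that applies three of the technical safeguards listed
above: role-based access control, an audit log entry for every access
attempt, and an integrity check on every read.  Users, roles, records and
the integrity key are all constructed for illustration."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed role assignments: who may write and who may read results.
WRITE_ROLES = {"lab_tech"}
READ_ROLES = {"lab_tech", "physician"}

# Constructed key.  A real deployment would hold this in a key management
# system, separate from the database, so that whoever can edit rows cannot
# also recompute the digest.
INTEGRITY_KEY = b"example-only-integrity-key"


def record_digest(record: dict) -> str:
    """Keyed SHA-256 over a canonical JSON form of the result.

    An HMAC rather than a bare hash is used so that an out-of-band edit to
    the row cannot be hidden by simply recomputing the checksum."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, canonical, hashlib.sha256).hexdigest()


class LabResultStore:
    def __init__(self):
        self._rows = {}      # result_id -> {"record": dict, "digest": str}
        self.audit_log = []  # one entry per access attempt, allowed or not

    def _audit(self, user, role, action, result_id, outcome):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "action": action,
            "result_id": result_id, "outcome": outcome,
        })

    def write(self, user, role, result_id, record):
        if role not in WRITE_ROLES:
            self._audit(user, role, "write", result_id, "denied")
            raise PermissionError(f"role {role!r} may not write lab results")
        self._rows[result_id] = {"record": dict(record), "digest": record_digest(record)}
        self._audit(user, role, "write", result_id, "ok")

    def read(self, user, role, result_id):
        if role not in READ_ROLES:
            self._audit(user, role, "read", result_id, "denied")
            raise PermissionError(f"role {role!r} may not read lab results")
        row = self._rows[result_id]
        # Verify the stored digest before returning anything to the caller.
        if not hmac.compare_digest(row["digest"], record_digest(row["record"])):
            self._audit(user, role, "read", result_id, "integrity_failure")
            raise ValueError(f"integrity check failed for {result_id}")
        self._audit(user, role, "read", result_id, "ok")
        return dict(row["record"])


def tamper_with(store, result_id, field, value):
    """Simulate a change that bypasses the application (e.g. a direct
    database edit); the API never updates the digest for such changes."""
    store._rows[result_id]["record"][field] = value


def review_audit_log(store):
    """Routine log review: return every entry that was not a normal access."""
    return [e for e in store.audit_log if e["outcome"] != "ok"]


def demo():
    """Run the scenario and return the outcomes the log review flags."""
    store = LabResultStore()
    cbc = {"mrn": "MRN-000123", "test": "CBC", "hemoglobin_g_dl": 13.8}  # constructed
    store.write("tech01", "lab_tech", "R1", cbc)
    assert store.read("dr_lee", "physician", "R1") == cbc
    try:
        store.read("billing02", "billing", "R1")   # role not permitted
    except PermissionError:
        pass
    tamper_with(store, "R1", "hemoglobin_g_dl", 9.1)  # silent alteration
    try:
        store.read("dr_lee", "physician", "R1")     # digest no longer matches
    except ValueError:
        pass
    return [e["outcome"] for e in review_audit_log(store)]


if __name__ == "__main__":
    print(demo())  # ['denied', 'integrity_failure']
```

Two design points worth noting: the audit log records denied attempts as well as successful ones, since a run of denials is exactly what a routine review should surface; and the integrity value is a keyed HMAC rather than a plain SHA-256, because a plain hash stored beside the row can be recomputed by anyone who can edit the row.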
Operational practices that strengthen HIPAA compliance
- Patch and vulnerability management to reduce exploit risk.
- Network segmentation, least-privilege service accounts, and secure APIs for system-to-system lab data exchanges.
- Regular backups with tested restores to ensure availability of critical lab data.
Examples of Electronic Protected Health Information
- Lab test results stored in a lab information system or EHR, tied to patient identifiers.
- Radiology images and reports (DICOM files) linked to patient demographics.
- E-prescriptions and medication administration records referencing a specific patient.
- Billing, claims, and eligibility files that include diagnoses or procedure codes with identifiers.
- Secure messages or emails containing appointment details, test results, or care plans.
- Patient portal messages and uploaded documents that include health information.
- Device backups, archives, or cloud snapshots that contain identifiable health data.
- Remote monitoring and telehealth session records associated with an identifiable patient.
De-identified Health Data
When health data falls outside HIPAA
Health data are de-identified—and thus not PHI/ePHI—when they no longer identify an individual and there is no reasonable basis to believe they can identify an individual. HIPAA recognizes two pathways:
- Safe Harbor: removal of specific identifiers (such as names, contact details, precise geocodes, full-face photos, and other listed elements) and no actual knowledge of re-identification risk.
- Expert Determination: a qualified expert applies accepted methods to conclude the risk of re-identification is very small, and documents the analysis.
Limited Data Set versus de-identified data
A Limited Data Set removes most direct identifiers but may retain some elements (e.g., dates, city, state). It is still PHI and requires a data use agreement. Truly de-identified data falls outside HIPAA, though you should maintain governance to prevent re-identification.
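As an added example (not from the original article) covering both the Safe Harbor pathway described above and the Limited Data Set comparison in this section, the code below strips a constructed lab result record two ways: a Safe Harbor style removal that drops direct identifiers, reduces dates to years, truncates ZIP codes and aggregates ages over 89, and a Limited Data Set that keeps dates, city, state and ZIP. The identifier list is a subset of the Safe Harbor elements chosen for illustration, not the complete regulatory list, the ZIP population table is constructed, and Expert Determination (a statistical judgement, not a mechanical transform) is not modelled.

```python
"""Added example, not from the original article: Safe Harbor style
identifier removal applied to a lab result record, beside the Limited Data
Set derived from the same record.  The record and the ZIP prefix population
table are constructed; the identifier list is a subset of the Safe Harbor
elements chosen for illustration, not the complete regulatory list."""

# Direct identifiers that both Safe Harbor and a Limited Data Set remove (subset).
DIRECT_IDENTIFIERS = {"name", "mrn", "ssn", "phone", "email", "street_address",
                      "account_number", "device_serial"}

# Free-text fields may carry identifiers and cannot be cleaned mechanically.
FREE_TEXT_FIELDS = {"notes"}

# Constructed: 3-digit ZIP prefixes whose combined population is under 20,000.
# Safe Harbor requires those prefixes to be reported as 000.
SMALL_POPULATION_ZIP3 = {"036", "102", "203"}  # constructed values


def safe_harbor(record):
    """Return (de-identified record, names of fields needing manual review)."""
    out, review = {}, []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                   # removed outright
        if key in FREE_TEXT_FIELDS:
            review.append(key)                         # flag for a human
            continue
        if key == "city":
            continue                                   # below state level: removed
        if key == "zip":
            zip3 = str(value)[:3]
            out["zip3"] = "000" if zip3 in SMALL_POPULATION_ZIP3 else zip3
        elif key.endswith("_date"):
            out[key[:-5] + "_year"] = str(value)[:4]   # keep the year only
        elif key == "age":
            out["age"] = "90+" if int(value) > 89 else int(value)
        else:
            out[key] = value                           # clinical content stays
    # Ages over 89 must be aggregated, and a birth year would reveal them.
    if out.get("age") == "90+":
        out.pop("birth_year", None)
    return out, review


def limited_data_set(record):
    """Direct identifiers and free text removed; dates, city, state and ZIP
    retained.  Still PHI: release requires a data use agreement."""
    return {k: v for k, v in record.items()
            if k not in DIRECT_IDENTIFIERS and k not in FREE_TEXT_FIELDS}


# Constructed lab result record.
SAMPLE = {
    "name": "Jane Q. Public", "mrn": "MRN-000123", "phone": "555-0100",
    "street_address": "12 Elm St", "city": "Springfield", "state": "IL",
    "zip": "62704", "age": 93, "birth_date": "1931-02-01",
    "collection_date": "2024-03-15", "test": "CBC", "hemoglobin_g_dl": 13.8,
    "notes": "Patient says her neighbour Mr. Smith drove her in.",
}

if __name__ == "__main__":
    print(safe_harbor(SAMPLE))
    print(limited_data_set(SAMPLE))
```

The free-text handling is the part most often missed: structured identifiers can be stripped by rule, but a notes field can name a third party or a street, so the function returns it for review rather than pretending it is clean. The Limited Data Set output still contains the collection date and city, which is why it remains PHI under a data use agreement while the Safe Harbor output does not.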
HIPAA Privacy and Security Rules
The HIPAA Privacy Rule governs how PHI in any form may be used and disclosed, sets the minimum necessary standard, and grants individuals rights (access, amendment, and accounting of disclosures). The HIPAA Security Rule focuses specifically on ePHI and mandates administrative, physical, and technical safeguards to protect it.
Together, these rules require you to limit uses and disclosures, protect systems and data, train your workforce, and ensure vendors meet equivalent protections. For lab results on computers, that means controlling access, logging activity, encrypting where appropriate, maintaining reliable backups, and disclosing only what is necessary for care or operations.
FAQs
What distinguishes PHI from ePHI?
PHI is individually identifiable health information in any format—paper, oral, or electronic—handled by a covered entity or business associate. ePHI is that same information when it is created, stored, transmitted, or received electronically. All ePHI is PHI, but not all PHI is ePHI (for example, a paper-only lab report is PHI, not ePHI).
Are electronic lab results protected under HIPAA?
Yes. If lab results can identify a patient and are created, stored, or transmitted electronically by a covered entity or business associate, they are ePHI and must be protected under HIPAA regulations.
How can covered entities secure lab results on computers?
Apply the Security Rule’s administrative, physical, and technical safeguards: perform a risk analysis; enforce role-based access and multi-factor authentication; log and review system activity; encrypt data in transit (and at rest based on risk); protect facilities and devices; manage backups and disaster recovery; and train staff on the minimum necessary standard and incident response.
What constitutes de-identified health data under HIPAA?
Data are de-identified when they cannot identify an individual and there is no reasonable basis to believe they can. HIPAA allows two methods: remove specified identifiers under Safe Harbor and ensure no actual knowledge of re-identification risk, or obtain Expert Determination that the risk of re-identification is very small, with documentation of the methodology.