Classifying Customer Lab Results on a Computer: PHI or ePHI?

Kevin Henry

HIPAA

April 24, 2024

6 minutes read

When you handle customer lab results, classification turns on two things: whether the data can identify a person and the medium you use to store or transmit it. If the results are tied to an individual, they are Protected Health Information (PHI); if those same results live on a computer or move electronically, they are Electronic Protected Health Information (ePHI).

Understanding the HIPAA Privacy Rule and the Security Rule helps you decide how to store, access, and secure these records without over- or under-protecting them.

Definition of Protected Health Information

PHI is individually identifiable health information that a covered entity or its business associate creates, receives, maintains, or transmits, in any form or medium, and that relates to a person’s past, present, or future physical or mental health, the provision of care, or payment for care. The HIPAA Privacy Rule governs how you may use and disclose PHI and imposes the “minimum necessary” standard on most uses and disclosures.

What makes information “individually identifiable”?

  • Direct identifiers such as name, full-face photos, phone and fax numbers, email addresses, Social Security numbers, and account or medical record numbers.
  • Quasi-identifiers that can identify someone when combined: dates more specific than a year (birth, specimen collection, admission, discharge), geographic units smaller than a state (street address, city, full ZIP code), ages over 89, and device, IP, or network identifiers.
  • Any other unique number, code, or characteristic that can link the data back to a specific person.

If the data cannot reasonably identify an individual, it is not PHI. Most raw lab outputs become PHI the moment they are linked to a name, ID, or another identifier.

Explanation of Electronic Protected Health Information

ePHI is simply PHI in electronic form—created, received, maintained, or transmitted on electronic media. That includes desktops, laptops, servers, smartphones, tablets, removable media, and cloud services.

Common examples include emailing a lab report, storing results in an EHR, scanning a paper report to a PDF, or syncing results to a cloud drive. Printing an electronic record yields PHI on paper, but the file on your computer remains ePHI and triggers security obligations.

Lab Results as Protected Health Information

Lab results typically qualify as PHI because they describe an individual’s health status and are usually linked to identifiers—patient name, date of birth, medical record number, or an order number that maps back to the person.

  • Lab results are PHI when they are tied to a specific person or can reasonably be re-identified.
  • Aggregated statistics that cannot be traced to any person are not PHI, provided no re-identification risk remains.

If you detach results from all identifiers and remove reasonable re-identification risk, the data falls outside PHI. Until then, treat them as PHI.

Lab Results as Electronic Protected Health Information

Once you store customer lab results on a computer or send them electronically, they become ePHI. The classification follows the data, not the system’s label—screenshots, cached files, synced folders, and backups containing the results are all ePHI.

Scanning a paper report creates ePHI (the paper original remains PHI); copying ePHI to a USB drive, a laptop, or a cloud repository keeps it as ePHI. This status invokes the HIPAA Security Rule’s safeguards in addition to the Privacy Rule requirements that already apply.

HIPAA Security Rule Requirements

The Security Rule requires you to safeguard ePHI through a risk-based program spanning Administrative Safeguards, Technical Safeguards, and Physical Safeguards. Your controls must be reasonable and appropriate for your size, complexity, and risks.

Administrative Safeguards

  • Perform a periodic risk analysis and implement a risk management plan.
  • Define policies and procedures for access authorization, security incident response, contingency planning (backup and disaster recovery), and workforce sanctions.
  • Train your workforce on acceptable use, phishing, and handling ePHI.
  • Execute Business Associate Agreements with vendors that create, receive, maintain, or transmit ePHI.

Technical Safeguards

  • Access controls: unique user IDs, authentication, least privilege, role-based authorization, automatic logoff, and an emergency access procedure.
  • Audit controls: log access, changes, and disclosures; review for anomalies.
  • Integrity controls to protect against improper alteration or destruction.
  • Transmission security to protect ePHI sent over networks, including strong encryption in transit.

Physical Safeguards

  • Facility access controls and visitor management for server rooms and offices.
  • Workstation security and screen privacy to prevent shoulder surfing.
  • Device and media controls for secure storage, movement, reuse, and disposal of hardware.

Storage and Access Controls for ePHI

Strong storage and access practices keep ePHI confidential, intact, and available. Focus on preventing unauthorized access while ensuring clinicians and support staff can do their jobs.

  • Inventory where ePHI resides: endpoints, servers, EHRs, file shares, mobile devices, and backups.
  • Enforce least-privilege, role-based access, and time-bound permissions for temporary needs.
  • Require multi-factor authentication for remote access, admin accounts, and sensitive roles.
  • Encrypt laptops, mobile devices, and removable media; enable remote lock and wipe.
  • Patch operating systems and applications; harden configurations and disable unused services.
  • Monitor and alert on anomalous logins, mass downloads, and unusual data transfers.
  • Back up ePHI securely, test restores regularly, and encrypt backups at rest and in transit.
  • Sanitize or destroy drives and paper outputs using approved disposal methods.
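The audit-control and monitoring bullets above are easier to act on with something concrete to run. The following is an added example, not code from the original article or from Accountable: it reviews an EHR-style access log for two of the patterns named above, one user touching an unusual number of distinct patients’ lab results in a short window, and logins outside business hours. The pipe-separated log format, the field names, the thresholds and the business-hours window are all assumptions, and the sample log lines are constructed for the example.

```python
"""Review an ePHI access log for mass-access and off-hours login patterns.

Added example, not the article's code. The pipe-separated audit format,
the field names and the thresholds below are assumptions; adapt parse_line()
to the audit export of your EHR or file server.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample audit lines (not from a real system). Each line is
# "<ISO timestamp> | <user> | <action> | <MRN or -> | <resource>".
SAMPLE_LOG = """\
2024-04-24T02:12:05 | nurse_k | LOGIN | - | portal
2024-04-24T02:12:40 | nurse_k | VIEW | MRN-2001 | lab_result
2024-04-24T08:00:00 | dr_lee | LOGIN | - | portal
2024-04-24T08:01:10 | dr_lee | VIEW | MRN-1001 | lab_result
2024-04-24T08:03:30 | dr_lee | VIEW | MRN-1002 | lab_result
2024-04-24T08:05:00 | dr_lee | VIEW | MRN-1001 | lab_result
2024-04-24T09:00:00 | billing_t | LOGIN | - | portal
""" + "".join(
    # 25 different patients' results exported within 25 seconds
    f"2024-04-24T09:00:{i:02d} | billing_t | EXPORT | MRN-3{i:03d} | lab_result\n"
    for i in range(25)
)

BUSINESS_HOURS = (time(6, 0), time(20, 0))  # assumed site policy


def parse_line(line):
    """Parse one audit line into a dict; MRN is None for non-patient events."""
    ts, user, action, mrn, resource = [f.strip() for f in line.split("|")]
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "action": action,
        "mrn": None if mrn == "-" else mrn,
        "resource": resource,
    }


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_mass_access(events, threshold=20, window=timedelta(minutes=10)):
    """Flag users who access >= threshold distinct patients within `window`.

    Counting distinct patients rather than raw events keeps a clinician
    re-opening one patient's chart from looking like a bulk download.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["mrn"] is not None:
            by_user[e["user"]].append(e)

    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        start, peak, first_crossed = 0, 0, None
        for end, e in enumerate(evs):
            # Slide the window start forward so it spans at most `window`.
            while evs[start]["ts"] < e["ts"] - window:
                start += 1
            distinct = len({x["mrn"] for x in evs[start:end + 1]})
            peak = max(peak, distinct)
            if distinct >= threshold and first_crossed is None:
                first_crossed = e["ts"]
        if first_crossed is not None:
            alerts[user] = {
                "peak_distinct_patients": peak,
                "first_crossed": first_crossed,
            }
    return alerts


def find_off_hours_logins(events, hours=BUSINESS_HOURS):
    """Return LOGIN events whose local time falls outside business hours."""
    return [
        e for e in events
        if e["action"] == "LOGIN" and not (hours[0] <= e["ts"].time() < hours[1])
    ]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for user, info in find_mass_access(evts).items():
        print(f"ALERT mass access: {user} touched {info['peak_distinct_patients']} "
              f"patients, threshold first crossed at {info['first_crossed']}")
    for e in find_off_hours_logins(evts):
        print(f"ALERT off-hours login: {e['user']} at {e['ts']}")
```

The alert is keyed on distinct patients per user per window, which is what separates a clinician working through a clinic list from a bulk export. Tune the threshold and window per role (a billing clerk and an emergency physician have different baselines), and route the alerts into the same review process the audit-control bullet already requires, so that every alert ends with a documented disposition.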

Encryption and De-Identification of ePHI

Encryption reduces breach risk by making data unreadable to anyone who does not hold the key. Use strong, industry-accepted algorithms (for example AES for data at rest and TLS for data in transit), separate key custody from data administration so that no single role can both reach the ciphertext and hold the key, rotate keys periodically, and encrypt ePHI both at rest and in transit. Encryption is an addressable rather than required specification under the Security Rule, but ePHI encrypted consistently with HHS guidance is not “unsecured PHI”, so losing an encrypted laptop whose key was not also exposed does not trigger breach notification. Document the decision either way.

When you no longer need person-level data, consider de-identification. HIPAA recognizes two methods: Safe Harbor (remove all 18 specified identifier types, including names, dates more specific than a year, geographic units smaller than a state, ages over 89, and account or record numbers, and have no actual knowledge that the remaining data could identify the individual) and Expert Determination (a qualified expert applies accepted statistical principles, documents the methods, and concludes that the re-identification risk is very small). A re-identification code may be assigned, but it must not be derived from information about the individual; if a coded dataset can be linked back to identities, protect the code and the mapping file as ePHI.
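The Safe Harbor method is mechanical enough to show in code. The following is an added example, not code from the original article or from Accountable: it applies the Safe Harbor rules that matter for a typical lab-result record (drop direct identifiers, reduce dates to the year, collapse ages over 89 into one bucket and suppress the birth year for them, truncate ZIP codes to three digits and zero the sparsely populated prefixes) and replaces the medical record number with a random code held in a separate mapping, which, as the section above says, must itself be protected as ePHI. The field names, the sample records, and the allow-list of pass-through fields are assumptions; the restricted three-digit ZIP prefixes are the set from the HHS Safe Harbor guidance (2000 census figures) and should be confirmed against current guidance before use.

```python
"""Safe Harbor style de-identification of a lab-result record.

Added example, not the article's code. It applies the Safe Harbor identifier
rules that matter for a typical lab record and keeps the re-identification
mapping in a separate object, which (as the article notes) must itself be
protected as ePHI. Field names and the sample records are constructed.
"""
import re
import secrets
from datetime import date

# Direct identifiers: dropped outright. Any other field not explicitly
# allow-listed below is rejected, so new columns have to be classified before
# a dataset can be released.
DROP_FIELDS = {"name", "phone", "email", "fax", "street_address", "city", "ssn",
               "account_number", "device_id", "ip_address", "url", "photo"}
DATE_FIELDS = {"collected_at", "reported_at"}        # reduced to year only
SAFE_FIELDS = {"test", "value", "units", "reference_range", "sex", "state"}
# Three-digit ZIP prefixes with 20,000 or fewer residents per the HHS Safe
# Harbor guidance (2000 census figures); confirm against current guidance.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}
AS_OF = date(2024, 4, 24)  # assumed reference date for age calculation


class ReidentificationMap:
    """MRN <-> random code. Random, so the code cannot be derived from the MRN.

    Store this mapping separately from the released dataset and protect it as
    ePHI; anyone holding both can re-identify every record.
    """

    def __init__(self):
        self._by_mrn, self._by_code = {}, {}

    def code_for(self, mrn):
        if mrn not in self._by_mrn:
            code = secrets.token_hex(8)
            self._by_mrn[mrn], self._by_code[code] = code, mrn
        return self._by_mrn[mrn]

    def mrn_for(self, code):
        return self._by_code[code]


def zip3(zipcode):
    """First three ZIP digits, or 000 for the sparsely populated prefixes."""
    digits = re.sub(r"\D", "", zipcode)[:3]
    return "000" if digits in RESTRICTED_ZIP3 else digits


def age_on(dob, as_of):
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if age >= 90 else age   # ages over 89 collapse into one bucket


def safe_harbor_deidentify(record, reid_map, as_of=AS_OF):
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue
        if key == "mrn":
            out["subject_code"] = reid_map.code_for(value)
        elif key == "dob":
            age = age_on(value, as_of)
            out["age"] = age
            if age != "90+":              # birth year would reveal an age over 89
                out["birth_year"] = value.year
        elif key in DATE_FIELDS:
            out[key.replace("_at", "_year")] = value.year
        elif key == "zip":
            out["zip3"] = zip3(value)
        elif key in SAFE_FIELDS:
            out[key] = value
        else:
            raise ValueError(f"unclassified field {key!r}: decide whether it is an identifier")
    return out


# Constructed sample records (not real patients).
SAMPLE_RECORDS = [
    {"mrn": "MRN-1001", "name": "Jane Example", "dob": date(1931, 3, 15),
     "phone": "555-0100", "email": "jane@example.com", "zip": "02138",
     "state": "MA", "collected_at": date(2024, 4, 20), "test": "HbA1c",
     "value": 6.4, "units": "%", "reference_range": "4.0-5.6"},
    {"mrn": "MRN-1002", "name": "John Example", "dob": date(1990, 7, 1),
     "zip": "03601", "state": "NH", "collected_at": date(2024, 4, 21),
     "test": "HbA1c", "value": 5.1, "units": "%", "reference_range": "4.0-5.6"},
]

if __name__ == "__main__":
    reid = ReidentificationMap()
    for rec in SAMPLE_RECORDS:
        print(safe_harbor_deidentify(rec, reid))
```

Two design points matter in practice. The pass-through allow-list is deliberate: a free-text clinician comment can carry a name or a full date, and Safe Harbor requires those to be removed as well, so an unclassified column fails loudly instead of leaking. The random subject code lets several results for the same patient stay linked in the released dataset, while the mapping object that makes the link reversible lives elsewhere, under the same access controls as any other ePHI.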

Conclusion

To classify customer lab results on a computer, ask two questions: can the data identify a person, and is it electronic? If yes to both, it is ePHI and must be protected by the Security Rule using Administrative, Technical, and Physical Safeguards. If you properly de-identify the data, it falls outside PHI—but only after you remove identifiers and mitigate re-identification risk.

FAQs

Are customer lab results always considered PHI?

Usually yes. Lab results relate to an individual’s health and, when tied to identifiers or reasonably re-identifiable, they are PHI. If you fully de-identify results so no individual can be identified, they are not PHI.

How does storing lab results electronically affect their classification?

Storing, transmitting, or processing lab results electronically turns PHI into ePHI. The HIPAA Security Rule then applies, adding security obligations on top of privacy requirements.

What safeguards are required for protecting ePHI on computers?

Implement Administrative Safeguards (risk analysis, policies, training), Technical Safeguards (access control, authentication, audit logging, integrity, encryption in transit), and Physical Safeguards (workstation and device controls). Use least privilege, MFA, and strong monitoring.

How can ePHI be properly de-identified?

Use one of the two HIPAA-recognized methods: Safe Harbor (remove the 18 specified identifier types and have no actual knowledge that the remainder could identify the individual) or Expert Determination (have a qualified expert document that the re-identification risk is very small). Keep any re-identification codes and their mapping separate from the dataset and secure them as ePHI.
