Does the HIPAA Privacy Rule Only Cover ePHI? Requirements and Examples

Kevin Henry

HIPAA

February 21, 2025

6 minutes read
HIPAA Privacy Rule Coverage of PHI

The HIPAA Privacy Rule protects Protected Health Information (PHI) in any form—electronic (ePHI), paper, and oral. It governs how Covered Entities and their Business Associates use, disclose, and safeguard PHI, and it grants individuals specific rights over their information. In short, ePHI is a subset of PHI, not the whole scope.

While the Privacy Rule applies to PHI in all media, the HIPAA Security Rule focuses on ePHI and prescribes concrete Administrative Safeguards, Technical Safeguards, and Physical Safeguards. You must apply the Privacy Rule’s “reasonable safeguards” to paper and spoken PHI and implement Security Rule controls for ePHI.

Definition of Protected Health Information

PHI is individually identifiable health information created or received by a Covered Entity or Business Associate that relates to an individual’s past, present, or future physical or mental health or condition, the provision of health care, or payment for health care. Information is “individually identifiable” if it identifies a person or there is a reasonable basis to believe it could identify a person.

PHI can include demographic details combined with health context, such as a diagnosis linked to a name, or a medical record number tied to a treatment date. If a dataset cannot identify a person (for example, it is properly de-identified), it is not PHI.

Minimum Necessary Standard Requirements

The Minimum Necessary Standard requires you to limit uses, disclosures, and requests for PHI to the least amount necessary to achieve the stated purpose. This standard supports privacy by aligning access to a person’s role and the task at hand.

Core requirements

  • Adopt role-based access controls that specify who may access which PHI and why.
  • Establish protocols for routine disclosures and a review process for non-routine requests.
  • Use data segmentation or redaction to share only the necessary elements.
  • Rely on “reasonable” representations from other Covered Entities, public officials, or Business Associates when appropriate.

Key exceptions

  • Disclosures to, or requests by, a health care provider for treatment.
  • Uses or disclosures made to the individual (or their personal representative).
  • Uses or disclosures made pursuant to a valid authorization.
  • Disclosures to HHS for compliance investigations, uses or disclosures required by law, and uses or disclosures required to comply with HIPAA's Administrative Simplification rules.

Administrative and Technical Safeguards

The Privacy Rule requires “reasonable safeguards” for PHI in all forms, while the Security Rule mandates specific safeguards for ePHI. Together, they create a cohesive protection framework.

Administrative Safeguards

  • Assign a privacy and a security official to oversee compliance.
  • Perform risk analysis and implement risk management for ePHI.
  • Train the workforce and apply a sanction policy for violations.
  • Develop policies, procedures, and incident response, including breach reporting.
  • Execute Business Associate Agreements (BAAs) and manage vendor risk.

Technical Safeguards

  • Unique user identification and role-based access controls; multifactor authentication where feasible.
  • Audit controls to log and monitor access and activity.
  • Integrity controls to prevent improper alteration or destruction of ePHI.
  • Transmission security (e.g., encrypted channels) and encryption of ePHI at rest. Encryption is an "addressable" implementation specification under the Security Rule, so you must either implement it or document why an equivalent alternative is reasonable; in practice it is the strongest control available, because ePHI encrypted in line with HHS guidance is not "unsecured PHI" for breach notification purposes.

Physical Safeguards

  • Facility access controls for areas where PHI or ePHI systems reside.
  • Workstation use and security policies; screen privacy and automatic timeouts.
  • Device and media controls, including secure disposal and re-use procedures.

Reasonable safeguards for paper and oral PHI

  • Verify recipients before disclosures; use cover sheets and sealed envelopes.
  • Speak discreetly in public spaces; avoid unnecessary identifiers.
  • Store paper records securely; limit chart access in clinical areas.

Examples of Protected Health Information

PHI includes health data that can identify an individual. Common examples include:

  • Names, and all geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code), including precise geolocation tied to care.
  • All elements of dates (except year) directly related to an individual, such as birth, admission, discharge, and death dates, plus all ages over 89 and any date element (including year) that reveals such an age; these may be aggregated into a single "90 or older" category.
  • Contact identifiers: phone numbers, email addresses, fax numbers.
  • Numbers and IDs: Social Security, medical record, account, certificate/license.
  • Vehicle and device identifiers; serial numbers and unique device IDs.
  • Web and network identifiers: URLs, IP addresses.
  • Biometric identifiers: fingerprints, voiceprints; full-face photos and comparable images.
  • Any other unique code or characteristic that could identify a person when linked to health information.
  • Clinical content when identifiable: diagnoses, medications, lab results, imaging, care plans, and billing details.

Exclusions from PHI

  • De-identified information: data with identifiers removed under the Safe Harbor method or certified by expert determination as very low re-identification risk.
  • Education records (and certain student treatment records) covered by FERPA.
  • Employment records held by an employer in its role as employer, even if health-related (e.g., FMLA documentation or drug testing results).
  • Information about a person who has been deceased for 50 years or more.
  • Data held solely by entities that are not Covered Entities or Business Associates may fall outside HIPAA, though other privacy laws can still apply.

Note: A “limited data set” is not fully de-identified and remains PHI, usable for specific purposes under a data use agreement.
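The Safe Harbor method above is the one part of this page that is mechanical enough to show in code. The following is an added Python example, not code from the original article or from Accountable: it strips the Safe Harbor identifier fields from a constructed patient record, reduces dates to year, aggregates ages over 89 into a single "90+" category (a Safe Harbor requirement), and scrubs identifiers that leak into free-text notes. The field names, the sample record, and the regular expressions are assumptions for illustration, and a real schema will need its own mapping. Note the built-in limitation: pattern matching cannot find names it has not been told about, so the example only redacts the patient's own name from notes and anything else in free text still needs a review step (or expert determination).

```python
"""Safe Harbor de-identification of a patient record (illustrative example)."""
import re
from datetime import date

# Structured fields that Safe Harbor treats as identifiers: removed outright.
# These field names are an assumption for this example, not a standard schema.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "zip", "phone", "fax", "email",
    "ssn", "mrn", "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric_id", "photo_ref",
}
# The ZIP code is dropped entirely here; Safe Harbor also allows keeping the first
# three digits when the resulting area holds more than 20,000 people, a population
# lookup this example does not implement.

# Dates directly related to the individual: reduced to year only.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Identifiers that commonly leak into clinical notes. Order matters: the SSN pattern
# runs before the phone pattern, which would otherwise match the tail of an SSN,
# and e-mail runs before name redaction so addresses become one clean token.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "[EMAIL]"),
    (re.compile(r"https?://\S+"), "[URL]"),
    (re.compile(r"\(?\b\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"), "[DATE]"),
]


def year_only(value):
    """Keep only the year of a datetime.date or an ISO 'YYYY-MM-DD' string."""
    if value is None:
        return None
    if isinstance(value, date):
        return value.year
    return int(str(value)[:4])


def safe_harbor_age(birth_date, as_of):
    """Age in whole years as of `as_of`, aggregated to '90+' above 89."""
    bd = date.fromisoformat(birth_date) if isinstance(birth_date, str) else birth_date
    age = as_of.year - bd.year - ((as_of.month, as_of.day) < (bd.month, bd.day))
    return "90+" if age > 89 else age


def scrub_text(text, known_names=()):
    """Replace pattern-detectable identifiers, then any known name tokens."""
    for pattern, token in FREE_TEXT_PATTERNS:
        text = pattern.sub(token, text)
    for name in known_names:
        text = re.sub(rf"\b{re.escape(name)}\b", "[NAME]", text, flags=re.IGNORECASE)
    return text


def deidentify(record, as_of):
    """Return a Safe Harbor de-identified copy of `record`; state-level geography,
    clinical content, and scrubbed free text are retained."""
    # Name tokens longer than two characters (drops initials such as "Q.").
    names = [t.strip(".") for t in str(record.get("name", "")).split() if len(t.strip(".")) > 2]
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key in DATE_FIELDS:
            out[key[: -len("_date")] + "_year"] = year_only(value)  # birth_date -> birth_year
        elif isinstance(value, str):
            out[key] = scrub_text(value, names)
        else:
            out[key] = value
    if record.get("birth_date") is not None:
        out["age"] = safe_harbor_age(record["birth_date"], as_of)
        if out["age"] == "90+":
            # Any date element, year included, that reveals an age over 89 must go.
            out["birth_year"] = None
    return out


# Constructed sample record for demonstration; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Doe",
    "mrn": "MRN-0048213",
    "ssn": "123-45-6789",
    "street_address": "12 Elm St",
    "city": "Springfield",
    "state": "IL",
    "zip": "62704",
    "email": "jane.doe@example.org",
    "birth_date": "1931-05-20",
    "admission_date": "2024-03-14",
    "discharge_date": date(2024, 3, 18),
    "diagnosis": "Type 2 diabetes mellitus",
    "note": ("Pt Jane Doe (SSN 123-45-6789) seen 03/14/2024; call 555-867-5309 or "
             "jane.doe@example.org; portal https://portal.example/p/48213 from 10.0.0.7."),
}

if __name__ == "__main__":
    for field, value in deidentify(SAMPLE_RECORD, date(2024, 3, 14)).items():
        print(f"{field}: {value}")
```

The output keeps the state, the diagnosis, the admission and discharge years, and a note in which every detected identifier is replaced by a bracketed token, while the birth year disappears because the patient is over 89. Anything you add to the schema that can identify a person must be added to DIRECT_IDENTIFIERS, since unknown fields are passed through.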

Compliance Obligations for Covered Entities and Business Associates

Covered Entities (health plans, most health care providers, and health care clearinghouses) and their Business Associates must operationalize the Privacy Rule while protecting ePHI under the Security Rule.

Covered Entities: essential duties

  • Provide a Notice of Privacy Practices and honor individual rights (access, amendment, accounting of disclosures, restrictions, and confidential communications).
  • Apply the Minimum Necessary Standard and role-based access in daily operations.
  • Designate privacy/security officials; train staff; enforce sanctions; document policies and procedures.
  • Maintain BAAs with vendors that handle PHI and oversee subcontractors.
  • Detect, mitigate, and report breaches under applicable breach notification requirements.

Business Associates: essential duties

  • Use and disclose PHI only as permitted by the BAA and the Privacy Rule.
  • Implement Administrative, Technical, and Physical Safeguards for ePHI.
  • Report security incidents and breaches; flow down HIPAA obligations to subcontractors.
  • Support the Covered Entity’s Minimum Necessary Standard and respond to access or amendment requests when relevant.

Key takeaways

  • The HIPAA Privacy Rule covers PHI in any form; ePHI is specifically addressed by the Security Rule’s safeguards.
  • Apply the Minimum Necessary Standard to routine operations and vet non-routine disclosures.
  • Combine Administrative, Technical, and Physical Safeguards with practical “reasonable safeguards” for paper and oral PHI.

FAQs

Does the HIPAA Privacy Rule apply to paper and oral PHI?

Yes. The Privacy Rule covers PHI in all forms—electronic, paper, and oral. While the Security Rule prescribes specific safeguards for ePHI, you must still implement reasonable safeguards for paper and spoken PHI.

What types of entities must comply with the Privacy Rule?

Covered Entities—health plans, most health care providers that transmit standard electronic transactions, and health care clearinghouses—must comply. Business Associates that create, receive, maintain, or transmit PHI on their behalf must also comply via Business Associate Agreements.

How is de-identified information treated under HIPAA?

Properly de-identified information is not PHI and is not subject to the Privacy Rule. De-identification can be achieved through Safe Harbor (removing specified identifiers) or expert determination showing a very low risk of re-identification.

What safeguards are required to protect PHI?

For ePHI, implement Administrative, Technical, and Physical Safeguards (e.g., access controls, audit logging, encryption, device controls). For PHI in any form, apply Privacy Rule reasonable safeguards such as role-based access, secure storage, and discreet communications to prevent unauthorized uses and disclosures.
