Electronic Protected Health Information (ePHI) Definition: What Counts Under HIPAA
Defining Electronic Protected Health Information
Electronic protected health information (ePHI) is any individually identifiable health information that is created, received, maintained, or transmitted in electronic form by a HIPAA covered entity or its business associate. It relates to an individual’s past, present, or future health status, the provision of care, or payment for care.
Electronic media includes servers, laptops, tablets, smartphones, removable drives, networked medical devices, EHR systems, patient portals, and cloud storage. It also includes electronic media transmission such as EDI transactions, secure email, encrypted messaging, and telehealth platforms. Paper faxes and unrecorded phone calls are not electronic media, but their content may still be PHI if it identifies a person.
Under the HIPAA Privacy Rule, the content is protected because it can identify the individual. Under the Security Rule, the same content becomes ePHI the moment you store or move it electronically, triggering specific health information security obligations.
What makes information “individually identifiable”
- It can directly identify a person (for example, name or Social Security number), or
- It can reasonably be used to identify a person when combined with other data (for example, date of birth plus ZIP code and gender).
When consumer data is (and isn’t) ePHI
Information a person keeps for personal use in a consumer app is not ePHI unless a covered entity or business associate creates, receives, maintains, or transmits it. Once that data flows to a provider, health plan, or their vendor, it can become ePHI.
Identifying Covered Entities
Covered entities are the organizations directly regulated by HIPAA. You are a covered entity if you are one of the following and you conduct standard transactions electronically:
- Health care providers, such as hospitals, clinics, physicians, dentists, pharmacies, and telehealth practices.
- Health plans, including group health plans, insurers, HMOs, and government programs like Medicare Advantage plans.
- Health care clearinghouses that translate or standardize health information for other entities.
Business associates are not covered entities, but they must comply with HIPAA obligations through contracts. Examples include EHR and billing vendors, cloud service providers, claims processors, analytics firms, telehealth platforms, and law or consulting firms that handle PHI. Both covered entities and business associates must implement confidentiality safeguards and data integrity controls appropriate to their roles.
Examples of ePHI Data
Personal and contact identifiers
- Names; postal addresses smaller than a state; phone numbers; email addresses.
- Social Security, medical record, and health plan beneficiary numbers.
- Account, certificate, and license numbers; vehicle identifiers; device serial numbers.
- Web URLs and IP addresses associated with an individual.
- Full-face photographs and comparable images; biometric identifiers such as fingerprints or voiceprints.
Clinical and care-related data
- Diagnoses, lab results, imaging, pathology reports, and care plans.
- Medication lists, allergies, immunizations, and problem lists.
- Procedure notes, progress notes, and discharge summaries.
- Genetic and family history information when identifiable.
Payment and administrative information
- Claims, authorizations, eligibility checks, remittance advice, and EOB details.
- Billing amounts, account balances, and payment card details when linked to an individual’s care.
Communications and metadata
- Secure messages, telehealth chat logs, and appointment reminders containing health details.
- Timestamps, device IDs, and location data that can identify a person in a health context.
If the information can identify an individual and relates to health, care, or payment—and it exists or moves electronically—it counts as ePHI.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
HIPAA Security Requirements
The HIPAA Security Rule requires you to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI. Controls must be “reasonable and appropriate” for your size, complexity, and risk. Many controls are required; others are addressable, meaning you must implement them or document an equivalent alternative.
Administrative safeguards
- Risk analysis and risk management to identify threats, vulnerabilities, and appropriate mitigations.
- Workforce training, role-based access, and sanctions for policy violations.
- Business associate management, including due diligence and signed agreements.
- Contingency planning: data backup, disaster recovery, and emergency mode operations.
- Policies for incident response, breach assessment, and timely notifications.
Physical safeguards
- Facility access controls, visitor management, and environmental protections.
- Workstation use and security standards for desktops, laptops, and kiosks.
- Device and media controls: inventory, secure re-use, and verified destruction.
Technical safeguards
- Access controls: unique IDs, strong authentication, least privilege, and automatic logoff.
- Audit controls: logging, monitoring, and periodic review of access and changes.
- Data integrity controls: hashing, digital signatures, and change detection to prevent improper alteration.
- Person or entity authentication to verify users, services, and devices.
- Transmission security: encryption and integrity protections for electronic media transmission across networks.
Encryption of ePHI at rest and in transit is a best practice that materially reduces risk and simplifies breach assessment. Document every decision and safeguard; documentation is evidence of compliance.
Differentiating PHI and ePHI
PHI is individually identifiable health information in any form—paper, oral, or electronic—held by a covered entity or business associate. ePHI is the subset of PHI that is created, received, maintained, or transmitted electronically.
Both PHI and ePHI are subject to the HIPAA Privacy Rule. Only ePHI is directly subject to the Security Rule’s technical, physical, and administrative safeguards. For example, a printed lab result is PHI; the same result stored in your EHR or sent via secure email is ePHI.
De-identified data is not PHI or ePHI. You must remove specified identifiers or use an expert determination showing minimal re-identification risk. Limited data sets and data use agreements can support specific research or operations with reduced identifiers.
Managing ePHI Compliance
Build a risk-based program
- Inventory systems, data flows, and vendors that create, receive, maintain, or transmit ePHI.
- Perform a formal risk analysis; prioritize remediation with a written risk management plan.
- Appoint privacy and security leadership with authority to enforce policies.
Operationalize policies and controls
- Adopt minimum necessary access and role-based permissions; review quarterly.
- Enforce multi-factor authentication, strong passwords, and session timeouts.
- Standardize secure configurations and timely patching for servers, endpoints, and medical devices.
- Implement secure backups, test restorations, and protect keys and backup media.
Govern vendors and data sharing
- Execute business associate agreements and assess vendor controls regularly.
- Use secure, auditable exchange methods for EDI, APIs, and file transfers.
- Sanitize test and analytics data or apply de-identification before secondary use.
Monitor, detect, and respond
- Centralize logs, enable alerts for anomalous access, and review audit trails.
- Run phishing simulations and ongoing workforce training tailored to job roles.
- Maintain a documented incident response playbook and practice it with tabletop exercises.
Sustain compliance
- Conduct periodic evaluations against policies, risks, and regulatory updates.
- Keep decision records showing why selected safeguards are reasonable and appropriate.
Ensuring ePHI Confidentiality
Confidentiality safeguards prevent unauthorized viewing or disclosure of ePHI. Layer controls so that a single failure does not expose data.
Protect data at rest and in motion
- Encrypt databases, file systems, and backups; manage keys securely and rotate them.
- Use TLS for all network traffic; prefer secure messaging over standard SMS; encrypt email containing ePHI.
- Segment networks and restrict lateral movement with firewall rules and zero-trust access.
Harden identities, endpoints, and apps
- Enforce multi-factor authentication and least-privilege roles across systems.
- Apply mobile device management to BYOD; require screen locks and full-disk encryption.
- Use application allowlisting, EDR, and rapid patching to reduce exploit windows.
Strengthen data integrity and visibility
- Implement data integrity controls such as checksums and write-once storage for critical logs.
- Deploy DLP to monitor and block unauthorized transfers via email, web, or removable media.
- Review access logs and alerts daily; investigate anomalies promptly.
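The audit and data integrity controls listed under Technical safeguards (logging with hashing and change detection) and the write-once storage for critical logs mentioned above can be combined in one mechanism: a hash-chained audit log whose head hash is copied to write-once storage. The following Python is an added illustration, not code from the page or from Accountable; the event records, the `LOG_KEY` value and the function names are constructed for the demo. Each entry carries an HMAC-SHA256 over its sequence number, the previous entry's hash and the event body, so editing, inserting or deleting an entry breaks the chain from that point on. Truncation of the tail is the one change a chain check cannot see, which is why the head hash and length are also compared against an external copy.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample access events for a hypothetical EHR; not real patient data.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:00:00Z", "user": "nurse01", "action": "view", "record": "MRN-0001"},
    {"ts": "2024-05-01T08:05:00Z", "user": "dr_lee", "action": "update", "record": "MRN-0001"},
    {"ts": "2024-05-01T08:07:00Z", "user": "billing7", "action": "export", "record": "MRN-0002"},
]

# Constructed key for the demo. In practice the logging service (or an HSM) holds it;
# systems that only read the log never see it, so they cannot recompute a forged chain.
LOG_KEY = b"constructed-demo-key-do-not-use"
GENESIS_HASH = "0" * 64


def canonical(event: dict) -> bytes:
    """Serialize an event deterministically so identical events always hash identically."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode("utf-8")


def entry_mac(seq: int, prev_hash: str, event: dict, key: bytes) -> str:
    """HMAC-SHA256 over (sequence number, previous hash, event body), as hex."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in (str(seq).encode(), prev_hash.encode(), canonical(event)):
        mac.update(len(part).to_bytes(4, "big") + part)  # length-prefix each field
    return mac.hexdigest()


@dataclass
class Entry:
    seq: int
    event: dict
    prev_hash: str
    entry_hash: str


def append_event(chain: List[Entry], event: dict, key: bytes) -> Entry:
    """Append an event, linking it to the hash of the previous entry (or the genesis value)."""
    seq = len(chain)
    prev_hash = chain[-1].entry_hash if chain else GENESIS_HASH
    entry = Entry(seq, dict(event), prev_hash, entry_mac(seq, prev_hash, event, key))
    chain.append(entry)
    return entry


def build_chain(events: Iterable[dict], key: bytes) -> List[Entry]:
    chain: List[Entry] = []
    for ev in events:
        append_event(chain, ev, key)
    return chain


def first_invalid(chain: List[Entry], key: bytes) -> Optional[int]:
    """Index of the first entry whose sequence, link or MAC fails to verify; None if intact."""
    prev_hash = GENESIS_HASH
    for i, e in enumerate(chain):
        if e.seq != i or e.prev_hash != prev_hash:
            return i
        if not hmac.compare_digest(e.entry_hash, entry_mac(e.seq, e.prev_hash, e.event, key)):
            return i
        prev_hash = e.entry_hash
    return None


def head_matches(chain: List[Entry], key: bytes, expected_head: str, expected_len: int) -> bool:
    """Compare the chain with a head hash and length kept in write-once storage.
    This catches tail truncation, which first_invalid() alone cannot detect."""
    if first_invalid(chain, key) is not None or len(chain) != expected_len:
        return False
    head = chain[-1].entry_hash if chain else GENESIS_HASH
    return hmac.compare_digest(head, expected_head)


if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS, LOG_KEY)
    print("intact chain, first invalid entry:", first_invalid(chain, LOG_KEY))
    chain[1].event["action"] = "view"  # simulate someone rewriting an "update" to a "view"
    print("after tampering, first invalid entry:", first_invalid(chain, LOG_KEY))
```

Periodically writing the current head hash and entry count to write-once storage (or to a separate system the log writers cannot modify) is what turns the chain into a detection control: the daily audit review compares the live log against that anchor and any mismatch is investigated as an integrity incident.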
Minimize and anonymize when possible
- Collect only what you need; redact or tokenize identifiers for non-clinical uses.
- Apply de-identification for research and analytics when feasible to reduce risk surface.
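One way to carry out the "redact or tokenize identifiers for non-clinical uses" step when preparing an analytics extract, as an added Python example that is not from the page or from Accountable. The records, field names, `TOKEN_KEY` and the free-text identifier patterns are constructed for the demo. Direct identifiers the analytics job does not need are dropped; the medical record number is replaced with a keyed HMAC token so that rows for one patient still join without exposing the number; and free-text fields are scanned for identifier patterns and redacted. Note that a keyed token is reversible by whoever holds the key, so the output is still protected data unless the de-identification steps described above are also applied.

```python
import hashlib
import hmac
import re
from typing import Dict, Iterable, List

# Constructed records from a hypothetical clinical system; not real patient data.
RECORDS = [
    {"mrn": "MRN-0001", "name": "Jane Doe", "email": "jane@example.com",
     "dx": "E11.9", "los_days": 3,
     "note": "Follow-up for MRN-0001, contact jane@example.com"},
    {"mrn": "MRN-0002", "name": "John Roe", "email": "john@example.com",
     "dx": "I10", "los_days": 1, "note": "Routine check; no issues."},
    {"mrn": "MRN-0001", "name": "Jane Doe", "email": "jane@example.com",
     "dx": "E11.9", "los_days": 2, "note": "Readmission."},
]

# Constructed key for the demo; in practice it lives in a vault separate from the extract.
TOKEN_KEY = b"constructed-demo-token-key"

# Fields the analytics use does not need at all (minimum necessary): drop them.
DROP_FIELDS = {"name", "email"}
# Field replaced by a consistent keyed token so one patient's rows still join.
TOKEN_FIELD = "mrn"
# Identifier shapes scrubbed from free text (assumed formats for this demo only).
REDACT_PATTERNS = [
    re.compile(r"MRN-\d{4}"),                 # hypothetical MRN format
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),   # e-mail addresses
]


def token_for(value: str, key: bytes) -> str:
    """Deterministic keyed token: same input gives the same token; not invertible without the key."""
    return "tok_" + hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def redact_text(text: str) -> str:
    """Replace any identifier pattern found in free text with a fixed marker."""
    for pattern in REDACT_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text


def tokenize_record(record: Dict, key: bytes) -> Dict:
    """Produce the analytics view of one record: drop, tokenize or redact as configured."""
    out: Dict = {}
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue
        if field == TOKEN_FIELD:
            out["patient_token"] = token_for(value, key)
        elif isinstance(value, str):
            out[field] = redact_text(value)
        else:
            out[field] = value
    return out


def tokenize_dataset(records: Iterable[Dict], key: bytes) -> List[Dict]:
    return [tokenize_record(r, key) for r in records]


if __name__ == "__main__":
    for row in tokenize_dataset(RECORDS, TOKEN_KEY):
        print(row)
```

The split of responsibilities matters as much as the code: the job that holds `TOKEN_KEY` runs inside the clinical boundary, the extract it emits is what the analytics team receives, and the token-to-MRN relationship can only be re-established by going back through the key holder, which is itself an auditable access.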
Conclusion
ePHI is PHI in electronic form, and it triggers specific HIPAA Security Rule duties alongside the HIPAA Privacy Rule. By knowing what counts as ePHI, who is regulated, and which safeguards matter most, you can design a risk-based program that protects confidentiality, preserves integrity, and ensures availability across all systems and transmissions.
FAQs
What information qualifies as electronic protected health information?
Any individually identifiable health information in electronic form that relates to a person’s health status, care, or payment qualifies as ePHI when handled by a covered entity or business associate. Examples include names linked to diagnoses, lab results in an EHR, imaging files, claim records, device serial numbers associated with a patient, IP addresses tied to a portal account, and biometric identifiers like fingerprints or voiceprints.
How does HIPAA define ePHI?
HIPAA defines ePHI as protected health information that is transmitted or maintained in electronic media. The HIPAA Privacy Rule defines what counts as PHI, and when that PHI exists electronically, the HIPAA Security Rule requires safeguards to protect its confidentiality, integrity, and availability.
What are the security requirements for ePHI?
You must implement administrative, physical, and technical safeguards that are reasonable and appropriate for your risks. Core requirements include risk analysis and management, workforce training, business associate oversight, facility and device protections, access controls with strong authentication, audit logging, data integrity controls, and encryption for electronic media transmission and storage.
How is ePHI different from PHI?
PHI covers identifiable health information in any form—paper, oral, or electronic. ePHI is the electronic subset of PHI. Both are protected by the HIPAA Privacy Rule, but only ePHI is directly subject to the HIPAA Security Rule’s technical, physical, and administrative safeguards.