ePHI and PHI Under the HIPAA Privacy Rule: A Practical Guide

Kevin Henry

HIPAA

February 09, 2025


Defining Protected Health Information

Protected Health Information (PHI) is individually identifiable health information created, received, maintained, or transmitted by a HIPAA covered entity or its business associate. It relates to a person’s past, present, or future physical or mental health, the provision of care, or payment for care, in any form or medium.

What counts as PHI

PHI is “identifiable” when it can reasonably reveal who the person is. HIPAA lists 18 identifiers that make health information PHI when attached to clinical, billing, or plan data:

  • Names
  • Geographic subdivisions smaller than a state (e.g., street address, city, ZIP code)
  • All elements of dates (except year) tied to an individual (e.g., birth, admission, discharge, death) and ages over 89
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate or license numbers
  • Vehicle identifiers and license plate numbers
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Biometric identifiers (e.g., fingerprints, voiceprints)
  • Full-face photographs and comparable images
  • Any other unique identifying number, characteristic, or code

What is not PHI

De-identified data is not PHI. HIPAA recognizes two de-identification methods: Safe Harbor (removing all 18 identifiers) and Expert Determination (a qualified expert certifies very low re-identification risk). A “limited data set” excludes most direct identifiers and may be used for research, public health, or operations under a data use agreement, but it remains PHI.

Employment records a covered entity holds in its role as an employer and education records protected by FERPA are not PHI. Health information privacy obligations may still apply under other laws or contracts.
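The Safe Harbor method above can be implemented as a mechanical scrub of a record. The following is an added example, not code from the original article or from Accountable; the record schema, field names and sample values are constructed for illustration. It drops direct identifiers, reduces dates to the year, aggregates ages over 89 into a single "90 or older" category (and drops the birth year in that case, since it would reveal the age), and masks phone numbers hiding in free text.

```python
import re
from datetime import date

# Constructed sample record for illustration (not real patient data).
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "dob": "1932-04-17",
    "admit_date": "2024-11-03",
    "zip": "02139",
    "email": "jane@example.invalid",
    "mrn": "MRN-0012345",
    "ssn": "123-45-6789",
    "diagnosis_code": "E11.9",
    "notes": "Reports improved glucose control. Call 555-0100 with results.",
}

# Assumed schema: fields that carry Safe Harbor direct identifiers are removed outright.
# ZIP is dropped entirely; retaining its first three digits requires the population
# check that this example does not perform.
DIRECT_IDENTIFIER_FIELDS = {"name", "zip", "email", "mrn", "ssn"}
DATE_FIELDS = {"dob", "admit_date"}          # fields treated as dates (assumed)

# Phone numbers in free text: 3-3-4 or 3-4 digit groups with a separator.
PHONE_RE = re.compile(r"\b(?:\d{3}[-. ])?\d{3}[-. ]\d{4}\b")

def age_on(dob: str, as_of: str) -> int:
    born, ref = date.fromisoformat(dob), date.fromisoformat(as_of)
    return ref.year - born.year - ((ref.month, ref.day) < (born.month, born.day))

def safe_harbor(record: dict, as_of: str) -> dict:
    """Return a copy of `record` with the 18 Safe Harbor identifiers removed."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                                  # drop identifier field
        if key in DATE_FIELDS:
            out[key + "_year"] = value[:4]            # keep only the year element
            continue
        if isinstance(value, str):
            value = PHONE_RE.sub("[PHONE]", value)    # scrub identifiers in free text
        out[key] = value
    if "dob" in record:
        age = age_on(record["dob"], as_of)
        out["age"] = "90+" if age > 89 else str(age)
        if age > 89:
            out.pop("dob_year", None)                 # birth year would reveal age > 89
    return out
```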

Differentiating ePHI from PHI

Electronic Protected Health Information (ePHI) is simply PHI in electronic form—created, stored, received, or transmitted electronically. All ePHI is PHI, but not all PHI is electronic; paper and oral PHI are still protected by the HIPAA Privacy Rule.

Common forms of ePHI

  • Electronic health records, patient portals, e-prescribing systems, and imaging archives
  • Billing platforms, claims systems, and health plan portals
  • Emails, secure messages, texts, and telehealth recordings
  • Cloud backups, mobile devices, removable media, and logs that contain identifiers

Why the distinction matters

The Privacy Rule governs how PHI—including ePHI—may be used and disclosed. The HIPAA Security Rule specifically requires Administrative, Physical, and Technical Safeguards for ePHI to ensure confidentiality, integrity, and availability.

HIPAA Privacy Rule Standards

Permitted uses and disclosures without authorization

  • Treatment, payment, and health care operations (TPO)
  • Disclosures to the individual, and certain incidental disclosures when safeguards and the minimum necessary standard are in place
  • Public interest and legal purposes (e.g., required by law, public health reporting, health oversight, judicial and law enforcement requests, averting serious threats, workplace injury and workers’ compensation, certain research with appropriate approvals)

When authorization is required

  • Most marketing uses, sale of PHI, and sharing psychotherapy notes (with narrow exceptions)
  • Other non-TPO uses not otherwise permitted or required by law

Minimum necessary principle

Outside of treatment, you must limit PHI to the minimum necessary to accomplish the purpose. Use role-based access, defined workflows, and documented criteria for routine requests; apply case-by-case review for non-routine disclosures.

Notice, verification, and accountability

Safeguarding PHI and ePHI

Protecting PHI is both a privacy and security obligation. Policies must govern who may see PHI, for what purpose, and how it is protected across its lifecycle—from collection to secure disposal.


Foundational safeguards for all PHI

  • Administrative Safeguards: policies, training, sanctions, and standard operating procedures
  • Physical Safeguards: secure facilities, locked storage, workstation placement, visitor controls, and shred/secure disposal
  • Technical Safeguards: access controls, authentication, audit trails, and strong transmission protections for ePHI

Practical steps for paper and verbal PHI

  • Use clean desk policies, cover sheets, and “need-to-know” access
  • Position monitors and printers to prevent shoulder-surfing; retrieve printouts promptly
  • Conduct privacy rounds and reinforce etiquette for conversations containing PHI

Individual Rights Under HIPAA

HIPAA gives people meaningful control over their PHI, strengthening health information privacy and transparency.

  • Right of access: obtain copies of PHI, including ePHI in the format requested if readily producible, or by secure electronic transmission to a designated third party; charge only reasonable, cost-based fees
  • Right to request amendments: ask to correct or add to records; denials must be justified and allow a statement of disagreement
  • Right to request restrictions: limit certain disclosures; providers must honor a restriction to a health plan when the individual pays out-of-pocket in full for the item or service
  • Right to confidential communications: receive communications by alternative means or locations
  • Right to an accounting of certain disclosures: track and disclose non-TPO disclosures as required
  • Right to receive a Notice of Privacy Practices and to file complaints without retaliation

Compliance Requirements for Covered Entities

Covered entities—health care providers, health plans, and health care clearinghouses—and their business associates must implement a documented compliance program tailored to their risks and operations.

Core program elements

  • Assign a Privacy Official and a Security Official with defined authority
  • Conduct an enterprise-wide risk analysis and manage identified risks on an ongoing basis
  • Adopt policies and procedures for the Privacy Rule and HIPAA Security Rule; review and update regularly
  • Train the workforce initially and periodically; apply sanctions for violations
  • Execute and manage BAAs; vet vendors’ security and privacy practices
  • Maintain documentation and required logs; retain records for at least six years from creation or last effective date
  • Prepare for incidents: investigate, mitigate, and provide breach notifications without unreasonable delay, consistent with legal thresholds
  • Coordinate HIPAA with other laws (e.g., state privacy, 42 CFR Part 2) and organizational policies

Implementing Security Measures for ePHI

The HIPAA Security Rule requires Administrative, Physical, and Technical Safeguards for ePHI. “Addressable” does not mean optional: you must either implement the specification or document why it is not reasonable and appropriate and implement an equivalent alternative measure that achieves the same protection.

Administrative Safeguards

  • Risk analysis and risk management with defined acceptance criteria
  • Workforce security: background checks, role-based access, and termination procedures
  • Access management: least privilege, periodic access reviews, and segregation of duties
  • Security awareness training, including phishing resistance, reinforced with simulated exercises
  • Contingency planning: data backup, disaster recovery, and emergency mode operations; test and revise
  • Incident response: detection, triage, containment, forensics, notification, and lessons learned
  • Vendor and cloud governance: BAAs, shared-responsibility matrices, and evidence reviews
  • Ongoing evaluation: audits, penetration tests, and remediation tracking

Physical Safeguards

  • Facility access controls with visitor logs and environmental protections
  • Workstation security: placement, privacy filters, automatic screen locks
  • Device and media controls: inventory, encryption, secure re-use, and certified destruction
  • Chain of custody for portable media and hardware repairs

Technical Safeguards

  • Access controls: unique user IDs, multi-factor authentication, emergency access, automatic logoff
  • Encryption: strong encryption for data at rest and in transit; robust key management
  • Audit controls: centralized logging, immutable storage, and regular review via SIEM
  • Integrity protections: hashing, digital signatures, and change monitoring
  • Transmission security: TLS for all external traffic, VPN or private connectivity for partners, email encryption
  • Endpoint and network security: EDR, MDM for mobile devices, patch/vulnerability management, network segmentation, and DLP

Practical implementation checklist

  • Map where ePHI lives and flows; eliminate unnecessary collection and retention
  • Standardize secure configurations; automate compliance checks and patching
  • Use role-based templates for provisioning; review high-risk access monthly
  • Protect identities with phishing-resistant MFA and conditional access
  • Validate backups with periodic restores; document recovery time and point objectives
  • Test incident and breach playbooks through tabletop and live exercises
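The minimum necessary principle and the audit-review items above can be combined into a routine access review: replay the access audit trail against the documented role criteria and the users' assigned patients, and flag the accesses that fall outside them. This is an added example, not code from the original article or from Accountable; the log format, the role policy and the assignment table are constructed assumptions.

```python
# Constructed audit log lines (not real): timestamp, user, role, patient, record type, action.
SAMPLE_LOG = """\
2025-02-09T09:12:03Z u=drsmith role=clinician patient=P1001 record=clinical_note action=view
2025-02-09T09:15:41Z u=bill01 role=billing patient=P1001 record=claim action=view
2025-02-09T09:20:12Z u=bill01 role=billing patient=P1002 record=psychotherapy_note action=view
2025-02-09T23:58:09Z u=nurse7 role=nurse patient=P1003 record=clinical_note action=view
2025-02-09T23:58:30Z u=nurse7 role=nurse patient=P1004 record=clinical_note action=view
2025-02-09T23:58:51Z u=nurse7 role=nurse patient=P1005 record=clinical_note action=view
"""

# Assumed minimum-necessary policy: record types each role routinely needs.
ROLE_ALLOWED = {
    "clinician": {"clinical_note", "lab_result", "claim"},
    "nurse": {"clinical_note", "lab_result"},
    "billing": {"claim", "account"},
}

# Assumed assignment table: patients each user has a documented relationship with.
ASSIGNED = {
    "drsmith": {"P1001"},
    "nurse7": {"P1003"},
    "bill01": {"P1001", "P1002"},
}

def parse_event(line: str) -> dict:
    """Parse one 'key=value' audit line into a dict; the first token is the timestamp."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = ts
    return event

def review_access(log_text: str) -> list:
    """Return (user, finding, detail) tuples for accesses outside the documented criteria."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_event(line)
        # Role criteria: a record type the role does not routinely need.
        if e["record"] not in ROLE_ALLOWED.get(e["role"], set()):
            findings.append((e["u"], "role_not_permitted", e["record"]))
        # Relationship criteria: a patient the user is not assigned to.
        if e["patient"] not in ASSIGNED.get(e["u"], set()):
            findings.append((e["u"], "no_assigned_relationship", e["patient"]))
    return findings
```

Each finding is a candidate for the case-by-case review the article describes; a clean review run over the month's log is the evidence that the monthly high-risk access review actually happened.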

Summary and next steps

PHI defines the scope of health information privacy; ePHI determines the security controls you must implement. Anchor your program in risk analysis, minimum necessary use, and the Security Rule’s Administrative, Physical, and Technical Safeguards. Build repeatable processes, verify vendor protections, and continuously test your defenses.

FAQs

What types of information does the HIPAA Privacy Rule protect?

The Privacy Rule protects PHI—individually identifiable health information connected to care or payment and linked to identifiers like names, dates, or account numbers. PHI can be electronic, paper, or oral. De-identified data is not PHI, while a limited data set remains PHI but may be used under a data use agreement.

How is ePHI different from PHI?

ePHI is PHI in electronic form—such as EHR entries, claim files, emails, backups, and device logs that include identifiers. The Privacy Rule covers both PHI and ePHI, but the HIPAA Security Rule specifically mandates safeguards for ePHI’s confidentiality, integrity, and availability.

What rights do individuals have over their PHI?

Individuals can access and receive copies of their PHI (including in electronic form), request amendments, ask for restrictions and confidential communications, obtain an accounting of certain disclosures, receive a Notice of Privacy Practices, and file complaints without retaliation.

How must covered entities secure ePHI?

Covered entities must implement Administrative, Physical, and Technical Safeguards proportionate to risk. Core controls include risk analysis and management, least-privilege access with MFA, encryption in transit and at rest, audit logging and monitoring, secure device and media handling, tested backups and recovery, workforce training, and vetted BAAs for vendors handling ePHI.
