ePHI Explained: What Counts—and What Does Not—Under HIPAA


Kevin Henry

HIPAA

April 22, 2024

7 minutes read

Definition of Electronic Protected Health Information

Under the Health Insurance Portability and Accountability Act (HIPAA), Electronic Protected Health Information (ePHI) is individually identifiable health information that is created, received, maintained, or transmitted in electronic form by a covered entity or a business associate. It is the subset of Protected Health Information (PHI) that is stored in or transmitted through electronic media, such as Electronic Health Records (EHRs), patient portals, cloud storage, backups, and email.

Information is ePHI when it both identifies (or can reasonably identify) an individual and relates to the person’s past, present, or future health status, care, or payment for care—and it is handled electronically by a regulated organization. Paper-only or purely oral information is still PHI, but it is not ePHI unless it is digitized or stored/transmitted electronically.

What qualifies as ePHI?

  • Data that can identify a person and concerns health, care delivery, or payment.
  • Information created or stored in electronic systems (EHRs, billing systems, imaging archives, backups).
  • Information transmitted over networks (email, secure messaging, APIs, file transfers). Voice telephone calls and paper-to-paper faxes are excluded only when the information did not exist in electronic form immediately before transmission.

Common examples

  • EHR chart notes, problem lists, medications, and lab results.
  • Insurance claims, eligibility checks, and remittance files.
  • Digital images and DICOM headers, patient emails, and portal messages.
  • Spreadsheets or logs containing medical record numbers or other identifiers.

HIPAA Privacy and Security Rules

The HIPAA Privacy Rule governs when PHI/ePHI may be used or disclosed and grants individual rights (such as access, amendment, and accounting of disclosures). It embeds principles like “minimum necessary,” requiring you to limit uses and disclosures to what’s needed for treatment, payment, and health care operations—or obtain an authorization when required.

The HIPAA Security Rule sets the standards for safeguarding ePHI through administrative, physical, and technical safeguards. It requires a risk analysis and risk management process, workforce training, contingency plans and backups, facility and device protections, and technical controls such as unique user IDs, access controls, audit logs, integrity protections, and transmission security. Encryption is an “addressable” specification, which does not mean optional: you must implement it where reasonable and appropriate, or document why it is not and implement an equivalent alternative. It also matters for breach notification, which applies to unsecured PHI; ePHI encrypted consistent with HHS guidance is not “unsecured,” so loss of properly encrypted data generally does not trigger notification.

How the rules work together

  • Privacy Rule: what ePHI you may use/disclose and why.
  • Security Rule: how you must protect ePHI you create, receive, maintain, or transmit.
  • Business associate agreements extend both rules’ responsibilities to service vendors handling ePHI.

Identifiers Included in ePHI

Health information is individually identifiable when it contains any of the following 18 identifiers of the individual (or of the individual’s relatives, employers, or household members), or when there is a reasonable basis to believe the remaining information could be used to identify the person. The same list is the Safe Harbor list in the HIPAA de-identification standard (45 CFR 164.514(b)).

  1. Names.
  2. Geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code, and equivalent geocodes). The initial three digits of a ZIP code may be kept only if the combined population of all ZIP codes sharing those three digits exceeds 20,000; otherwise the prefix must be changed to 000.
  3. All elements of dates (except year) directly related to an individual, including birth, admission, discharge, and death dates; and all ages over 89 and all date elements (including year) indicative of such an age, which may only be aggregated into a single category of 90 or older.
  4. Telephone numbers.
  5. Fax numbers.
  6. Email addresses.
  7. Social Security numbers.
  8. Medical record numbers.
  9. Health plan beneficiary numbers.
  10. Account numbers.
  11. Certificate/license numbers.
  12. Vehicle identifiers and serial numbers, including license plate numbers.
  13. Device identifiers and serial numbers.
  14. Web Universal Resource Locators (URLs).
  15. Internet Protocol (IP) addresses.
  16. Biometric identifiers (for example, finger and voice prints).
  17. Full-face photographic images and comparable images.
  18. Any other unique identifying number, characteristic, or code.

Exclusions from ePHI

Some information that may feel “health-related” is not ePHI under HIPAA because it falls outside HIPAA’s scope or has been sufficiently de-identified.

  • Education records and treatment records covered by FERPA.
  • Employment records held by a covered entity in its role as employer (e.g., HR files).
  • Information that a covered entity or business associate has properly de-identified under HIPAA.
  • Consumer health data collected by apps, wearables, or platforms that are not covered entities or business associates and are not acting on their behalf.
  • Information about individuals deceased for more than 50 years (no longer PHI under HIPAA).
  • Aggregated statistics that cannot reasonably identify an individual.

Important nuance

If the same health information is handled by a covered entity or its business associate in electronic form, it is ePHI—even if a similar copy held only by a consumer app would not be.

Importance of ePHI Compliance

Strong ePHI compliance protects patients, maintains trust, and reduces operational and legal risk. Regulators can impose corrective action plans and significant civil penalties for violations, and organizations face reputational damage and disruption from breaches or ransomware.

Core practices you should implement

  • Perform a documented risk analysis and implement risk-based controls.
  • Apply “minimum necessary” access, role-based permissions, and multi-factor authentication.
  • Encrypt ePHI at rest and in transit; segment networks and manage endpoints and mobile devices.
  • Monitor with audit logs, alerts, and regular reviews; test backups and incident response plans.
  • Train your workforce; manage vendors with business associate agreements and due diligence.

De-Identification of Health Information

De-identification removes or obfuscates identifiers so that the information is no longer PHI/ePHI. HIPAA recognizes two compliant methods.

Safe Harbor method

  • Remove the 18 identifiers listed above, and
  • Have no actual knowledge that the remaining information, alone or combined with other data, could identify the individual. Small populations, rare conditions, and free-text fields such as clinical notes (which routinely carry names, dates, and phone numbers) are the usual residual risks.

Expert Determination method

A qualified expert applies statistical or scientific principles to determine, and document, that the risk of re-identification is very small, with controls to prevent re-identification.

Limited data sets vs. de-identified data

A limited data set excludes many direct identifiers but can retain certain elements (e.g., dates, some geography). It remains PHI and requires a data use agreement. Fully de-identified data under Safe Harbor or Expert Determination is not PHI/ePHI.

Re-identification controls

If you assign a code to allow re-linkage, it must not be derived from or related to information about the individual and must not otherwise be translatable to identify the person; a hash computed from the MRN or SSN is derived from the identifier and does not qualify under Safe Harbor. You must not use or disclose the code for any other purpose, must not disclose the re-identification mechanism, and must keep the key that maps codes back to individuals secure and separate from the de-identified data.
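As an added example (not code from this article or from Accountable), the following Python script applies the 18-identifier list above, the Safe Harbor method, and the re-identification-code rule to one constructed patient record: direct identifier fields are dropped, dates are reduced to years, an age over 89 is aggregated to “90+” with the birth year withheld, the ZIP code is generalized by the three-digit population rule, free text is scanned for identifier-shaped strings, and a random (not derived) code is issued with its key kept in a separate store. The field names, the sample record, the three-digit ZIP population table, and the regular expressions are assumptions made for illustration; real population figures come from Census data, and the free-text patterns are a first pass that supports, not replaces, human review.

```python
"""Safe Harbor de-identification of a constructed patient record.

Added example, not part of the original article. Field names, the
population table and the record itself are constructed for illustration.
"""
import re
import secrets
from datetime import date

# Fields holding Safe Harbor identifiers that are removed outright.
# The schema is an assumption about the source system.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "beneficiary_id", "account_no", "license_no", "vehicle_id", "device_serial",
    "url", "ip", "biometric", "photo",
}

# Date fields that may be released as year only.
KEEP_AS_YEAR = {"admission_date": "admission_year", "discharge_date": "discharge_year"}

# Constructed population per three-digit ZIP prefix. In practice this comes
# from Census data; prefixes covering 20,000 people or fewer must become 000.
ZIP3_POPULATION = {"021": 4_000_000, "036": 15_000, "595": 10_000}

# Identifier-shaped strings that commonly survive in free-text notes.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def generalize_zip(zip_code: str) -> str:
    """Keep the three-digit prefix only where its population exceeds 20,000."""
    prefix = zip_code[:3]
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20_000 else "000"


def age_on(dob: date, as_of: date) -> int:
    """Whole years between dob and as_of."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def redact_free_text(text: str):
    """Replace identifier-shaped substrings and report what was hit for review."""
    findings = []
    for label, pattern in FREE_TEXT_PATTERNS.items():
        text, hits = pattern.subn(f"[{label.upper()}]", text)
        if hits:
            findings.append(f"{label}:{hits}")
    return text, findings


def deidentify(record: dict, key_store: dict, as_of: date):
    """Return (safe_harbor_record, findings); the re-id key goes to key_store only."""
    out, findings = {}, []
    dob = record.get("dob")
    over_89 = dob is not None and age_on(dob, as_of) > 89
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue  # identifier: dropped
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field == "dob":
            if not over_89:  # a birth year would reveal an age over 89
                out["birth_year"] = value.year
        elif field in KEEP_AS_YEAR:
            out[KEEP_AS_YEAR[field]] = value.year
        elif field == "notes":
            out["notes"], hits = redact_free_text(value)
            findings.extend(hits)
        else:
            out[field] = value  # e.g. diagnosis codes, which are not identifiers
    if dob is not None:
        out["age"] = "90+" if over_89 else str(age_on(dob, as_of))
    # Random code, not derived from any identifier. A hash of the MRN or SSN
    # would be derived from the identifier and does not qualify.
    code = secrets.token_hex(8)
    key_store[code] = record["mrn"]  # kept separate from the released data
    out["reid_code"] = code
    return out, findings


# Constructed sample input and reference date.
AS_OF = date(2024, 4, 22)
SAMPLE_RECORD = {
    "mrn": "MRN-0042",
    "name": "Jane Q. Sample",
    "ssn": "123-45-6789",
    "email": "jane.sample@example.com",
    "zip": "03601",
    "dob": date(1930, 5, 14),
    "admission_date": date(2024, 3, 2),
    "diagnosis": "I10",
    "notes": "Pt called from 603-555-0123; follow-up 03/09/2024 with son.",
}
YOUNGER_RECORD = {**SAMPLE_RECORD, "dob": date(1990, 6, 1), "zip": "02139"}


def run_example():
    """De-identify both constructed records into one shared key store."""
    key_store = {}
    old, old_findings = deidentify(SAMPLE_RECORD, key_store, AS_OF)
    young, _ = deidentify(YOUNGER_RECORD, key_store, AS_OF)
    return old, old_findings, young, key_store


if __name__ == "__main__":
    released, review, _, keys = run_example()
    print("released:", released)
    print("needs review:", review)
    print("key store (never shipped with the data):", keys)
```

The findings list is the point of the free-text pass: each hit is evidence that the source system is leaking identifiers into notes, and a record with hits should be held for review rather than released on the strength of regex substitution alone.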

Roles of Covered Entities and Business Associates

Covered entities are health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions. Business associates are vendors or partners that create, receive, maintain, or transmit ePHI on behalf of covered entities (their subcontractors are also business associates).

Covered entity responsibilities

  • Publish and follow Privacy Rule policies; honor individual rights to access and amend.
  • Implement Security Rule safeguards, including risk analysis and workforce training.
  • Limit ePHI uses/disclosures to the minimum necessary and monitor access.
  • Execute and manage business associate agreements; oversee vendors’ compliance.

Business associate responsibilities

  • Comply with applicable HIPAA Security Rule requirements and relevant Privacy Rule provisions.
  • Use/disclose ePHI only as permitted by the agreement or law; report incidents and breaches.
  • Flow down obligations to subcontractors that handle ePHI.

Key takeaways

  • ePHI is PHI in electronic form handled by regulated entities.
  • Privacy Rule governs permissible use and disclosure; Security Rule governs protection.
  • The 18 identifiers make data “individually identifiable.” Remove all of them, with no actual knowledge that the remainder could identify the person, to meet Safe Harbor.
  • Some information—like FERPA records, employer HR files, or properly de-identified data—is not ePHI.

FAQs

What information is excluded from ePHI under HIPAA?

Excluded categories include: education records and certain student treatment records covered by FERPA; employment records held by a covered entity in its role as employer; data that a covered entity or business associate has properly de-identified; consumer health data held solely by non-HIPAA apps or devices not acting for a covered entity or business associate; aggregated, non-identifiable statistics; and information about individuals deceased for more than 50 years.

How does de-identification affect ePHI status?

Once information is properly de-identified under HIPAA—either by removing all 18 Safe Harbor identifiers with no actual knowledge that the remainder could identify the individual, or through Expert Determination that documents a very small risk—it is no longer PHI/ePHI and falls outside HIPAA. Note that limited data sets are not de-identified and remain PHI subject to a data use agreement. If de-identified data is later re-linked to an individual, it again becomes PHI/ePHI.

What are the 18 HIPAA identifiers?

The 18 identifiers are: names; geographic subdivisions smaller than a state; all elements of dates (except year) and ages over 89; telephone numbers; fax numbers; email addresses; Social Security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate/license numbers; vehicle identifiers and serial numbers; device identifiers and serial numbers; web URLs; IP addresses; biometric identifiers; full-face photographic images and comparable images; and any other unique identifying number, characteristic, or code.

How do covered entities handle ePHI compliance?

They conduct a risk analysis and manage risks; implement administrative, physical, and technical safeguards (access controls, encryption, audit logging, backups, facility and device protections); train the workforce; apply minimum necessary practices; monitor and respond to security events; and manage vendors through business associate agreements and oversight. Policies, documentation, and continuous improvement are essential to sustain HIPAA Privacy Rule and HIPAA Security Rule compliance.
