ePHI Explained: What Counts as Electronic PHI and How to Protect It

Definition of ePHI

Electronic protected health information (ePHI) is any individually identifiable health information created, received, maintained, or transmitted in electronic form by a covered entity or its business associate. If a data element can identify a person and relates to that person’s past, present, or future health status, care, or payment—and it’s stored or sent electronically—it is ePHI.

The “electronic” part is broad. ePHI spans electronic health records, patient portals, cloud storage, mobile devices, messaging systems, wearables, and backups. HIPAA’s Security Rule requires safeguards for ePHI through administrative, physical, and technical controls, while the Privacy Rule governs how you use and disclose that information.

What is not ePHI

• Data that has been properly de-identified under HIPAA (safe harbor or expert determination).
• Aggregated statistics that cannot identify an individual.
• Employment records held by a covered entity in its role as an employer.

Where ePHI commonly lives

• Electronic health record (EHR) systems and patient portals.
• Billing platforms, e-prescribing tools, clearinghouses, and payer systems.
• Email, secure messaging, telehealth platforms, and VoIP when used for care or payment.
• Cloud services, mobile devices, removable media, logs, and backups.

Examples of Electronic PHI

These examples illustrate how widely ePHI can appear across your environment. Context matters: an identifier becomes ePHI when linked to health information.

• Names, addresses, phone numbers, email addresses, and dates tied to a diagnosis, visit, or claim.
• Medical record numbers, account numbers, certificate/license numbers, and insurance member IDs.
• Device identifiers, serial numbers, IP addresses, and biometric identifiers associated with care.
• Clinical notes, lab results, imaging reports, and prescriptions stored in EHRs or PDFs.
• Patient portal messages, telehealth recordings, and secure chat transcripts discussing treatment.
• Wearable and remote monitoring data (heart rate, glucose readings) when it can identify a person.
• Scheduling data, referrals, authorization records, and payment or claims details.
• Audit logs that include user IDs and patient identifiers, even when the underlying record is not displayed.
• Backups, replicas, and archives containing patient identifiers and clinical content.

Legal Standards and Regulations

HIPAA provides the core legal framework for ePHI. Three rules matter most: the HIPAA Security Rule (Safeguards for ePHI), the Privacy Rule, and the Breach Notification Rule. The HITECH Act strengthened enforcement and clarified responsibilities for business associates handling ePHI.

HIPAA Security Rule

This rule requires a risk-based security program built on administrative, physical, and technical safeguards. You must perform a risk assessment, implement reasonable and appropriate Access Controls, establish audit and integrity controls, authenticate users, and protect transmissions. Encryption Standards are “addressable,” meaning you implement them when reasonable and appropriate—or document why an alternative measure manages the risk.

HIPAA Privacy Rule

The Privacy Rule governs permitted uses and disclosures, individual rights (including access and amendments), and the minimum necessary standard. It defines PHI, applies to covered entities and business associates, and intersects with the Security Rule whenever PHI is electronic.

Breach Notification Rule

When a breach of unsecured ePHI occurs, you must provide Data Breach Notification without unreasonable delay and no later than 60 calendar days after discovery. You notify affected individuals, the Department of Health and Human Services (HHS), and, for large incidents, the media. Business associates must notify covered entities of breaches they experience.

Other applicable laws

Depending on context, additional laws may apply, such as 42 CFR Part 2 for substance use disorder records, health-specific state privacy and security statutes, and general state breach-notification laws. Where laws differ, you follow the most protective requirements that apply to your operations.

Risks to ePHI

Threats to ePHI span people, process, and technology. Understanding these risks helps you target Technical Security Measures and administrative controls where they matter most.

• Phishing, credential theft, and business email compromise that lead to unauthorized access.
• Ransomware, data exfiltration, and destructive malware targeting EHRs and backups.
• Cloud misconfigurations (open storage, overbroad roles) exposing ePHI at scale.
• Unpatched systems, vulnerable VPNs, and insecure APIs enabling lateral movement.
• Lost or stolen laptops and mobile devices lacking full-disk encryption and remote wipe.
• Insider threats, from accidental mis-sends to intentional misuse of records.
• Third-party and supply-chain failures, including business associates with weak controls.
• Shadow IT and unsanctioned file sharing or messaging tools used for patient communications.
• Poor media sanitization and improper disposal of drives, copiers, and removable media.

Strategies to Protect ePHI

1) Build on a Risk Assessment

Start with a documented Risk Assessment that inventories systems, maps data flows, identifies threats and vulnerabilities, and rates likelihood and impact. Translate results into a risk treatment plan with assigned owners, timelines, and success metrics. Reassess after major changes or at least annually to keep safeguards aligned with evolving risks.

2) Strengthen Access Controls

• Use unique user IDs, least privilege, and role- or attribute-based access models.
• Enable multi-factor authentication (prefer phishing-resistant factors) for all remote and privileged access.
• Automate provisioning/deprovisioning, enforce strong passwords, and set session timeouts and automatic logoff.
• Adopt privileged access management with just-in-time elevation and detailed audit trails.

3) Apply Encryption Standards and Key Management

• Encrypt ePHI in transit (TLS 1.2/1.3) and at rest (e.g., AES-256 full-disk/database encryption).
• Use validated cryptographic modules (e.g., FIPS 140-2/140-3) where feasible.
• Centralize key management, rotate keys regularly, and restrict access to key material.
• Secure email by enforcing TLS and use secure messaging for clinical communications.

4) Deploy Technical Security Measures

• Harden endpoints and servers, maintain a rapid patch program, and run EDR/XDR across devices.
• Segment networks, protect internet-facing services with firewalls and web application firewalls, and restrict east-west traffic.
• Enable comprehensive logging, retain audit logs, and monitor them via a SIEM with alerting and response playbooks.
• Implement data loss prevention, malware protection, and secure configuration baselines for cloud services.

5) Protect the Data Life Cycle

• Validate data integrity with hashing and change monitoring, and reconcile logs to detect tampering.
• Apply retention schedules, track media, and sanitize or destroy devices before reuse or disposal.
• Use immutable, offline, or air-gapped backups; test restores regularly to meet recovery objectives.

6) Manage Vendors and Business Associates

• Execute business associate agreements that define safeguards for ePHI and incident reporting duties.
• Perform due diligence and ongoing oversight: security questionnaires, evidence reviews, and corrective actions.
• Clarify shared-responsibility models with cloud and telehealth providers and verify their controls.

7) Prepare People and Processes

• Deliver security awareness training focused on phishing, data handling, and incident reporting.
• Run tabletop exercises and technical drills for incident response and Data Breach Notification.
• Maintain tested business continuity and disaster recovery plans aligned to clinical priorities.

Compliance Requirements

Administrative safeguards

• Security management process: perform a Risk Assessment and implement risk mitigation.
• Assign a security official; define workforce security, information access management, and sanctions.
• Security awareness and training for all workforce members, including phishing education.
• Contingency planning: data backup, disaster recovery, and emergency mode operations.
• Periodic evaluation of your program’s effectiveness and updates after environmental or operational changes.
• Business associate management with executed agreements and documented oversight.
• Policies and procedures documented and retained for at least six years from last effective date.

Physical safeguards

• Facility access controls and visitor management for areas housing systems with ePHI.
• Workstation use and security standards for clinical areas and remote work.
• Device and media controls: inventory, movement tracking, backup, reuse, and secure disposal.

Technical safeguards

• Access Controls: unique IDs, emergency access procedures, automatic logoff, and encryption/decryption.
• Audit controls that capture, retain, and review access and activity in systems with ePHI.
• Integrity controls to prevent and detect improper alteration or destruction.
• Person or entity authentication to verify users and devices.
• Transmission security to protect ePHI over networks with strong encryption and secure protocols.

Breach response and notification

• Maintain an incident response plan with roles, escalation paths, forensics, and communication steps.
• Assess incidents to determine whether a breach occurred and whether ePHI was compromised.
• Provide notifications without unreasonable delay and no later than 60 days from discovery, following HIPAA requirements.

Best Practices for ePHI Security

• Adopt a zero trust mindset: verify explicitly, enforce least privilege, and assume breach.
• Use phishing-resistant MFA for all remote access and administrative accounts.
• Automate configuration management and continuous vulnerability scanning with risk-based patch SLAs.
• Harden cloud identities and roles; regularly review permissions and eliminate standing admin rights.
• Implement microsegmentation for clinical systems and isolate backups from production networks.
• Instrument comprehensive logging and map detections to known attack techniques.
• Validate Encryption Standards and key lifecycles; monitor for encryption failures and weak ciphers.
• Test disaster recovery, run restore drills, and maintain offline or immutable backup copies.
• Apply secure software development practices and monitor third-party components.
• Regularly re-certify user access, especially for high-risk systems and shared mailboxes.
• Document decisions where “addressable” safeguards are not implemented and track compensating controls.

Conclusion

ePHI includes any identifiable health information in electronic form, and protecting it requires a risk-driven program grounded in the HIPAA Security Rule. By combining strong Access Controls, sound Encryption Standards, vigilant monitoring, and disciplined governance, you can reduce exposure, meet compliance obligations, and keep patient trust at the center of your care.

FAQs

What information qualifies as ePHI?

Any electronic data that identifies a person and relates to health status, care, or payment is ePHI. That includes identifiers like names, MRNs, account numbers, contact information, device IDs, and IP addresses when linked to diagnoses, clinical notes, lab results, prescriptions, scheduling, or claims. Properly de-identified data and employment records held in an employer capacity are not ePHI.

How is ePHI protected under HIPAA?

HIPAA’s Security Rule requires administrative, physical, and technical safeguards tailored by a Risk Assessment. Core protections include Access Controls, audit and integrity controls, authentication, and secure transmission. Encryption Standards are addressable but widely expected. The Privacy Rule sets rules for use and disclosure, and the Breach Notification Rule governs notifications if unsecured ePHI is compromised.

What are common threats to ePHI?

Frequent threats include phishing and credential theft, ransomware and data exfiltration, misconfigured cloud services, unpatched systems, lost or stolen mobile devices, insider misuse, and weaknesses in business associates. Shadow IT, insecure APIs, and poor media sanitization also expose ePHI.

How can organizations ensure ePHI compliance?

Begin with a thorough Risk Assessment and implement safeguards aligned to identified risks. Enforce strong Access Controls and Technical Security Measures, encrypt data in transit and at rest, train the workforce, execute business associate agreements, document policies and decisions, monitor continuously, and maintain tested incident response and Data Breach Notification processes.