ePHI Explained: What Qualifies, What Doesn’t, and Common Non-Examples

Kevin Henry

HIPAA

April 20, 2024

7 minutes read

Definition of Electronic Protected Health Information

Electronic Protected Health Information (ePHI) is individually identifiable health information that is created, received, maintained, or transmitted in electronic media by a Covered Entity or its Business Associate. It relates to an individual’s past, present, or future physical or mental health or condition, the provision of health care, or payment for that care.

In practical terms, ePHI is the electronic subset of Protected Health Information (PHI). If the same data exists only on paper, it is still PHI but not ePHI. The distinction matters because the Privacy Rule covers PHI in any form, while the Security Rule applies specifically to ePHI: when you handle ePHI, you must implement its administrative, physical, and technical safeguards for confidentiality, integrity, and availability.

Covered Entities are health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with a HIPAA standard transaction (for example, claims or eligibility checks). Business Associates are vendors or partners that create, receive, maintain, or transmit PHI, including ePHI, on behalf of a Covered Entity. Both are directly responsible for protecting Health Information Privacy.

Electronic media includes EHR systems, databases, cloud storage, servers, laptops, mobile devices, removable drives, email, secure messaging, patient portals, and telehealth platforms that record sessions. Employment records held by a Covered Entity in its role as employer and FERPA-protected education records are expressly excluded from HIPAA’s PHI definition, even when health-related.

Examples of Electronic Protected Health Information

You encounter ePHI whenever identifiable health information is in digital form within a health care or health plan context. Common examples include:

  • EHR entries, problem lists, allergies, immunizations, lab results, and care plans stored in an electronic system.
  • Digital imaging (e.g., DICOM X‑rays, MRIs, ultrasounds) linked to a patient’s identity or medical record number.
  • Telehealth notes, chat transcripts, secure messages, portal inboxes, and recorded virtual visits that identify a patient.
  • E‑prescriptions, e‑referrals, electronic prior authorizations, and eligibility/claims files that include identifiers.
  • Billing records, remittance advices, and payment histories held by a provider or health plan about an identifiable individual.
  • Account, device, and network identifiers (e.g., patient account numbers, IP addresses, device serial numbers) when tied to care, treatment, or payment.
  • Wearable or home‑monitoring data integrated into a Covered Entity’s system or processed by a Business Associate for care management.
  • Backups, audit logs, and metadata containing identifiers about an individual’s diagnosis, treatment, or coverage.

Common Non-Examples of ePHI

Not every piece of digital information related to health is ePHI. Typical non-examples include:

  • Non-Electronic Health Records that only ever exist on paper (these are PHI, but not ePHI).
  • Properly de-identified datasets, where the specified identifiers have been removed (Safe Harbor) or a qualified expert has documented that the re-identification risk is very small (Expert Determination).
  • Aggregated statistics that cannot be used to identify an individual (for example, clinic-wide infection rates with no identifiers).
  • Consumer fitness or wellness app data handled entirely outside a Covered Entity/Business Associate relationship.
  • Employment records maintained by an employer in its role as employer (e.g., FMLA certifications, drug test results in HR files).
  • Educational records protected by the Family Educational Rights and Privacy Act (FERPA) that are maintained by a school.

Context matters. The same data element—like an email address—can become ePHI if it is linked to diagnosis, treatment, or payment inside a Covered Entity’s system.

De-Identified Health Information and Its Status

Under HIPAA, information that has been properly de-identified is not PHI and therefore not ePHI. De-Identification can occur via two recognized methods: Expert Determination (a qualified expert finds the risk of re-identification to be very small and documents the analysis) or Safe Harbor (removal of specified identifiers).

Safe Harbor requires removing 18 categories of identifiers of the individual and of the individual’s relatives, employers, and household members: names; geographic subdivisions smaller than a state (street address, city, county, precinct, and ZIP code, except that the first three digits of a ZIP code may be kept when the area sharing that prefix has more than 20,000 people, and are otherwise replaced with 000); all elements of dates (except year) directly related to an individual, such as birth, admission, discharge, and death dates, plus any age over 89 and any date element, including year, that would reveal such an age (ages 90 and above may be aggregated into a single category); telephone and fax numbers; email addresses; Social Security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate and license numbers; vehicle identifiers and serial numbers, including license plates; device identifiers and serial numbers; URLs; IP addresses; biometric identifiers, including finger and voice prints; full-face photographs and comparable images; and any other unique identifying number, characteristic, or code. The Covered Entity must also have no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual.

Be careful not to confuse a Limited Data Set with de-identified data. A Limited Data Set strips the direct identifiers (names, postal addresses other than town or city, state, and ZIP code, phone and fax numbers, email addresses, Social Security numbers, medical record and health plan beneficiary numbers, account numbers, certificate and license numbers, vehicle and device identifiers, URLs, IP addresses, biometric identifiers, and full-face images) but may retain dates, ages, and city-, state-, and ZIP-level geography. It remains PHI and may be used or disclosed only for research, public health, or health care operations under a data use agreement.
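To make the difference between the two Safe Harbor treatments and a Limited Data Set concrete, here is an added example (not code from the original article or from any product it describes) that applies both to one constructed patient record. The record, its field names, and the ZIP-prefix population table are assumptions for illustration; the identifier categories follow the Safe Harbor and Limited Data Set rules summarized above. Note that Safe Harbor also requires the entity to have no actual knowledge that the remaining data could identify the individual, which no code can check for you.

```python
"""Safe Harbor vs. Limited Data Set handling of one constructed patient record.

Added example; not from the original article. Field names, the sample record and
the ZIP-prefix population table are assumptions. Safe Harbor's "no actual knowledge"
condition is a judgement the Covered Entity must make outside this code.
"""
import re
from datetime import date

# Direct identifiers: dropped under both methods (field names are assumptions).
DIRECT_ID_FIELDS = {
    "name", "street", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_no", "license_no", "vehicle_id", "device_serial", "url", "ip",
    "biometric", "photo",
}
# Quasi-identifiers: a Limited Data Set may keep them; Safe Harbor generalises or drops them.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}
SUB_STATE_GEO_FIELDS = {"city", "county", "zip"}   # "state" itself may stay

# Assumed population per 3-digit ZIP prefix; a real pipeline would use census data.
ZIP3_POPULATION = {"021": 500_000, "036": 12_000}

# Identifiers that leak into free-text notes (illustrative patterns, not exhaustive).
TEXT_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "ip":    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}
DATE_PATTERN = re.compile(r"\b\d{4}-\d{2}-\d{2}\b")

AS_OF = date(2024, 4, 20)   # assumed "today" for the age computation

SAMPLE_RECORD = {   # constructed sample, not real patient data
    "name": "Jane Q. Sample",
    "dob": date(1931, 3, 14),
    "admit_date": date(2024, 2, 2),
    "street": "12 Elm St",
    "city": "Boston",
    "state": "MA",
    "zip": "02115",
    "email": "jane@example.com",
    "mrn": "MRN-00812",
    "diagnosis_code": "E11.9",
    "notes": "Pt called from 617-555-0100, follow-up 2024-02-09, contact jane@example.com",
}


def safe_harbor_zip(zip_code):
    """Keep the 3-digit prefix only if its area has more than 20,000 people, else 000."""
    z3 = zip_code[:3]
    return z3 if ZIP3_POPULATION.get(z3, 0) > 20_000 else "000"


def age_on(dob, as_of):
    """Whole years between dob and as_of."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def scrub_text(text, strip_dates):
    """Replace direct identifiers in free text; dates go only under Safe Harbor."""
    for label, pat in TEXT_PATTERNS.items():
        text = pat.sub(f"[{label}]", text)
    if strip_dates:
        text = DATE_PATTERN.sub("[date]", text)
    return text


def to_limited_data_set(rec):
    """Drop direct identifiers, keep dates and city/state/ZIP. The result is still PHI."""
    out = {k: v for k, v in rec.items() if k not in DIRECT_ID_FIELDS}
    if "notes" in out:
        out["notes"] = scrub_text(out["notes"], strip_dates=False)
    return out


def to_safe_harbor(rec, as_of=AS_OF):
    """Apply the Safe Harbor removals and generalisations."""
    out = {}
    for k, v in rec.items():
        if k in DIRECT_ID_FIELDS:
            continue
        if k == "zip":
            out["zip3"] = safe_harbor_zip(v)
        elif k in SUB_STATE_GEO_FIELDS:
            continue                            # anything below state level goes
        elif k in DATE_FIELDS:
            out[k + "_year"] = v.year           # only the year survives
        elif k == "notes":
            out[k] = scrub_text(v, strip_dates=True)
        else:
            out[k] = v
    if "dob" in rec:
        age = age_on(rec["dob"], as_of)
        if age > 89:
            out["age"] = "90+"                  # aggregate ages over 89
            out.pop("dob_year", None)           # a birth year would reveal that age
        else:
            out["age"] = age
    return out


if __name__ == "__main__":
    print(to_limited_data_set(SAMPLE_RECORD))
    print(to_safe_harbor(SAMPLE_RECORD))
```

The Limited Data Set output keeps the birth and admission dates and the city and full ZIP code, which is exactly why it stays PHI and needs a data use agreement. The Safe Harbor output keeps only the state, a population-checked ZIP prefix, the year of admission and a "90+" age bucket, and it drops the birth year because for a 93-year-old the year alone would disclose an age over 89. Free-text fields are the usual failure point: the notes here carry a phone number, a date and an email address that a field-level filter alone would miss.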

Employment and Educational Records Exclusions

HIPAA excludes employment records held by a Covered Entity in its role as employer. If you administer HR files—like workplace injury logs, immunization status for credentialing, disability accommodations, or FMLA paperwork—those records are not PHI/ePHI under HIPAA, even though they are health-related. Other laws may still apply.

FERPA governs student educational records, including most school health clinic records maintained by an educational institution. Because FERPA applies, those records are not PHI/ePHI under HIPAA. However, if a community provider treats a student and stores those records in its own EHR, that provider’s copy is PHI/ePHI and subject to HIPAA Compliance.

When the same information exists in multiple places, the governing rule depends on who holds it and in what capacity: employer (employment record), school (FERPA), or Covered Entity/Business Associate (PHI/ePHI).

Health Information Outside Covered Entities

Health-related data generated or stored entirely outside a Covered Entity/Business Associate context—such as a standalone wellness app, a consumer wearable, or a health content website—typically is not PHI/ePHI. It may be protected by consumer privacy laws or contracts, but not by HIPAA.

If your app or vendor contracts with a provider or health plan as a Business Associate to handle identifiable data for care, payment, or operations, the same data becomes PHI/ePHI while processed under that relationship. The contractual role and purpose—not just the type of data—determine HIPAA applicability.

Because Health Information Privacy expectations vary across settings, map the data flows and actors (Covered Entity, Business Associate, or neither) before deciding how to safeguard the data.

Identifiers by themselves—like a name, phone number, or email—are not ePHI unless they are linked to health care delivery, condition, or payment within a Covered Entity/Business Associate environment. Context turns identifiers into Electronic Protected Health Information.

For example, a bank statement showing a card payment to “Main Street Clinic” may be consumer financial data, not ePHI. Inside the clinic’s billing system, the corresponding transaction tied to diagnoses or procedure codes is ePHI. Similarly, a home address in a practice management system becomes ePHI when associated with treatment or payment records.

Summary

  • ePHI is PHI in electronic form handled by a Covered Entity or Business Associate for care, payment, or operations.
  • Proper de-identification removes data from HIPAA’s PHI scope; Limited Data Sets remain PHI.
  • Employment records and FERPA-governed educational records are excluded from HIPAA’s PHI definition.
  • Non-Electronic Health Records are PHI but not ePHI; consumer-only app data is usually outside HIPAA unless a BA role exists.

FAQs

What types of information are classified as ePHI?

Any electronic record that identifies an individual and relates to health status, care provided, or payment—such as EHR notes, lab results, portal messages, claims files, imaging linked to a patient, and audit logs containing identifiers—counts as ePHI when handled by a Covered Entity or Business Associate.

What kinds of records are excluded from ePHI?

Employment records maintained by an employer, FERPA-protected educational records, properly de-identified datasets, and consumer app data outside a Covered Entity/Business Associate context are excluded. Paper-only records are PHI but not ePHI.

How is de-identified health information treated under HIPAA?

Once health information is de-identified using Safe Harbor or Expert Determination, it is no longer PHI/ePHI under HIPAA. Limited Data Sets, which retain certain quasi-identifiers, remain PHI and require a data use agreement.

What distinguishes employment records from ePHI?

It depends on the holder’s role. The same health detail can be an employment record (when kept by an employer for HR purposes) and not PHI/ePHI, yet be ePHI within a provider’s EHR. HIPAA focuses on the context and the entity’s role, not just the content of the record.
