ePHI vs. Non‑ePHI: Clear Definitions, Examples, and Compliance Requirements
Electronic Protected Health Information Definitions
Electronic protected health information (ePHI) is Protected Health Information that is created, received, maintained, or transmitted in electronic form by Covered Entities or their Business Associates. PHI itself is any individually identifiable health information linked to a person’s past, present, or future health status, care, or payment for care.
Think of ePHI as a format distinction: when PHI exists in systems or media like databases, email, cloud storage, or mobile devices, it is ePHI. If the same information is printed or spoken, it is still PHI but no longer electronic.
What counts as “electronic”
- Data at rest in EHRs, clinical systems, billing platforms, data warehouses, or cloud repositories.
- Data in motion over networks: emails, secure messaging, APIs, SFTP, and telehealth streams.
- Data on devices and media: laptops, tablets, smartphones, servers, backups, USB drives, and removable media.
Identifiers that make health data PHI
When health-related content is combined with direct or indirect identifiers—such as name, address, email, phone, medical record number, account numbers, full-face photos, device IDs, or IP addresses—it becomes PHI. If this PHI is in electronic form, it is ePHI.
Non-electronic PHI Overview
Non-electronic PHI is PHI in paper or oral form. It includes printed records, hand-written notes, labels, wristbands, postal mail, and conversations. While the HIPAA Security Rule governs ePHI, the HIPAA Privacy Rule requires reasonable safeguards for PHI in any form, including non-electronic.
You must still prevent unauthorized viewing, handling, or disclosure of non-electronic PHI through practical, documented measures that fit your operations and risks.
Common non-electronic forms
- Paper charts, printed lab reports, consent forms, and mailed explanations of benefits.
- Spoken PHI during consultations, shift handoffs, or phone calls.
- Physical media such as x‑ray films, pathology slides, or labeled specimen containers.
Examples of ePHI
- Entries in an EHR or practice management system, including demographics and problem lists.
- Electronic claims, eligibility files, and remittance data exchanged with payers.
- Patient portal messages, telehealth recordings, and secure chat transcripts.
- E‑prescriptions, e‑referrals, and attached digital images (e.g., wound photos).
- Spreadsheets tracking patients, care registries, or quality dashboards stored on shared drives or cloud storage.
- Email with patient identifiers or clinical details, whether encrypted or not.
- Server backups, audit logs, and device telemetry that include identifiers tied to health information.
- Data from a health app or wearable when the app vendor acts as a Business Associate for a Covered Entity.
Examples of Non-ePHI
- Printed visit summaries, after-visit instructions, and discharge packets.
- Paper faxes of lab results or radiology reports.
- Handwritten notes from clinicians, rounding lists, and paper sign-in sheets with identifiers.
- Verbal disclosures during care coordination or insurance appeals.
- Patient wristbands, specimen labels, mailing labels, or prescription pads bearing identifiers.
- X‑ray films, or image CDs handed to patients (once an item has been printed or handed over on physical media, with no electronic transmission under your control, treat the physical item accordingly).
HIPAA Compliance for ePHI
The HIPAA Security Rule requires a risk-based program built on Administrative Safeguards, Physical Safeguards, and Technical Safeguards. Covered Entities and Business Associates must implement policies and procedures, document decisions, and review them periodically.
Administrative Safeguards
- Perform and update a risk analysis; implement risk management plans with priorities and timelines.
- Assign security responsibility; define workforce roles, access approvals, and sanctions.
- Train the workforce on security and privacy; enforce the minimum necessary standard.
- Establish contingency planning: data backup, disaster recovery, and emergency operations.
- Manage Business Associates with written agreements and ongoing oversight.
- Develop incident response and breach notification procedures with clear decision trees.
Physical Safeguards
- Facility access controls, visitor management, and environmental protections for server rooms.
- Workstation use and security standards: privacy screens, auto‑lock, and secure locations.
- Device and media controls: inventories, encryption before reuse, secure destruction, and chain‑of‑custody.
Technical Safeguards
- Access controls with unique user IDs, role-based access, and strong authentication (e.g., MFA).
- Audit controls: centralized logging, alerting, and regular review of access and admin activity.
- Integrity protections: hashing, digital signatures, and change monitoring to prevent improper alteration.
- Transmission security: encryption in transit; secure protocols for APIs, email gateways, and VPNs.
- Encryption at rest for servers, databases, and endpoints; key management and device encryption enforcement.
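As an added illustration of the integrity and audit themes in the list above (this is example code written for this page, not code from the article or from Accountable), the following Python builds a keyed-hash (HMAC-SHA256) manifest over a set of ePHI export files and later re-checks the tree, reporting anything modified, missing, or unexpectedly added. The file names, record contents and the demo key are constructed for the demonstration.

```python
"""Added example (not from the original article): a minimal file-integrity
control of the kind the Technical Safeguards list calls for. A keyed hash
manifest is built over ePHI files and later re-verified; any file whose
contents changed, disappeared, or appeared without being baselined is
reported. All file names, contents and the key are constructed."""
import hashlib
import hmac
import json
import os
import secrets
import tempfile

# Constructed demo key. In a real deployment the key lives in a KMS/HSM or
# secrets manager, never on the same share as the data it protects.
DEMO_KEY = secrets.token_bytes(32)


def file_mac(path, key):
    """Keyed hash of a file's contents, read in chunks so large exports
    (backups, imaging studies) need not fit in memory."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_manifest(root, key):
    """Map each file under root (path relative to root) to its HMAC."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = file_mac(full, key)
    return manifest


def verify_manifest(root, key, manifest):
    """Compare the current tree against a stored manifest and return
    sorted lists of modified, missing and unexpected paths."""
    current = build_manifest(root, key)
    modified = [p for p in manifest
                if p in current and not hmac.compare_digest(current[p], manifest[p])]
    missing = [p for p in manifest if p not in current]
    unexpected = [p for p in current if p not in manifest]
    return {"modified": sorted(modified),
            "missing": sorted(missing),
            "unexpected": sorted(unexpected)}


def demo():
    """Baseline two constructed records, then simulate an improper
    alteration of one and the appearance of a stray file."""
    with tempfile.TemporaryDirectory() as root:
        records = {  # constructed sample ePHI records
            "mrn-000001.json": json.dumps({"mrn": "000001", "problem": "constructed"}),
            "mrn-000002.json": json.dumps({"mrn": "000002", "problem": "constructed"}),
        }
        for name, body in records.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        baseline = build_manifest(root, DEMO_KEY)
        # A clean tree verifies with nothing to report.
        assert verify_manifest(root, DEMO_KEY, baseline) == {
            "modified": [], "missing": [], "unexpected": []}
        # Simulated tampering: append to one record, drop in an unknown file.
        with open(os.path.join(root, "mrn-000001.json"), "a") as fh:
            fh.write("\n")
        with open(os.path.join(root, "stray.txt"), "w") as fh:
            fh.write("constructed")
        return verify_manifest(root, DEMO_KEY, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A keyed hash is used rather than a plain SHA-256 manifest so that someone who can alter a record cannot simply regenerate the manifest to match; the verification result is what an audit-control pipeline would log and alert on.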
Program governance
- Policies, procedures, and documentation to show how each Security Rule standard is met.
- Periodic evaluations, penetration tests or security assessments, and remediation tracking.
- Data lifecycle management: collection, use, sharing, retention, and disposal of ePHI.
Compliance Considerations for Non-ePHI
For paper and oral PHI, apply “reasonable safeguards” under the HIPAA Privacy Rule and parallel state laws. Even though the Security Rule targets ePHI, similar control themes still apply in practical terms.
Reasonable safeguards in practice
- Physical: locked rooms and cabinets, badge access, clean‑desk policies, and visitor escorting.
- Administrative: policies for minimum necessary use, call‑back verification, and mailroom QA checks.
- Operational: cover sheets for faxes, no‑read‑back zones, and controlled destruction (cross‑cut shredding, secure bins).
Workforce and vendor management
- Train staff on handling, transporting, and disposing of paper PHI and on appropriate conversations in public areas.
- Execute and monitor Business Associate Agreements covering PHI in any form handled by vendors (e.g., storage, shredding, courier services).
Incident handling
- Establish procedures for lost paper records, misdirected mail, or overheard disclosures, including risk assessments and notifications when required.
- Maintain a record of disclosures and document mitigation steps for each incident.
Importance of Differentiating ePHI and Non-ePHI
Distinguishing ePHI from non‑electronic PHI helps you apply the right safeguards, budget wisely, and respond correctly to incidents. It clarifies which HIPAA standards apply, where encryption can provide safe harbor, and how to structure vendor contracts and audits.
How the distinction informs your program
- Risk management: identify systems and physical locations where PHI resides to prioritize controls.
- Control selection: apply Technical Safeguards to ePHI systems; emphasize physical and administrative measures for paper and oral PHI.
- Incident response: tune playbooks for lost devices, misdirected emails, misrouted faxes, or overheard conversations.
- Data governance: set retention and secure disposal rules for each medium to minimize exposure.
Summary
ePHI is PHI in electronic form and is governed by the HIPAA Security Rule’s Administrative, Physical, and Technical Safeguards. Non‑electronic PHI remains fully protected under the HIPAA Privacy Rule through reasonable safeguards. Knowing the difference ensures your policies, technologies, and vendor agreements protect patients and keep your organization compliant.
FAQs
What types of information qualify as ePHI?
Any individually identifiable health information held or transmitted electronically by a Covered Entity or Business Associate is ePHI. That includes clinical notes in an EHR, billing files, portal messages, telehealth audio/video, emails with identifiers, digital images, device logs tied to patients, and backups containing PHI.
How does HIPAA compliance differ for ePHI and Non-ePHI?
ePHI is subject to the HIPAA Security Rule, which mandates Administrative, Physical, and Technical Safeguards and documented risk management. Non‑electronic PHI is not covered by the Security Rule but must still be protected under the HIPAA Privacy Rule using reasonable safeguards such as locked storage, strict handling procedures, and workforce training.
What safeguards are required for electronic PHI?
You need Administrative Safeguards (risk analysis, training, contingency planning, BA oversight), Physical Safeguards (facility access, workstation security, device/media controls), and Technical Safeguards (access control, audit logging, integrity controls, transmission security, and encryption). Policies, procedures, and periodic evaluations are required to demonstrate compliance with the HIPAA Security Rule.
What are examples of information that is not considered ePHI?
PHI that is not in electronic form—such as paper records or spoken information—is not ePHI (though it is still PHI). Information that is not PHI at all under HIPAA includes properly de‑identified data, education records under FERPA, employment records held by an employer, and consumer health data collected by apps that are not acting for a Covered Entity or Business Associate. Other laws may still apply, but it is not ePHI under HIPAA.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.