ePHI vs. Non‑ePHI: HIPAA Definitions, Practical Examples, and Risks
ePHI Definition
Electronic Protected Health Information (ePHI) is Protected Health Information that a covered entity or business associate creates, receives, maintains, or transmits in electronic form. The medium, not the system, determines its status—if the data is electronic anywhere in its lifecycle, it is ePHI.
ePHI can live in EHR platforms, secure messaging tools, cloud storage, databases, email, backups, and portable media. It includes text, images, audio, video, logs, and metadata when any HIPAA identifier can be tied to a person’s past, present, or future health, care, or payment.
Non-ePHI Definition
Non-ePHI includes two categories: PHI that is not electronic (paper or oral) and information that is not PHI at all. Paper charts, faxes, and verbal disclosures are PHI but not ePHI; they are covered by HIPAA’s Privacy Rule, not the Security Rule.
Data that is not PHI includes properly de-identified datasets, employment records held in an employer role, and education records under FERPA. Consumer wellness data kept outside covered entity workflows is generally not PHI; however, if you share it with a provider or plan, it can become ePHI.
Examples of ePHI
- EHR notes, problem lists, allergies, and care plans tied to patient identifiers.
- Patient portal messages, telehealth chat logs, and video session files stored by a provider.
- Diagnostic images (DICOM), waveforms, and pathology slides linked to a patient.
- e-Prescribing records, medication histories, and pharmacy claims with member IDs.
- Lab results PDFs, HL7/FHIR messages, and CCD/CCDA exports containing identifiers.
- Billing system exports, remittance files, and eligibility checks with names and DOBs.
- Spreadsheets or CSVs with MRNs, email addresses, or phone numbers saved on a laptop.
- Backups, audit logs, and cloud object storage holding any identifiable health data.
- IoT or wearable device feeds routed to a clinic’s system or a business associate’s platform.
Examples of Non-ePHI
PHI that is not electronic
- Printed face sheets, consent forms, and mailed explanation-of-benefits statements.
- Verbal handoffs, phone updates to family with permission, and in-person consultations.
- Paper sign-in sheets and whiteboard schedules used within reasonable privacy practices.
- Analog films or microfiche stored in a locked cabinet with facility controls.
Information that is not PHI
- De-identified health datasets meeting HIPAA de-identification standards.
- Aggregated statistics with no individual identifiers (e.g., clinic-level trends).
- Employment records kept by an employer (e.g., FMLA paperwork in HR systems).
- Education records covered by FERPA rather than HIPAA.
- Wellness app data retained solely by the consumer and not shared with a provider or plan.
Note that paper PHI becomes ePHI the moment you scan, photograph, or key it into an electronic system controlled by a covered entity or business associate.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Risks to ePHI
Common threats include ransomware, phishing-driven account takeover, and business email compromise. Misconfigured cloud storage, exposed APIs, or shared credentials can enable unauthorized access, exfiltration, or data integrity loss.
Lost or stolen devices without full-disk encryption, weak mobile controls, and unsanctioned file sharing increase exposure. Insider snooping, excessive privileges, and inadequate audit logging undermine protected health information handling and incident response.
Practical data breach risk management focuses on end-to-end controls: hardening endpoints and servers, enforcing multifactor authentication, patching, encrypting data in transit and at rest, monitoring logs, testing backups, and validating recovery. Regular risk analyses guide priorities and remediation.
Risks to Non-ePHI
For PHI in paper or verbal form, risks include improper disposal, theft of files, overheard conversations, misdirected mail, and faxes sent to the wrong number. Physical security gaps and inadequate workforce training often drive these incidents.
For data outside HIPAA, reidentification and uncontrolled data sharing remain concerns. When combined with other datasets or moved into a covered workflow, previously non-PHI information can quickly become ePHI—expanding your obligations and liability.
HIPAA Security Rule Requirements
Overview
The HIPAA Security Rule establishes safeguards to ensure the confidentiality, integrity, and availability of ePHI. It is risk-based, scalable, and technology-neutral, allowing you to implement “reasonable and appropriate” measures for your environment.
Administrative Safeguards
- Risk analysis and risk management to identify, prioritize, and mitigate threats.
- Assigned security responsibility, workforce security, and role-based access management.
- Security awareness and training, plus sanction policies for violations.
- Contingency planning: data backup, disaster recovery, and emergency operations.
- Security incident procedures and ongoing evaluations of safeguards.
- Business Associate Agreements defining responsibilities for Electronic Protected Health Information.
Technical Safeguards
- Access controls: unique user IDs, emergency access, automatic logoff, and encryption.
- Audit controls to record and examine activity in systems handling ePHI.
- Integrity protections to prevent improper alteration or destruction of data.
- Authentication of users and entities interacting with systems.
- Transmission security, including encryption and protections against spoofing and tampering.
Physical Safeguards
- Facility access controls and visitor management for data centers and clinics.
- Workstation use and security standards to reduce viewing and theft risks.
- Device and media controls: secure disposal, media reuse, tracking, and backup storage.
Policies, Documentation, and Governance
Create written policies and procedures, implement them operationally, and retain documentation for at least six years. Review controls regularly, document “required” versus “addressable” decisions, and align with your overall data breach risk management program.
Conclusion
Understanding ePHI vs. Non-ePHI clarifies which safeguards the HIPAA Security Rule mandates and where additional controls are prudent. By classifying data accurately, implementing administrative, technical, and physical safeguards, and training your workforce, you reduce risk while enabling compliant, effective care.
FAQs
What is the difference between ePHI and non-ePHI?
ePHI is PHI in electronic form that a covered entity or business associate creates, receives, maintains, or transmits. Non-ePHI is either PHI in paper or verbal form, or information that is not PHI at all (such as de-identified or non-health records).
Which types of data are considered ePHI?
Any identifiable health information stored or moved electronically—EHR entries, telehealth chats, diagnostic images, e-prescribing data, lab results, billing files, backups, and logs—qualifies as ePHI when tied to a person’s identity and care, payment, or operations.
What are the main risks to electronic PHI?
Top risks include ransomware, phishing, misconfigured cloud services, lost or unencrypted devices, excessive access, weak logging, insecure APIs, and insider misuse. Strong access controls, encryption, monitoring, backups, and regular risk analyses help mitigate these threats.
How does HIPAA protect ePHI?
The HIPAA Security Rule requires Administrative Safeguards, Technical Safeguards, and Physical Safeguards to protect the confidentiality, integrity, and availability of ePHI. It is risk-based and expects reasonable, documented measures suited to your environment.