Examples of ePHI: What Counts as Electronic Protected Health Information Under HIPAA

Kevin Henry

HIPAA

August 27, 2025

7 minutes read

Under the Health Insurance Portability and Accountability Act, electronic protected health information (ePHI) is any individually identifiable health information that a covered entity or its business associate creates, receives, transmits, or maintains in electronic form. The HIPAA Privacy Rule defines what qualifies as PHI, while the HIPAA Security Rule sets the safeguards you must apply to protect ePHI across its lifecycle.

This guide walks through clear examples of ePHI you handle every day—from Electronic Health Record Systems to billing files—and highlights practical steps for Covered Entity Compliance, Business Associate Obligations, and when De-identification Standards can remove data from HIPAA scope.

Electronic Health Records

Information stored in Electronic Health Record Systems is ePHI because it ties clinical details to an identifiable individual. That includes data you document, import, exchange, or archive, plus the metadata your system generates while you use it.

Common examples

  • Patient demographics, insurance details, problem lists, diagnoses, medications, allergies, immunizations, and care plans.
  • Lab and imaging results, vitals, flowsheets, and structured device data ingested via interfaces (HL7, FHIR, APIs).
  • Clinical notes (progress, operative, discharge), attachments (PDFs, photos), and scanned paper records stored electronically.
  • Patient portal content: submitted forms, questionnaires, consents, and messages attached to the chart.
  • EHR-generated artifacts: audit logs, encounter IDs, user IDs, timestamps, and access reports linked to a patient.

Compliance pointers

Digital Imaging

Digital medical images and their headers are ePHI when they identify a patient or are reasonably linkable to one. This spans radiology (DICOM X-ray, CT, MRI), cardiology (echo), pathology whole-slide images, ophthalmic scans, and clinical photography.

Common examples

  • DICOM files containing patient name, MRN, accession number, study date/time, and embedded annotations.
  • Clinical photos (including full-face photos, which are direct identifiers), wound images, and dermatology pictures stored in image libraries.
  • Pathology and ophthalmology images paired with case numbers and report links.

Pitfalls and safeguards

  • Remove identifiers from DICOM headers and “burned-in” pixels before teaching, research, or sharing outside treatment, payment, or operations.
  • Do not export images to unsecured personal devices or messaging apps; use approved, encrypted workflows.
  • Apply De-identification Standards (Safe Harbor or Expert Determination) when feasible for secondary use.

Patient Communications

Any electronic message that reveals a patient’s identity and health context is ePHI. This extends beyond portals to the everyday channels your team uses to coordinate care and answer questions.

What counts as ePHI

  • Secure portal messages, telehealth chat transcripts, and video session metadata saved to the record.
  • Emails, SMS texts, and e-faxes containing appointment details, test results, symptoms, or treatment plans.
  • Online forms, intake questionnaires, scheduling requests, and voicemail recordings stored digitally.

Practical safeguards

  • Prefer secure portals over email/SMS; if emailing, use encryption and verify addresses.
  • Standardize message templates to limit unnecessary details and follow minimum-necessary principles.
  • Capture communications to the chart and audit access consistent with HIPAA Security Rule requirements.

E-Prescriptions and Referrals

Electronic prescribing and referral workflows produce rich ePHI because they link identity to medications, allergies, indications, and clinical reasoning, then route this data across networks and organizations.

Common examples

  • E-prescriptions with patient identifiers, drug name/strength, SIG, refills, prescriber NPI, and pharmacy selection.
  • Medication history queries, allergy checks, prior authorization forms, and electronic refill requests.
  • Referral orders, consult notes, attachments (labs, images), and scheduling messages sent to other providers.

Compliance pointers

  • Treat e-prescribing networks, referral platforms, and prior-authorization vendors as business associates and document Business Associate Obligations.
  • Use authenticated, encrypted channels; maintain traceable audit logs for orders, changes, and fills.
  • Share only the minimum information necessary for the receiving party to perform treatment or operations.

Billing and Claims Information

Payment data is still ePHI because it connects identity to diagnoses, procedures, and services. Files and messages that move through practice management systems, clearinghouses, and payers must be protected just like clinical content.

Common examples

  • Claims (e.g., 837 files), remittance advice (835), superbills, coding worklists, and eligibility responses.
  • Patient statements, payment plans, and dunning notices that reference dates of service or visit details.
  • Attachments supporting claims: op notes, lab reports, and medical-necessity letters.

Compliance pointers

  • Ensure vendors handling revenue cycle functions meet HIPAA Security Rule controls and, where applicable, sign Business Associate Agreements.
  • Encrypt databases, backups, and SFTP transfers; limit staff access to billing details by role.
  • Retain and dispose of records according to policy; sanitize storage media before reuse.

Device and Network Identifiers

Certain identifiers are PHI when they can identify an individual in connection with health information. In electronic contexts, these data elements often appear in logs, apps, and device ecosystems and therefore become ePHI.

Common examples

  • Device identifiers and serial numbers tied to a patient (e.g., implant serials recorded in the chart).
  • IP addresses, web URLs, and unique account IDs captured during portal use or telehealth sessions.
  • Biometric identifiers (fingerprints, voiceprints) used for patient authentication or monitoring.

Practical tips

  • Minimize and tokenize logs; avoid collecting identifiers you do not need for treatment, payment, or operations.
  • Apply De-identification Standards before analytics or research when direct identifiers are unnecessary.
  • Segment systems so patient-facing services are isolated and monitored with alerts on abnormal access.
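One way to act on the DICOM-header and log-tokenization pointers above (from the Digital Imaging and Device and Network Identifiers sections), as an added example that is not from the original article or from Accountable: the field names, key, header and log line are constructed, and treating the keyed HMAC token as an acceptable pseudonym for internal linkage is an assumption about your own de-identification policy.

```python
import hashlib
import hmac
import re

# Constructed for this example: which field falls under which Safe Harbor rule.
DROP = {"PatientName", "AccessionNumber", "DeviceSerialNumber", "SessionURL"}
TOKENIZE = {"PatientID", "AccountID", "ClientIP"}   # keep linkage, drop identity
YEAR_ONLY = {"PatientBirthDate", "StudyDate"}       # dates reduced to the year
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def tokenize(value: str, key: bytes) -> str:
    """Keyed one-way pseudonym: equal inputs give equal tokens, the token is
    not reversible, and the key is stored outside the de-identified dataset."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return "tok_" + digest[:16]

def deidentify_header(header: dict, key: bytes) -> dict:
    """Apply Safe Harbor-style handling to a DICOM-like header (dict of tag
    keyword -> value). Burned-in pixel text needs separate image processing."""
    out = {}
    for field, value in header.items():
        if field in DROP:
            continue                              # direct identifier: removed
        if field in TOKENIZE:
            out[field] = tokenize(value, key)
        elif field in YEAR_ONLY:
            out[field] = value[:4]                # DICOM dates are YYYYMMDD
        elif field == "PatientAge":
            out[field] = "90+" if int(value) > 89 else value  # ages over 89 aggregated
        else:
            out[field] = value                    # clinical content stays
    return out

def scrub_log_line(line: str, key: bytes) -> str:
    """Replace IPv4 addresses in a portal/telehealth access log with tokens."""
    return IPV4.sub(lambda m: tokenize(m.group(0), key), line)

# Constructed sample input; not real patient data.
KEY = b"example-only-secret-key"
HEADER = {
    "PatientName": "DOE^JANE", "PatientID": "MRN00912", "PatientAge": "91",
    "PatientBirthDate": "19800415", "StudyDate": "20250827", "Modality": "CT",
    "AccessionNumber": "ACC-2025-77", "DeviceSerialNumber": "SN-88812",
}
LOG = "2025-08-27T10:15:02Z portal login ip=203.0.113.45 status=ok"

if __name__ == "__main__":
    print(deidentify_header(HEADER, KEY))
    print(scrub_log_line(LOG, KEY))
```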

Wearable and Home-Monitoring Data

Data from wearables and remote devices is ePHI when a covered entity or business associate collects, manages, or uses it for care, payment, or operations. The same metrics may not be PHI when held only by a direct-to-consumer app outside the clinical workflow.

Typical sources

  • Remote patient monitoring feeds: blood pressure, glucose, weight, pulse oximetry, spirometry, and cardiac event data.
  • Smartwatch metrics: heart rate, ECG, rhythm notifications, sleep stages, activity, and fall detection events shared with your practice.
  • Home sensors and peripherals: digital thermometers, scales, pill dispensers, and emergency alert systems linked to a patient plan.

Compliance pointers

  • Execute Business Associate Agreements with RPM platforms and integrate data through secure, authenticated APIs.
  • Harden endpoints, encrypt data in transit and at rest, and verify patient identity during onboarding.
  • Use the minimum data needed, document consent where required, and apply HIPAA Security Rule controls end to end.

Conclusion

In practice, ePHI includes any identifiable health information you hold electronically—across EHRs, images, messages, orders, referrals, claims, identifiers, and device streams. Anchor decisions in the HIPAA Privacy Rule, implement the HIPAA Security Rule’s safeguards, enforce Business Associate Obligations, and apply De-identification Standards whenever full identity is unnecessary.

FAQs

What types of data are classified as ePHI?

ePHI covers any electronic information that identifies a patient and relates to health status, care, or payment. That includes EHR content and metadata, digital images, portal messages, emails and e-faxes, telehealth transcripts, e-prescriptions and referrals, billing and claims files, device and network identifiers when linked to a person, and wearable or home-monitoring data managed by your organization. Properly de-identified data under De-identification Standards is not ePHI.

How does HIPAA define electronic protected health information?

The HIPAA Privacy Rule considers ePHI to be individually identifiable health information created, received, transmitted, or maintained in electronic media by a covered entity or business associate, excluding certain education and employment records. The HIPAA Security Rule then requires administrative, physical, and technical safeguards to protect its confidentiality, integrity, and availability.

Are wearable device data considered ePHI?

Yes, when a covered entity or business associate collects or uses the data for treatment, payment, or operations—such as remote patient monitoring feeds written into Electronic Health Record Systems. If data stays solely in a consumer app without involvement from a covered entity or its business associate, it generally is not PHI under HIPAA until it is shared into your clinical ecosystem.

How should healthcare providers secure ePHI?

Conduct a risk analysis, adopt policies for minimum-necessary use, and enforce role-based access with multi-factor authentication. Encrypt ePHI in transit and at rest, maintain audit logs and integrity controls, patch systems, back up and test recovery, and run incident response plans. Train your workforce, vet vendors, and document Business Associate Obligations to meet HIPAA Security Rule requirements.
