HIPAA Electronic Protected Health Information (ePHI): What It Is, Examples, and How to Stay Compliant

Definition of Electronic Protected Health Information

What makes information ePHI?

Electronic protected health information (ePHI) is any individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits in electronic form. It relates to an individual’s past, present, or future physical or mental health, the provision of care, or payment for care, and it can identify the person directly or indirectly.

“Electronic” includes data stored or moved through computers, mobile devices, servers, removable media, cloud services, and networks. Whether ePHI is at rest or in transit, it remains protected under the HIPAA Privacy Rule and the HIPAA Security Rule.

What is not ePHI?

De-identification removes specific identifiers to a level where information can no longer reasonably identify an individual. Fully de-identified data is not PHI and falls outside HIPAA. In contrast, a limited data set (with fewer identifiers) is still PHI and requires a data use agreement. Personal health data in a consumer app that is not acting on behalf of a covered entity may not be PHI, but it becomes ePHI when a covered entity or business associate handles it.

Examples of ePHI

Common categories

• Electronic health record entries: problem lists, diagnoses, medications, allergies, progress notes, and care plans.
• Laboratory and imaging data: test orders, results, clinical images, and associated metadata.
• Billing and claims information: eligibility checks, remittance advice, and electronic data interchange transactions.
• Patient communications: patient portal messages, secure emails, telehealth chat transcripts, and recorded care instructions.
• Scheduling and operational data: appointment reminders, referrals, prior authorizations, and discharge summaries.
• Remote monitoring data: device telemetry, wearables data received by a provider, and home health readings.

Identifiers that make data identifiable

• Direct identifiers: name, Social Security number, driver’s license, full-face photos, phone numbers, email addresses, and medical record numbers.
• Indirect identifiers: dates related to the individual (e.g., admission or discharge dates), geographic subdivisions smaller than a state, IP addresses, and device identifiers when linked to health data.

HIPAA Privacy Rule Overview

Core principles

• Permitted uses and disclosures: treatment, payment, and healthcare operations generally do not require patient authorization.
• Minimum necessary: access, use, and disclosure must be limited to the least amount needed to achieve the purpose.
• Patient rights: access, copies in requested format when feasible, amendments, and accounting of certain disclosures.
• Notice of Privacy Practices: clearly explain how PHI is used and shared and the individual’s rights.
• Authorizations: required for most uses outside permitted purposes, such as certain marketing or research activities.
• De-identification: safe harbor removal of specific identifiers or expert determination reduces privacy risk and compliance burden.

The Privacy Rule sets the boundaries for when ePHI may be used or disclosed. It works alongside the Breach Notification Rule, which triggers duties to notify after impermissible uses or disclosures, and the Security Rule, which requires safeguards for electronic data.

HIPAA Security Rule Requirements

The HIPAA Security Rule is risk-based and flexible. It requires covered entities and business associates to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI.

Administrative safeguards

• Risk analysis and risk management: identify threats and vulnerabilities, evaluate likelihood and impact, and implement controls to reduce risk to a reasonable and appropriate level.
• Policies, procedures, and workforce training: define acceptable use, access control, device use, remote work, and sanction policies; train staff routinely.
• Vendor oversight: execute business associate agreements and verify that vendors implement appropriate protections.
• Contingency planning: data backup, disaster recovery, and emergency operations plans with periodic testing.

Physical safeguards

• Facility access controls: restrict physical access to servers, networking gear, and storage media.
• Workstation and device security: screen privacy, automatic logoff, cable locks, and secure storage.
• Device and media controls: inventory, encryption, re-use procedures, and secure disposal or sanitization.

Technical safeguards

• Access control: unique user IDs, role-based access, least privilege, and—where appropriate—multi-factor authentication.
• Audit controls: detailed logging and monitoring of access, changes, and data movement.
• Integrity: mechanisms to protect ePHI from improper alteration or destruction, including hashing and checksums.
• Person or entity authentication: verify users and systems before granting access.
• Transmission security: protect ePHI in transit with encryption (e.g., TLS, VPN) and integrity checks.

Some specifications are “addressable,” not optional. You must implement them if reasonable and appropriate or document an equivalent measure that meets the same risk-reduction goals.

Compliance Measures for ePHI

Build a defensible program

• Perform and document a comprehensive risk analysis at least annually and after major changes; prioritize remediation.
• Establish administrative safeguards with practical policies, procedures, and ongoing workforce training.
• Implement technical safeguards such as encryption at rest and in transit, robust identity and access management, and continuous logging.
• Harden endpoints and servers: patch routinely, use mobile device management, and enable automatic screen locks.
• Data minimization and de-identification: collect only what you need, use de-identification when feasible, and apply the minimum necessary standard.
• Vendor risk management: maintain an inventory of business associates, execute BAAs, and assess their controls regularly.
• Contingency planning: maintain versioned, tested backups; define recovery time and recovery point objectives; and exercise disaster recovery procedures.
• Incident response and breach notification: define roles, triage steps, forensic procedures, and communication workflows.

Breach notification essentials

After an impermissible use or disclosure of unsecured ePHI, evaluate the likelihood of compromise using a documented risk assessment. If a breach occurred, notify affected individuals without unreasonable delay and no later than 60 days after discovery. For incidents affecting 500 or more residents of a state or jurisdiction, also notify prominent media and report to the regulator contemporaneously. For fewer than 500 individuals, keep a breach log and submit annually. State laws may impose additional or faster timelines.

Storage Media for ePHI

Where ePHI commonly resides

• Servers and databases: on-premises or hosted environments running EHRs, portals, and analytics platforms.
• Cloud services: IaaS, PaaS, and SaaS platforms that store ePHI under a business associate agreement.
• Endpoints and mobile: laptops, tablets, and smartphones used for clinical care and operations.
• Removable media: encrypted USB drives, external disks, and legacy optical media used for transfer or backup.
• Backups and archives: online snapshots, offsite copies, cold storage, and immutable backup sets.
• Medical and IoT devices: imaging modalities, bedside monitors, infusion pumps, and remote patient monitoring hubs.
• Messaging repositories: secure messaging servers, voicemail systems, and transcription files.

Controls to apply

• Full-disk encryption with sound key management, plus encryption for databases and object storage.
• Granular role-based access, least privilege, and timely offboarding for workforce and vendors.
• Device and media controls for tracking, re-use, repair, and disposal with verifiable sanitization.
• Environmental protections: locked server rooms, camera coverage, and tamper-evident measures.

Transmission Methods for ePHI

Common channels

• Secure web and email: HTTPS/TLS for portals and APIs; S/MIME or PGP for message-level email encryption.
• Virtual private networks: IPSec or TLS VPN for remote access and site-to-site connections.
• File transfer: SFTP, FTPS, or managed file transfer platforms with integrity verification.
• Healthcare messaging: Direct secure messaging, HL7, and FHIR APIs with OAuth 2.0 and token-based access.
• Telehealth and voice: video visits and VoIP protected with strong encryption and access controls.
• Electronic fax: cloud fax and fax-over-IP services that store or relay content electronically.

Secure transmission practices

• Encrypt all ePHI in transit, enforce modern ciphers, and disable deprecated protocols.
• Use mutual authentication, digital signatures, and message integrity checks for high-risk exchanges.
• Apply data loss prevention and outbound filtering to detect and block unauthorized disclosures.
• Document transmission security in policies; review logs and alerts to validate ongoing effectiveness.

Strong administrative safeguards, layered technical safeguards, and disciplined operational practices work together to keep ePHI confidential, intact, and available while meeting HIPAA Privacy Rule and HIPAA Security Rule obligations.

FAQs.

What constitutes electronic protected health information?

ePHI is any individually identifiable health information created, received, maintained, or transmitted electronically by a covered entity or business associate. It includes data about health status, care provided, or payment for care that can identify the individual directly or indirectly.

How does the HIPAA Security Rule protect ePHI?

It requires a risk analysis and implementation of administrative safeguards, physical safeguards, and technical safeguards. Controls include role-based access, encryption, audit logging, integrity protections, contingency planning, workforce training, and vendor management, all tailored to reduce risk to a reasonable and appropriate level.

What are best practices for ePHI compliance?

Conduct regular risk analysis; use encryption in transit and at rest; enforce least privilege and multi-factor authentication; maintain tested backups; monitor and log access; de-identify data where possible; train your workforce; manage business associates through BAAs and assessments; and keep policies current and enforced.

When must a breach of ePHI be reported?

Notify affected individuals without unreasonable delay and no later than 60 days after discovering a breach of unsecured ePHI. For incidents involving 500 or more individuals in a state or jurisdiction, also notify prominent media and report promptly to the regulator; for fewer than 500, log and report annually. Check applicable state laws for additional requirements.