HIPAA ePHI Identification Checklist: In-Scope Data vs. Exclusions



Kevin Henry

HIPAA

April 22, 2024

7 minutes read

This checklist helps you quickly determine whether a data element is electronic protected health information (ePHI), what belongs in scope, and what falls outside HIPAA. It also clarifies how the Designated Record Set, De-identification Standards, and special carve-outs—like the Psychotherapy Notes Exclusion and FERPA—affect your decisions and your Covered Entity Obligations and Business Associate Roles.

Definition of Electronic Protected Health Information

Electronic protected health information (ePHI) is individually identifiable health information that is created, received, maintained, or transmitted in electronic media by a covered entity or its business associate. It relates to an individual’s past, present, or future health condition, the provision of care, or payment for care, and it identifies the person or provides a reasonable basis to identify them.

Electronic media includes systems such as EHRs, patient portals, email, cloud storage, backups, mobile devices, and connected medical equipment. Under the HIPAA Privacy and Security Rules, Covered Entity Obligations include limiting uses/disclosures and implementing administrative, physical, and technical safeguards. Business Associate Roles apply when a vendor creates, receives, maintains, or transmits ePHI on behalf of a covered entity (requiring a business associate agreement).

Identification of In-Scope Data

Data are in scope as ePHI when all of the following are true: they identify (or could identify) an individual, they relate to health, care, or payment, and they are maintained or transmitted electronically by a covered entity or business associate. The Designated Record Set (DRS)—records a covered entity uses to make decisions about individuals—is a practical anchor for what must be accessible and carefully protected.

  • Clinical content: diagnoses, medications, allergies, labs, imaging tied to identifiers, care plans, progress notes.
  • Administrative/payment data: claims, billing, authorizations, eligibility, and enrollment used for decisions about the individual.
  • Patient communications: portal messages, secure emails, telehealth recordings, discharge instructions, and scheduling details when linked to the individual.
  • Device and source systems: remote patient monitoring feeds, medical device outputs, wearables data ingested by your systems for care decisions.
  • Operational artifacts: audit logs, metadata, screenshots, exports, test copies, and backups when they contain identifiers.
  • Derived data: risk scores or flags used to guide treatment, case management, or coverage determinations.

Quick test for scope: If a field helps identify a person (directly or indirectly), is tied to health/care/payment, and lives in your electronic environment, treat it as ePHI unless it has been properly de-identified.

Recognizing Exclusions from ePHI

Not all health-related data are ePHI. Exclusions generally include:

  • Data that meet HIPAA De-identification Standards (see below).
  • Aggregated statistics that cannot reasonably identify an individual.
  • Employment records a covered entity maintains in its role as employer (addressed further below).
  • Education and certain student treatment records governed by the Family Educational Rights and Privacy Act (FERPA) (addressed further below).
  • Consumer app or wearable data not created, received, maintained, or transmitted by/for a covered entity or business associate.
  • Information about a decedent more than 50 years after death.

Important edge case: The Psychotherapy Notes Exclusion grants heightened protection and excludes psychotherapy notes from the HIPAA right of access and generally from the Designated Record Set. However, psychotherapy notes remain PHI—and ePHI when electronic—so they are not an “exclusion” from HIPAA; they are a special category requiring stricter handling.

Understanding the 18 HIPAA Identifiers

Under the Safe Harbor method, all of the following identifiers must be removed to consider data de-identified. Their presence typically makes data identifiable and therefore ePHI when held electronically by a covered entity or business associate:


  1. Names.
  2. Geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code, and similar geocodes), with limited three-digit ZIP exceptions.
  3. All elements of dates (except year) directly related to an individual, and ages over 89 (aggregate as 90+).
  4. Telephone numbers.
  5. Fax numbers.
  6. Email addresses.
  7. Social Security numbers.
  8. Medical record numbers.
  9. Health plan beneficiary numbers.
  10. Account numbers.
  11. Certificate/license numbers.
  12. Vehicle identifiers and serial numbers, including license plates.
  13. Device identifiers and serial numbers.
  14. Web URLs.
  15. IP address numbers.
  16. Biometric identifiers, including finger and voice prints.
  17. Full-face photographs and comparable images.
  18. Any other unique identifying number, characteristic, or code (except permitted re-identification codes).

Criteria for De-identified Data

HIPAA recognizes two De-identification Standards. Data meeting either is not PHI and, if electronic, not ePHI:

  • Safe Harbor: Remove all 18 identifiers for the individual and their relatives, employers, or household members, and have no actual knowledge that remaining information could identify the person.
  • Expert Determination: A qualified expert applies accepted statistical/scientific methods to determine re-identification risk is very small and documents the methodology and results.

Notes:

  • A Limited Data Set (LDS) is not de-identified; it still contains some identifiers and remains PHI, permitted only for specific purposes under a data use agreement.
  • Re-identification codes are allowed if they do not directly translate back to the individual and are kept separate with appropriate safeguards.
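As an added example (not code from the article or from Accountable), the following Python routine applies the Safe Harbor rules listed above to a single record: direct identifiers and sub-state geography are dropped, ZIP codes are cut to their three-digit prefix (with the restricted prefixes collapsed to 000), dates are reduced to the year, and ages over 89 are aggregated into 90+. The field names, the sample record and the restricted ZIP prefix set are assumptions for illustration; the "no actual knowledge" condition remains a human judgement.

```python
import re

# Fields holding Safe Harbor identifiers 1 and 4-17, plus sub-state geography
# (identifier 2): the whole value is dropped. Field names are assumed.
DROP_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id", "account",
    "license", "vehicle_id", "device_serial", "url", "ip", "biometric", "photo",
    "street", "city", "county",
}
# Three-digit ZIP prefixes covering 20,000 people or fewer must become 000.
# Illustrative subset only; the authoritative list comes from current Census data.
RESTRICTED_ZIP3 = {"036", "059", "102", "203", "205"}
DATE_RE = re.compile(r"^(\d{4})-\d{2}-\d{2}$")  # ISO dates such as 2023-07-14

def generalize_zip(zip_code):
    """Identifier 2: keep the first three digits, or 000 for restricted prefixes."""
    zip3 = zip_code.strip()[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3

def generalize_date(value):
    """Identifier 3: reduce a date tied to the individual to its year."""
    m = DATE_RE.match(value)
    if not m:
        raise ValueError(f"unrecognised date format: {value!r}")
    return m.group(1)

def safe_harbor(record):
    """Copy of record with the identifiers removed or generalized. Free text, identifier 18
    and the 'no actual knowledge' condition still need human review, not code."""
    out = {}
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue
        if field == "zip":
            out[field] = generalize_zip(value)
        elif field.endswith("_date"):
            out[field] = generalize_date(value)
        elif field == "age":
            out[field] = "90+" if value > 89 else value  # identifier 3: aggregate 90+
        else:
            out[field] = value  # clinical values, state, etc. stay as they are
    if out.get("age") == "90+":
        out.pop("birth_date", None)  # a birth year alone would reveal an age over 89
    return out

# Constructed sample record (not real data).
SAMPLE = {"name": "Jane Example", "mrn": "MRN-000123", "email": "jane@example.org",
          "street": "1 Main St", "city": "Anytown", "state": "NY", "zip": "10001",
          "birth_date": "1931-07-14", "admit_date": "2023-03-02", "age": 91, "diagnosis": "I10"}
```

Running `safe_harbor(SAMPLE)` leaves only state, ZIP prefix, admission year, the 90+ age category and the diagnosis code; a reviewer still has to confirm that the remaining fields cannot identify the person.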

Employment and Educational Record Exemptions

Employment records: HIPAA excludes records that a covered entity holds in its role as employer—such as HR files, FMLA certifications kept by HR, occupational health records not used for treatment—so these are not PHI/ePHI. If the same information resides in the provider’s clinical system and is used for care, that copy is PHI.

Educational records and student treatment records: Education records and certain treatment records maintained by schools and postsecondary institutions are governed by the Family Educational Rights and Privacy Act, not HIPAA. Health center records maintained for a student’s treatment under FERPA are not PHI/ePHI under HIPAA; once shared outside permissible FERPA channels, they may become education records subject to FERPA’s rules.

Health Data from Fitness Devices

Data from consumer wearables and wellness apps are typically outside HIPAA. They become ePHI only when a covered entity or business associate creates, receives, maintains, or transmits them for healthcare operations, treatment, or payment—such as remote patient monitoring programs integrated into your EHR under a business associate agreement.

Examples in scope: home blood pressure cuff readings routed to your clinic for care decisions; cardiac telemetry supplied by a vendor acting as your business associate. Examples out of scope: steps, sleep, or nutrition logs stored solely in a consumer app with no covered entity involvement.

Because sensors often capture biometrics, apply Biometric Identifier Protection when such data enter your controlled systems. If your program ingests consumer device feeds, treat them as ePHI and include them in your Designated Record Set when they inform decisions about the individual.

FAQs

What types of data are excluded from ePHI?

Data that meet HIPAA De-identification Standards, aggregated statistics that cannot reasonably identify a person, employment records held by a covered entity in its role as employer, FERPA-governed education and certain student treatment records, consumer app data not handled by/for a covered entity or business associate, and information about a decedent after 50 years are outside ePHI. Psychotherapy notes are not excluded from HIPAA but have special protections and are generally outside the Designated Record Set.

How does HIPAA define a Designated Record Set?

A Designated Record Set is the group of records a covered entity maintains or uses to make decisions about individuals (for example, medical and billing records for providers; enrollment, claims, and case management records for health plans). The DRS guides access rights and is a practical lens for what you must produce, safeguard, and manage under HIPAA.

Are fitness app data protected under HIPAA?

Usually no. Consumer fitness or wellness data are not ePHI unless a covered entity or business associate creates, receives, maintains, or transmits them for care, operations, or payment. If your organization ingests wearable or app data for clinical use—such as remote monitoring—they become ePHI and must be protected accordingly.

What are the 18 HIPAA identifiers?

They are: names; sub-state geographies; all elements of dates (except year) and ages over 89; phone numbers; fax numbers; email addresses; SSNs; medical record numbers; health plan beneficiary numbers; account numbers; certificate/license numbers; vehicle identifiers; device identifiers; URLs; IP addresses; biometric identifiers; full-face photos and comparable images; and any other unique identifying number, characteristic, or code (with limited allowances for re-identification codes).
