HIPAA Guide: Determining What Is and Isn’t Electronic PHI
Defining Electronic PHI
Protected Health Information (PHI) is any individually identifiable health information related to a person’s health, care, or payment that is created or received by covered entities or their business associates. It includes names, contact details, medical record numbers, biometrics, and any data that could reasonably identify someone.
Electronic PHI (ePHI) is PHI that you create, receive, maintain, or transmit in electronic form. “Electronic” covers data at rest (on servers, laptops, mobile devices, removable media, or cloud platforms) and data in transit (over networks, email, APIs, or secure messaging), regardless of the technology vendor or location.
De-identified information—data stripped of identifiers so individuals cannot be reasonably re-identified—is not PHI. Everything else that is identifiable and electronic is ePHI and must be protected under the HIPAA Security Rule to uphold health information privacy.
Examples of Electronic PHI
- EHR/EMR entries, progress notes, problem lists, and medication histories stored in clinical systems.
- Digital images and diagnostics such as DICOM radiology files, pathology slides, and cardiology waveforms.
- Patient portal messages, telehealth chat logs, and recorded virtual visits saved to a platform.
- e-Prescriptions, e-referrals, lab orders/results, and immunization records exchanged electronically.
- Billing and claims files, eligibility inquiries, remittance advice, and payment posting data.
- Emails, texts, or secure messages that include identifiers plus health or payment details.
- Spreadsheets, PDFs, or reports with patient lists exported from clinical or revenue systems.
- eFaxed documents received as PDFs or stored in a fax portal, and scanned paper records saved to drives.
- Medical device telemetry, remote patient monitoring feeds, and wearable data integrated into the record.
- Cloud backups, disaster recovery images, audit logs, and metadata that contain patient identifiers.
Non-Electronic PHI Exclusions
Not all health information qualifies as electronic PHI. Use these boundaries to avoid over- or under-scoping your safeguards.
- Paper and oral PHI: Handwritten charts, printed reports, and spoken communications are not ePHI (though they are still PHI and must meet Privacy Rule standards).
- Traditional fax phone-line transmissions: Analog faxing is not ePHI; however, eFax services that convert to PDFs or email create ePHI.
- De-identified information: Data meeting HIPAA de-identification standards falls outside PHI.
- Employment records held by a covered entity in its role as employer (e.g., HR files) are not PHI.
- Education records protected by FERPA are not PHI.
- Consumer health data collected by apps or wearables when no covered entity or business associate is involved is not PHI, though other privacy laws may apply.
- Information about individuals who have been deceased for more than 50 years is no longer PHI.
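The scoping boundaries above, applied in code as an added example (not part of the original article): a small Python classifier that takes a record's attributes and returns whether it is ePHI, non-electronic PHI, or outside PHI, together with the rule that decided. The record fields, the medium names, and the fail-safe treatment of unknown media as electronic are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Media the article lists as non-electronic; anything else is treated as electronic,
# so an unknown medium errs toward protecting the data rather than under-scoping.
NON_ELECTRONIC_MEDIA = {"paper", "oral", "analog_fax"}

@dataclass
class HealthRecord:
    """Constructed record model for scoping (field names are this example's own)."""
    identifiable: bool                  # names, MRNs, contact details, biometrics, etc.
    about_health_or_payment: bool       # health, care, or payment information
    medium: str                         # e.g. "ehr", "email", "efax_pdf", "paper", "analog_fax"
    held_by_covered_entity_or_ba: bool  # created/received by a covered entity or BA
    de_identified: bool = False         # meets the HIPAA de-identification standard
    employer_hr_record: bool = False    # held in the entity's role as employer
    ferpa_education_record: bool = False
    years_since_death: Optional[int] = None

def classify(rec: HealthRecord) -> Tuple[str, str]:
    """Return (classification, reason): "ePHI", "PHI (non-electronic)" or "not PHI"."""
    if not rec.held_by_covered_entity_or_ba:
        return "not PHI", "no covered entity or business associate involved"
    if rec.employer_hr_record:
        return "not PHI", "employment record held in the role of employer"
    if rec.ferpa_education_record:
        return "not PHI", "education record protected by FERPA"
    if rec.de_identified or not rec.identifiable:
        return "not PHI", "not individually identifiable"
    if not rec.about_health_or_payment:
        return "not PHI", "not health, care, or payment information"
    if rec.years_since_death is not None and rec.years_since_death > 50:
        return "not PHI", "individual deceased for more than 50 years"
    if rec.medium in NON_ELECTRONIC_MEDIA:
        return "PHI (non-electronic)", "Privacy Rule applies, Security Rule does not"
    return "ePHI", "identifiable health data held in electronic form"

def security_rule_scope(records) -> int:
    """Count the records the Security Rule safeguards must cover."""
    return sum(1 for r in records if classify(r)[0] == "ePHI")

if __name__ == "__main__":
    # Constructed samples: an eFaxed PDF and the same content received by analog fax.
    efax = HealthRecord(True, True, "efax_pdf", True)
    fax = HealthRecord(True, True, "analog_fax", True)
    for r in (efax, fax):
        print(r.medium, "->", classify(r))
    print("in Security Rule scope:", security_rule_scope([efax, fax]))
```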
HIPAA Security Rule Requirements
The HIPAA Security Rule sets a risk-based framework for protecting ePHI. You must implement reasonable and appropriate administrative, physical, and technical safeguards, documenting decisions and compensating controls where needed.
Administrative safeguards
- Risk analysis and ongoing risk management tied to your systems, data flows, and threats.
- Assigned security responsibility and clear governance with roles, approvals, and accountability.
- Workforce security, access provisioning, security awareness training, and a sanctions process.
- Information access management aligned to the minimum necessary standard and job duties.
- Security incident procedures, including detection, response, and breach handling.
- Contingency planning: data backup, disaster recovery, and emergency-mode operations; regular testing.
- Business Associate Agreements (BAAs) for vendors that create, receive, maintain, or transmit ePHI.
- Written policies, procedures, and documentation maintained and updated over time.
Physical safeguards
- Facility access controls, visitor management, and environmental protections for data centers and clinics.
- Workstation use and security, including screen privacy and auto-lock standards.
- Device and media controls for secure disposal, reuse, accountability, and backup of ePHI.
Technical safeguards
- Access controls: unique user IDs, strong authentication (ideally MFA), automatic logoff, and emergency access.
- Audit controls: system and application logging, centralized monitoring, and tamper detection.
- Integrity protections to prevent improper alteration or destruction of ePHI.
- Person or entity authentication to verify users and systems before granting access.
- Transmission security: encryption and integrity controls for network traffic and file exchanges.
Some implementation specifications are “required,” while others are “addressable.” Addressable does not mean optional—it means you must implement the control or document an equivalent, reasonable alternative.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Safeguarding Electronic PHI
Translate the Security Rule into day-to-day electronic data safeguards that fit your size, systems, and risk profile.
- Identity and access: enforce least privilege, role-based access, MFA, and periodic access reviews.
- Encryption: protect ePHI in transit with modern data transmission protocols (e.g., TLS for HTTPS, SFTP, secure messaging) and at rest with strong cryptography; manage keys securely.
- Endpoint and mobile security: MDM for smartphones and tablets, disk encryption, EDR/antimalware, patching, and controls for removable media.
- Network protections: segmentation, firewalls, VPN for remote access, zero-trust principles, and email security gateways.
- Data handling: apply the minimum necessary standard, label sensitive repositories, and prevent copy/paste or bulk exports where not needed.
- Logging and monitoring: centralize logs, retain them appropriately, and alert on anomalous access to ePHI.
- Cloud and vendors: perform due diligence, obtain BAAs, configure services securely, and continuously assess posture.
- Resilience: maintain tested backups (including offline or immutable options) and documented recovery time objectives.
- Secure disposal: sanitize or destroy media before reuse or retirement to prevent data leakage.
- Workforce readiness: conduct role-based training, phishing simulations, and tabletop exercises for incident response.
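As an added example of the logging-and-monitoring and minimum-necessary items above (not code from the original article): detection logic run over a few constructed audit-log lines, flagging actions outside a role's allowed set and bursts of access to many distinct patients in a short window. The log line format, the role policy, the thresholds, and the sample lines are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log line format for this example, not any real EHR's format.
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
                     r"action=(?P<action>\S+) patient=(?P<patient>\S+)$")
# Assumed minimum-necessary policy; a role missing here may do nothing (fails closed).
ALLOWED_ACTIONS = {"clinician": {"view_chart", "update_chart"}, "billing": {"view_claim"}}
DISTINCT_PATIENT_LIMIT = 3   # distinct patients per user within WINDOW before alerting
WINDOW = timedelta(minutes=10)

SAMPLE_LOG = """\
2024-05-01T08:00:01Z user=dr.lee role=clinician action=view_chart patient=MRN-0001
2024-05-01T08:03:00Z user=tpark role=billing action=view_claim patient=MRN-0002
2024-05-01T08:03:30Z user=tpark role=billing action=view_chart patient=MRN-0002
2024-05-01T09:00:00Z user=rgomez role=billing action=view_claim patient=MRN-0003
2024-05-01T09:00:05Z user=rgomez role=billing action=view_claim patient=MRN-0004
2024-05-01T09:00:09Z user=rgomez role=billing action=view_claim patient=MRN-0005
2024-05-01T09:00:14Z user=rgomez role=billing action=view_claim patient=MRN-0006
not a well-formed audit line
"""

def parse(line):
    # Returns a dict for a well-formed line, or None so the caller can skip it.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def detect(lines):
    """Return alerts for role/action violations and bursts of distinct-patient access."""
    alerts, per_user = [], defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue   # skipped here; in production, count malformed lines as a signal too
        if ev["action"] not in ALLOWED_ACTIONS.get(ev["role"], set()):
            alerts.append(("role_action_violation", ev["user"], ev["action"]))
        per_user[ev["user"]].append((ev["ts"], ev["patient"]))
    for user, events in per_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            patients = {p for t, p in events[i:] if t - start <= WINDOW}
            if len(patients) > DISTINCT_PATIENT_LIMIT:
                alerts.append(("bulk_patient_access", user, len(patients)))
                break   # one alert per user is enough for triage
    return alerts
```

Running `detect(SAMPLE_LOG.splitlines())` flags the billing user who opened a chart and the user who touched four patients in fourteen seconds; tune the window and limit to each role's normal workload before alerting on real data.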
Compliance Best Practices
- Map where ePHI lives and flows—systems, people, vendors, and locations—so controls cover the full lifecycle.
- Run a formal risk analysis at least annually and whenever you introduce significant technology or process changes.
- Adopt clear, practical policies and procedures that your workforce can follow and that match your operations.
- Build a vendor risk management program with BAAs, security reviews, and well-defined responsibilities.
- Measure and monitor: define metrics for access reviews, patch cadence, backup success, and incident handling.
- Practice the plan: test incident response and disaster recovery, then close gaps discovered during exercises.
- Design for privacy: embed health information privacy and security into procurement, development, and change management.
Conclusion
Electronic PHI is any identifiable health information in digital form—at rest or in motion—handled by covered entities or their business associates. Exclusions such as paper/oral data and de-identified information help define the scope. By applying the HIPAA Security Rule and disciplined safeguards, you can reduce risk, demonstrate compliance, and protect patient trust.
FAQs
What qualifies as electronic PHI under HIPAA?
Electronic PHI is any protected health information that you create, receive, maintain, or transmit in electronic form. It includes records in EHR systems, emails containing PHI, digital images, billing files, cloud backups, audit logs with identifiers, and data exchanges over networks—essentially, identifiable health information stored or sent using electronic media.
What types of information are excluded from electronic PHI?
Excluded from ePHI are paper and oral PHI (still protected by the Privacy Rule but not “electronic”), traditional analog fax transmissions, de-identified information, employment records held by an entity in its role as employer, FERPA education records, consumer health data outside HIPAA’s covered-entity/business-associate context, and decedent data older than 50 years.
How does HIPAA regulate the transmission of electronic PHI?
HIPAA’s Security Rule requires transmission security and integrity protections so ePHI isn’t intercepted, altered, or disclosed in transit. In practice, you should use secure data transmission protocols (e.g., TLS-secured HTTPS, SFTP, or encrypted messaging), verify recipient identity, minimize exposure of identifiers, and document decisions where alternative, reasonable controls are used.