Not ePHI: Clear Examples of Data That Aren’t Electronic PHI
Understanding what is not ePHI helps you reduce compliance risk and share data responsibly. ePHI covers identifiable health information in electronic form that a covered entity or its business associate creates, receives, maintains, or transmits. The categories below commonly fall outside that scope when handled correctly.
De-identified Health Information
What qualifies as de-identified
Data is not ePHI once it has been de-identified so that no individual can reasonably be identified. Under HIPAA (45 CFR 164.514), this happens in one of two ways: the Safe Harbor method, which removes the 18 listed identifiers and requires that the covered entity has no actual knowledge the remaining data could identify someone, or an expert determination that the risk of re-identification is very small. Either path breaks the link to a person.
Practical examples
- A research file that replaces names, exact dates, phone numbers, and addresses with random IDs and broad age bands.
- Public dashboards showing rates by state or three-digit ZIP areas (Safe Harbor allows the first three ZIP digits only where that area holds more than 20,000 people; smaller areas are reported as 000) rather than full ZIP codes or streets.
- Clinical notes summarized into themes with all direct and indirect identifiers removed.
Watch-outs
“Limited data sets” used for research, public health, or operations can still include some elements (for example, city, state, ZIP code, and dates) and remain PHI; they may be shared only under a data use agreement. Only truly de-identified data is not ePHI. If you assign a code for later re-identification, it must not be derived from the identifiers it replaces (a hash of the SSN or MRN does not qualify), and the mapping must stay with the covered entity. Avoid free-text fields, which often carry names, phone numbers, or dates that undo the de-identification.
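The following is an added example, not code from the original page or from Accountable. It applies the Safe Harbor rules described above to a constructed patient record: direct identifiers are dropped, the ZIP code is cut to three digits (or 000 for the low-population prefixes listed in HHS guidance from the 2000 census; refresh that set before relying on it), dates are reduced to year, age is banded with ages over 89 collapsed to 90+, a random re-identification token replaces the MRN, and a free-text note is withheld if it still contains identifier-shaped tokens. The field names, the 10-year age bands, and the regexes are assumptions chosen for illustration.

```python
"""Safe Harbor-style de-identification of a single record (added example)."""
import re
import secrets
from datetime import date

# Three-digit ZIP prefixes whose combined population was 20,000 or fewer in the
# 2000 census, per HHS de-identification guidance; reported as "000".
# Assumption: verify against current census data before production use.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}

# Direct identifiers (assumed field names) that are dropped outright.
DIRECT_IDENTIFIERS = {"name", "ssn", "mrn", "phone", "email", "address", "ip", "account"}

# Identifier-shaped patterns for free text (constructed, deliberately not exhaustive).
FREE_TEXT_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),          # SSN-shaped
    re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),  # phone-shaped
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),        # email
    re.compile(r"\b(19|20)\d{2}-\d{2}-\d{2}\b"),   # ISO date
]

AS_OF = date(2024, 3, 14)  # constructed reference date for age computation


def zip3(zip_code):
    """Keep the first three ZIP digits, or '000' if that area is too small."""
    prefix = zip_code.strip()[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def age_band(dob, as_of):
    """10-year age band (an assumption); ages over 89 collapse to '90+' as Safe Harbor requires."""
    years = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    if years > 89:
        return "90+"
    lo = years // 10 * 10
    return f"{lo}-{lo + 9}"


def free_text_ok(text):
    """False when the note still contains an identifier-shaped token."""
    return not any(p.search(text) for p in FREE_TEXT_PATTERNS)


def deidentify(record, as_of, reid_map):
    """Return a Safe Harbor-style copy of `record`.

    `reid_map` (random token -> original MRN) stays with the covered entity and is
    never released with the data; the token is random, not derived from any identifier.
    """
    token = secrets.token_hex(8)
    reid_map[token] = record["mrn"]
    out = {"id": token}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                   # names, SSN, MRN, phone, ... dropped
        if key == "zip":
            out["zip3"] = zip3(value)
        elif key in ("admit_date", "discharge_date"):
            out[key[:-5] + "_year"] = value.year       # all date elements except year removed
        elif key == "dob":
            out["age"] = age_band(value, as_of)
        elif key == "note":
            out["note"] = value if free_text_ok(value) else "[free text withheld]"
        else:
            out[key] = value                           # e.g. diagnosis code, kept as-is
    return out


# Constructed sample records; any resemblance to a real person is coincidental.
SAMPLE_OLD = {
    "mrn": "MRN-0042", "name": "Jane Example", "dob": date(1931, 6, 2), "zip": "03601",
    "admit_date": date(2024, 3, 14), "discharge_date": date(2024, 3, 18),
    "diagnosis": "I10", "note": "Patient called back at 555-123-4567 about results.",
}
SAMPLE_YOUNG = {
    "mrn": "MRN-0043", "name": "John Example", "dob": date(1980, 1, 1), "zip": "90210",
    "admit_date": date(2023, 11, 2), "discharge_date": date(2023, 11, 3),
    "diagnosis": "J06.9", "note": "Follow-up in two weeks.",
}

if __name__ == "__main__":
    key_store = {}
    print(deidentify(SAMPLE_OLD, AS_OF, key_store))
    print(deidentify(SAMPLE_YOUNG, AS_OF, key_store))
```

Note what survives: the diagnosis code and the year of admission are kept, the 92-year-old becomes "90+", the ZIP prefix 036 becomes 000, and the note with a phone number is withheld entirely rather than partially redacted. Expert determination can keep more detail than this, but only with a documented risk analysis.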
Employment Records
Employer-held files are not PHI
Employment health information that an employer keeps in its role as employer is not PHI, even if it contains medical details. This includes HR files such as doctor’s notes, FMLA paperwork, drug testing results, and fitness-for-duty evaluations.
Examples
- An HR folder with accommodation requests and supporting medical letters.
- Return-to-work certifications and workers’ compensation forms maintained by HR.
When it becomes ePHI
If a covered entity treats an employee as a patient, those clinical records are PHI within the provider’s record. The same person can have non-PHI employment records in HR and PHI in the clinic—context and role matter.
Educational Records
FERPA-covered records are not PHI
Student education records subject to FERPA, and the student treatment records FERPA itself carves out at postsecondary institutions, are excluded from the HIPAA definition of PHI (45 CFR 160.103). School health clinic notes, immunization logs, and medication administration records kept by the school for its students fall under FERPA, not HIPAA, and therefore are not ePHI.
Examples
- A school nurse’s log documenting routine care and vaccinations for students.
- College health center notes maintained as part of the institution’s education record.
Personal Health Records
Consumer-controlled PHRs
Personal health records that you maintain directly with a consumer app or service—without the app acting for a covered entity—are not ePHI. These repositories store your information for your own use and generally sit outside HIPAA.
When PHR data becomes ePHI
If a covered entity supplies the PHR or the vendor operates on its behalf, the same information can be PHI. Once your PHR data flows into a provider’s system or health plan portal, that copy is ePHI.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Health Data from Fitness Apps
Typically not ePHI
Steps, heart rate, sleep, and similar data collected by consumer fitness apps and wearable devices are usually not ePHI, because the app developer is neither a covered entity nor a business associate. The data exists for your personal tracking, although other laws (for example, the FTC Health Breach Notification Rule or state privacy laws) may still apply to the vendor.
Exceptions to know
- If a health plan or provider offers the app and uses it for care management, the data may be PHI.
- When you transmit app data to your clinician and it’s stored in the medical record, that received copy becomes ePHI.
Aggregated Health Data
Group-level information
Aggregation that produces statistics across many people, without the ability to single out anyone, yields data that is not ePHI. Aggregates describe groups, not individuals. The risk lies in small cells: a count of one or two, or a percentage over a tiny group, can identify a person when combined with what an outsider already knows.
Examples and safeguards
- A report stating “32% of members met their activity goal this quarter,” with no small-cell details.
- Regional trend charts that suppress or blend small counts to prevent re-identification.
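The following is an added example, not code from the original page or from Accountable. It shows the small-cell suppression the list above describes: records are cross-tabulated by region and outcome, cells below a threshold are blanked, and when only one cell in a row is hidden the next-smallest cell is hidden too, so the row total cannot be used to recover it. The threshold of 11 and the region/outcome field names are assumptions; the records are constructed.

```python
"""Group-level counts with small-cell and complementary suppression (added example)."""
from collections import Counter

MIN_CELL = 11  # assumption: cells with 1..10 people are withheld, a common public-release cutoff


def count_cells(records, group_key, value_key):
    """Cross-tabulate records into {group: Counter({value: count})}."""
    table = {}
    for r in records:
        table.setdefault(r[group_key], Counter())[r[value_key]] += 1
    return table


def suppress_row(row, min_cell=MIN_CELL):
    """Copy one row with small cells replaced by None.

    Primary suppression hides every cell below `min_cell`. If that leaves exactly one
    hidden cell, the published row total would reveal it by subtraction, so the
    smallest remaining visible cell is hidden as well (complementary suppression).
    """
    out = {k: (v if v >= min_cell else None) for k, v in row.items()}
    hidden = [k for k, v in out.items() if v is None]
    if len(hidden) == 1:
        visible = sorted((v, k) for k, v in out.items() if v)
        if visible:
            out[visible[0][1]] = None
    return out


def rate(row, key, min_cell=MIN_CELL):
    """Percentage of a group in `key`, or None when the group is too small to publish."""
    total = sum(row.values())
    if total < min_cell:
        return None
    return round(100 * row.get(key, 0) / total, 1)


def release(records, group_key, value_key, min_cell=MIN_CELL):
    """Build the publishable table: suppressed cells plus row totals.

    Column totals are deliberately not released; with several rows they would let a
    reader subtract across rows and recover suppressed cells.
    """
    result = {}
    for group, row in count_cells(records, group_key, value_key).items():
        result[group] = {"cells": suppress_row(row, min_cell), "total": sum(row.values())}
    return result


def make_records(spec):
    """Expand {(group, value): n} into n individual records (constructed data)."""
    return [{"region": g, "outcome": o} for (g, o), n in spec.items() for _ in range(n)]


# Constructed sample: South and West each contain one small cell.
SAMPLE = make_records({
    ("North", "met_goal"): 40, ("North", "missed"): 25,
    ("South", "met_goal"): 30, ("South", "missed"): 4,
    ("West", "met_goal"): 12, ("West", "missed"): 3, ("West", "unknown"): 20,
})

if __name__ == "__main__":
    for region, row in release(SAMPLE, "region", "outcome").items():
        print(region, row)
    print("North met_goal rate:", rate(count_cells(SAMPLE, "region", "outcome")["North"], "met_goal"))
```

In the sample, North is published unchanged. South's "missed" count of 4 is hidden, and because it is the only hidden cell, "met_goal" (30) is hidden with it; the total of 34 alone no longer identifies the four people. West loses "missed" (3) and the next-smallest cell "met_goal" (12), leaving "unknown" (20) visible.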
Data Stored on Personal Devices
Consumers’ devices
Notes you keep on your phone, spreadsheets about symptoms, or photos of lab results that you store for yourself are not ePHI. They are outside HIPAA unless and until a covered entity receives and maintains them.
Workforce devices
If workforce members of a covered entity store patient information on personal laptops or phones for work, that information is ePHI and must meet the Security Rule's safeguards (for example, encryption, access controls, and the ability to wipe a lost device). Ownership of the device does not change the status of the data.
Conclusion
Not ePHI depends on who holds the data, why it’s held, and whether individuals are identifiable. Keep the “covered entity” context and HIPAA identifiers in mind, and use de-identification, aggregation, and role distinctions to stay on solid ground.
FAQs
What qualifies as electronic protected health information?
ePHI is individually identifiable health information in electronic form that a covered entity or its business associate creates, receives, maintains, or transmits. The information must relate to a person's physical or mental health, the care provided, or payment for that care, and must identify the person or give a reasonable basis to identify them. Examples include EHR entries, billing files, and secure messages containing diagnosis or treatment details that can be linked to a person.
How is de-identified data different from ePHI?
De-identified data has removed the 18 HIPAA identifiers or passed expert determination so individuals cannot reasonably be identified. Because identity is no longer linkable, the resulting dataset is not ePHI. By contrast, a limited data set that still includes certain elements remains PHI.
Are data from fitness apps considered ePHI?
Generally no. Data from consumer fitness apps and wearable devices is not ePHI unless the app is offered by, or operates on behalf of, a covered entity, or you send the data into a provider's system. The copy held by the provider or plan then becomes ePHI; the copy on your own device does not.
When are employment records excluded from ePHI?
Employment records are excluded when an employer maintains them in its role as employer, even if they contain medical details. HR files like sick notes, FMLA forms, or drug tests are not ePHI. Clinical records created when an employee is treated as a patient by a provider are PHI within the provider’s system.