PHI vs ePHI: Definitions, HIPAA Requirements, and Real-World Examples

Kevin Henry

HIPAA

April 23, 2024

7-minute read

Definition of PHI

Protected Health Information (PHI) is a subset of Individually Identifiable Health Information created or received by a covered entity or business associate that relates to a person’s health status, care, or payment for care. It identifies the individual or provides a reasonable basis to believe the person could be identified.

PHI can exist in any format—paper, verbal, or electronic. It includes common identifiers such as names, addresses, dates, contact details, Social Security numbers, medical record numbers, and images tied to health data. De-identified Health Data, education records under FERPA, and employment records held by a covered entity in its role as employer are not PHI.

Definition of ePHI

Electronic Protected Health Information (ePHI) is PHI that is created, stored, transmitted, or received in electronic form. It covers data in EHR systems, patient portals, email, text messages, databases, backups, and connected devices.

All ePHI is PHI, but not all PHI is electronic. The HIPAA Security Rule applies specifically to ePHI, requiring safeguards to protect its confidentiality, integrity, and availability. Properly De-identified Health Data is outside HIPAA’s scope, whether electronic or not.

Examples of PHI

The following real-world items are PHI when they can be tied to a person and relate to health, care delivery, or payment:

  • A printed discharge summary with a patient’s name, diagnosis, and medical record number.
  • A referral fax listing medications, allergies, and contact details.
  • Voicemail capturing a patient’s name and appointment information.
  • Paper billing statements or explanation of benefits with policy numbers and services.
  • Clinical photographs or full-face images linked to treatment notes.
  • Device serial numbers, license plates, IP addresses, or biometric identifiers when associated with health data.
  • Prescription labels and pharmacy pickup logs identifying the patient and medication.

Examples of ePHI

Common forms of ePHI include electronic records and messages that identify a patient and relate to care or payment:

  • EHR entries, problem lists, lab results, radiology reports, and clinical notes stored on servers.
  • Email or secure messages containing diagnoses, referrals, or imaging attachments.
  • Text messages with medication changes between clinicians and patients.
  • Cloud backups, archives, and data extracts (CSV exports) containing identifiers.
  • Telehealth chat logs, images, or recordings saved to a platform.
  • Claims files transmitted to clearinghouses and payer portals.
  • Remote patient monitoring and wearable data when routed to a provider’s system.

HIPAA Privacy Rule Overview

Who must comply and what it covers

The Privacy Rule applies to covered entities—healthcare providers, health plans, and clearinghouses—and to their business associates. It governs how PHI in any medium may be used and disclosed for treatment, payment, and healthcare operations, plus other permitted or required purposes.

Minimum necessary and authorizations

Outside of treatment, you must limit PHI access and disclosures to the minimum necessary to accomplish the purpose. Uses and disclosures beyond those permitted require a valid, written authorization from the individual.

Individual rights

People have rights to access and obtain copies of their PHI, request amendments, receive an accounting of disclosures, request restrictions, and ask for confidential communications. Covered entities must provide a Notice of Privacy Practices explaining these rights.

De-identified Health Data

PHI that has been de-identified through expert determination or the Safe Harbor method is no longer subject to HIPAA. De-identified Health Data may be used and shared without patient authorization, provided re-identification risks are appropriately controlled.
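As an added example that is not part of the original article, the Safe Harbor transformations applied in Python to a constructed structured record: direct identifiers are dropped, ZIP codes are truncated to three digits (or "000" for low-population prefixes), dates tied to the individual are reduced to the year, and ages over 89 are collapsed into "90+". The field names, the restricted-prefix set and the reference date are assumptions for this sample, not values from the article or from any official list.

```python
from datetime import date

# Assumed (constructed) set of 3-digit ZIP prefixes with population <= 20,000,
# which Safe Harbor reports as "000"; the real list comes from census data.
RESTRICTED_ZIP3 = {"036", "059"}
# Assumed field names holding identifiers Safe Harbor removes outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "phone", "email", "ssn", "mrn",
    "device_serial", "license_plate", "ip_address", "face_photo_url",
}
AS_OF = date(2024, 4, 23)  # constructed reference date for age calculation

def safe_harbor_zip(zip_code: str) -> str:
    """Keep only the first three ZIP digits, or '000' for low-population prefixes."""
    prefix = zip_code[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix

def safe_harbor_year(iso_date: str) -> str:
    """Dates tied to the individual (admission, discharge, etc.) keep only the year."""
    return iso_date[:4]

def safe_harbor_age(birth_date: str, as_of: date = AS_OF) -> str:
    """Ages over 89 collapse into a single '90+' category."""
    born = date.fromisoformat(birth_date)
    age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
    return "90+" if age > 89 else str(age)

def deidentify(record: dict, as_of: date = AS_OF) -> dict:
    """Return a Safe Harbor de-identified copy of a structured ePHI record."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # direct identifiers are dropped entirely
        if key == "zip":
            out[key] = safe_harbor_zip(value)
        elif key in {"admission_date", "discharge_date"}:
            out[key] = safe_harbor_year(value)
        elif key == "birth_date":
            out["age"] = safe_harbor_age(value, as_of)
        else:
            out[key] = value  # clinical content such as a diagnosis is kept
    return out

# Constructed sample record; not real patient data.
SAMPLE = {
    "name": "Jane Example", "mrn": "MRN-000123", "zip": "03601",
    "birth_date": "1931-02-14", "admission_date": "2024-01-09",
    "diagnosis": "Type 2 diabetes", "ip_address": "203.0.113.7",
}
```

Free-text fields are not handled here; a real pipeline must also scrub names, dates and other identifiers embedded in narrative notes before the output counts as de-identified.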

HIPAA Security Rule Overview

Scope and objectives

The Security Rule applies to ePHI and requires you to ensure its confidentiality, integrity, and availability. It is risk-based and scalable, allowing organizations to implement reasonable and appropriate measures.

HIPAA Administrative Safeguards

  • Perform an enterprise-wide risk analysis and implement risk management plans.
  • Establish policies, procedures, workforce training, and sanction processes.
  • Manage access based on roles; oversee business associates and incident response.
  • Plan for contingencies, including data backup, disaster recovery, and emergency operations.

HIPAA Physical Safeguards

  • Control facility access and validate visitor entry to areas housing systems with ePHI.
  • Secure workstations and mobile devices; implement screen privacy and automatic logoff.
  • Govern device and media controls, including encryption, reuse, and secure disposal.

HIPAA Technical Safeguards

  • Access controls: unique user IDs, emergency access, automatic logoff, and encryption.
  • Audit controls: log collection, monitoring, and review of access and activity.
  • Integrity: controls to prevent improper alteration, plus hashing and checksums as appropriate.
  • Person or Entity Authentication: verify users and systems, often with MFA and certificates.
  • Transmission security: protect ePHI in transit with secure protocols and encryption.

Operational practices

Standardize change management, patching, and vulnerability management. Test backups and recovery, validate vendor security, and document decisions for addressable specifications to demonstrate how safeguards meet your risk profile.

HIPAA Breach Notification Rule

What is a breach

A breach is an impermissible use or disclosure of unsecured PHI that compromises privacy or security. Exceptions include certain unintentional, good-faith, or intra-organizational disclosures, but you must still evaluate risk.

Risk assessment

Assess four factors: the nature and extent of PHI involved, the unauthorized person, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. If there is more than a low probability of compromise, notification is required.

Notification timelines and recipients

Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. For breaches affecting 500 or more residents of a state or jurisdiction, also notify prominent media outlets and report to HHS at the same time as the individual notices; breaches affecting fewer than 500 individuals are logged and reported to HHS annually. Business associates must notify the covered entity of breaches they discover.

What to include in notices

Notices should describe what happened, the types of PHI involved, steps individuals should take, what you are doing to investigate and mitigate harm, and how to contact your organization. Encryption that renders PHI unusable can provide safe harbor from notification.

Conclusion

Understanding PHI vs ePHI clarifies when the Privacy Rule applies to all forms of PHI and when the Security Rule imposes specific protections for electronic data. Applying minimum necessary access, robust safeguards, and timely breach response reduces risk and strengthens trust.

Use a living risk management program that aligns HIPAA Administrative, Physical, and Technical Safeguards to your environment. When possible, minimize data, de-identify responsibly, and authenticate people and systems before granting access.

FAQs

What distinguishes PHI from ePHI?

PHI is Individually Identifiable Health Information in any form—paper, verbal, or electronic—held by a covered entity or business associate. ePHI is simply PHI that is created, stored, transmitted, or received electronically, which brings the HIPAA Security Rule’s safeguards into scope.

What are the key HIPAA requirements for ePHI?

You must implement HIPAA Administrative Safeguards, HIPAA Physical Safeguards, and HIPAA Technical Safeguards. Core practices include risk analysis, role-based access, audit logging, integrity protections, Person or Entity Authentication, and transmission security, along with contingency planning and workforce training.

How are breaches of PHI and ePHI handled differently?

The Breach Notification Rule applies to unsecured PHI in any format. ePHI breaches also trigger Security Rule incident response and forensic review of systems and logs. If PHI or ePHI is properly encrypted or otherwise secured per guidance, notification may not be required.

Are mobile health apps subject to HIPAA for ePHI data?

Mobile app data is ePHI only when the app is offered by, on behalf of, or integrated with a covered entity or business associate in a way that creates, receives, maintains, or transmits PHI. Consumer apps that operate solely on behalf of the user, without a covered entity relationship, are generally outside HIPAA but may be subject to other laws and best practices.
