PHI vs ePHI: Practical Compliance Guide for Covered Entities and Business Associates
This PHI vs ePHI guide gives you a clear, operational view of what must be protected, who is responsible, and how to implement safeguards that satisfy the HIPAA Security Rule while supporting day‑to‑day care and operations.
Definition of PHI
Protected Health Information (PHI) is individually identifiable health information held or transmitted by a covered entity or business associate in any form—paper, oral, or electronic. It relates to an individual’s past, present, or future health condition, the provision of care, or payment for care, and either identifies the person or could reasonably be used to identify them.
What counts as PHI
- Identifiers such as name, address, email, phone, Social Security number, MRN, account numbers, device identifiers, photos, and full‑face images linked to health data.
- Clinical and billing content like diagnoses, lab results, prescriptions, progress notes, treatment plans, and claims data tied to an individual.
What is not PHI
- De‑identified data (via expert determination or removal of specified identifiers with no actual knowledge of re‑identification risk).
- Employment records held by a covered entity in its role as employer, and student records protected by FERPA.
Definition of ePHI
Electronic PHI (ePHI) is PHI that is created, received, maintained, or transmitted in electronic form. It lives in EHRs, patient portals, billing systems, cloud storage, email and secure messaging, backups, mobile devices, medical equipment, and APIs.
Because ePHI exists in digital systems and travels across networks, it triggers specific safeguards under the HIPAA Security Rule, including administrative safeguards and technical safeguards, along with physical protections for facilities and devices. When you conduct standard transactions, you must also follow HIPAA electronic transmission standards while protecting ePHI end‑to‑end.
Roles of Covered Entities
Covered entities include health plans, most health care providers who conduct standard electronic transactions, and health care clearinghouses. Your core role is to limit uses and disclosures to what is permitted, honor patient rights, and ensure PHI—especially ePHI—is protected throughout its lifecycle.
- Establish governance: appoint privacy and security officials, approve policies, and define accountability for PHI handling.
- Apply “minimum necessary”: design workflows and access rights so workforce members, apps, and partners see only what they need.
- Perform risk analysis and ongoing risk management focused on confidentiality, integrity, and availability of ePHI.
- Train your workforce, manage vendors, and execute a Business Associate Agreement before sharing PHI.
- Meet patient rights: access, amendments, restrictions, and accounting of disclosures for PHI.
- Use HIPAA electronic transmission standards for standard transactions and secure ePHI during transmission and storage.
Responsibilities of Business Associates
Business associates (BAs) perform services for covered entities that involve PHI—examples include billing firms, EHR vendors, cloud providers, eFax services, telehealth platforms, and analytics companies. BAs are directly liable for safeguarding ePHI and for impermissible uses or disclosures.
- Implement the HIPAA Security Rule: conduct risk analysis, apply administrative safeguards and technical safeguards, and maintain physical safeguards for systems handling ePHI.
- Use or disclose PHI only as permitted by the Business Associate Agreement and HIPAA, applying the minimum necessary standard.
- Flow down obligations to subcontractors who handle PHI and verify their safeguards.
- Maintain audit trails, support access/amendment/accounting requests as applicable, and cooperate with compliance reviews.
- Report security incidents and potential breaches to the covered entity without unreasonable delay.
HIPAA Security Rule Requirements
The Security Rule is risk‑based and scalable. Your program must reasonably and appropriately protect ePHI using administrative, physical, and technical safeguards. Document decisions, implement controls, and review them regularly.
Administrative safeguards
- Risk analysis and risk management to identify threats, vulnerabilities, and prioritized mitigations.
- Workforce security, role‑based access, authorization processes, and ongoing training.
- Security policies and procedures, sanction policy, and periodic evaluations.
- Contingency planning: data backup, disaster recovery, and emergency operations testing.
- Third‑party management: due diligence, Business Associate Agreements, and oversight.
Physical safeguards
- Facility access controls, visitor management, and environmental protections.
- Workstation security, device encryption, and screen privacy.
- Device and media controls for storage, movement, reuse, and secure disposal.
Technical safeguards
- Access controls: unique IDs, role‑based permissions, automatic logoff, and where reasonable, multi‑factor authentication.
- Audit controls: comprehensive logging and monitoring of systems that create, receive, maintain, or transmit ePHI.
- Integrity protections: change controls, anti‑malware, allow‑listing, and checks to prevent inappropriate alteration of ePHI.
- Transmission security: strong encryption in transit and at rest, key management, and secure protocols aligned with electronic transmission standards.
- Person/entity authentication to verify users, services, and devices.
Business Associate Agreements
A Business Associate Agreement (BAA) formalizes how a BA may use and disclose PHI and the safeguards it must maintain. You must have a signed BAA before sharing PHI.
Required elements
- Permitted and required uses/disclosures and a prohibition on other uses/disclosures.
- Obligation to implement safeguards that meet the HIPAA Security Rule and to limit uses/disclosures to the minimum necessary.
- Prompt reporting of security incidents and suspected breaches, including content and timing expectations.
- Flow‑down of the same restrictions and safeguards to subcontractors.
- Availability of PHI for access, amendment, and accounting as applicable.
- Return or secure destruction of PHI at termination, if feasible.
- Right to terminate for material breach and cooperation with HHS investigations.
Common enhancements
- Encryption and logging requirements, incident response SLAs, and breach cost allocation.
- Cyber insurance, penetration testing cadence, and notification channels for urgent events.
Breach Notification Procedures
A breach is an impermissible use or disclosure of unsecured PHI that compromises privacy or security. If ePHI is properly encrypted or destroyed consistent with HHS guidance, it is not “unsecured,” and breach notification is generally not required.
Steps to follow
- Identify and contain: stop the incident, preserve evidence, and protect ongoing operations.
- Assess risk: evaluate the nature and extent of PHI involved, who received it, whether it was actually viewed or acquired, and the extent of mitigation.
- Decide and document: if there is more than a low probability of compromise, treat it as a breach and record your analysis and actions.
- Notify timely: provide written notice to affected individuals without unreasonable delay and no later than 60 calendar days after discovery.
- Notify HHS: for 500+ affected in a state or jurisdiction, notify HHS contemporaneously; for fewer than 500, log and report to HHS within 60 days after year‑end.
- Notify media: if 500+ individuals in a state or jurisdiction are affected, notify prominent media outlets.
- BA to CE notice: business associates must notify the covered entity without unreasonable delay, enabling the CE to meet its deadlines.
- Content of notices: describe what happened, the types of data involved, steps individuals should take, what you are doing to mitigate harm, and whom to contact.
- Coordinate with state law: apply the stricter rule when state breach notification timelines or content differ.
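The decision steps above, turned into a small triage helper as an added example (not code from the original guide): it encodes the encryption safe harbor, the low-probability-of-compromise outcome, the 60-day individual deadline tightened by any stricter state timeline, the 500-per-jurisdiction HHS and media thresholds, and the BA-to-CE notice. The `Incident` fields, the jurisdiction counts and the state timelines are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

INDIVIDUAL_NOTICE_DAYS = 60    # no later than 60 calendar days after discovery
LARGE_BREACH_THRESHOLD = 500   # 500+ in a state/jurisdiction: HHS contemporaneously, plus media

@dataclass
class Incident:
    # Hypothetical record of one incident; field names are this example's own.
    discovered: date
    unsecured: bool                       # False when ePHI was encrypted/destroyed per HHS guidance
    low_probability_of_compromise: bool   # outcome of the documented risk assessment
    affected_by_jurisdiction: dict        # constructed counts, e.g. {"CA": 620, "NV": 40}
    state_notice_days: dict = field(default_factory=dict)  # shorter state timelines, if any
    is_business_associate: bool = False   # a BA must also notify the covered entity

def required_notifications(inc: Incident) -> dict:
    """Apply the decision steps and return who must be notified and by when."""
    if not inc.unsecured:
        return {"breach": False, "reason": "secured PHI; notification generally not required"}
    if inc.low_probability_of_compromise:
        return {"breach": False, "reason": "low probability of compromise; keep the documented analysis"}
    # Federal deadline, tightened by any stricter state timeline for an affected jurisdiction.
    individual_by = inc.discovered + timedelta(days=INDIVIDUAL_NOTICE_DAYS)
    for juris, days in inc.state_notice_days.items():
        if juris in inc.affected_by_jurisdiction:
            individual_by = min(individual_by, inc.discovered + timedelta(days=days))
    large = sorted(j for j, n in inc.affected_by_jurisdiction.items() if n >= LARGE_BREACH_THRESHOLD)
    if large:
        hhs_by = individual_by          # contemporaneously with individual notice
    else:
        # Fewer than 500: log the breach and report to HHS within 60 days after year-end.
        hhs_by = date(inc.discovered.year, 12, 31) + timedelta(days=60)
    result = {
        "breach": True,
        "individuals_total": sum(inc.affected_by_jurisdiction.values()),
        "individual_notice_by": individual_by,
        "hhs_notice_by": hhs_by,
        "media_notice_jurisdictions": large,
    }
    if inc.is_business_associate:
        result["notify_covered_entity"] = "without unreasonable delay, so the CE can meet its deadlines"
    return result
```

The returned dates are the outer deadlines; the notice itself still has to go out without unreasonable delay, and the risk-assessment inputs must come from the documented analysis, not from the helper.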
Conclusion
Distinguishing PHI from ePHI clarifies scope: PHI covers all forms; ePHI triggers the HIPAA Security Rule’s administrative safeguards, physical protections, and technical safeguards. Covered entities set governance, train the workforce, manage vendors, and use electronic transmission standards. Business associates implement equivalent controls under a strong Business Associate Agreement. When incidents occur, a documented assessment and timely breach notification protect individuals and ensure compliance.
FAQs
What distinguishes PHI from ePHI?
PHI is individually identifiable health information in any form—paper, oral, or digital—held by a covered entity or business associate. ePHI is simply PHI in electronic form, such as data in EHRs, portals, email, backups, or connected devices; ePHI is subject to specific safeguards under the HIPAA Security Rule.
How must covered entities protect ePHI?
You must implement a risk‑based security program with administrative safeguards, physical safeguards, and technical safeguards; enforce minimum‑necessary access; train your workforce; secure transmissions and storage (e.g., encryption and strong authentication); log and monitor activity; plan for backups and recovery; and manage vendors through a signed Business Associate Agreement.
What are the obligations of business associates under HIPAA?
Business associates must comply with the Security Rule, use or disclose PHI only as permitted by their Business Associate Agreement, limit access to the minimum necessary, extend safeguards to subcontractors, maintain logs and support patient rights processes as applicable, and report security incidents and potential breaches to the covered entity without unreasonable delay.
When is breach notification required?
If an impermissible use or disclosure of unsecured PHI presents more than a low probability of compromise, you must notify affected individuals without unreasonable delay and no later than 60 days after discovery; notify HHS (timing depends on the number affected) and, for large incidents, the media. Properly encrypted or destroyed PHI generally falls outside breach notification requirements.