PHI vs ePHI: Storage, Transmission, and Access Controls Checklist

Understanding PHI vs ePHI helps you apply the right safeguards where they matter most. PHI covers identifiable health information in any form, while ePHI is PHI created, stored, or transmitted electronically—where most technical controls apply.

Use this practical checklist to harden storage, transmission, and access controls across your environment. It aligns with common HIPAA Security Rule expectations while emphasizing real-world implementation, Risk Analyses, and enforceable Procedural Mechanisms.

Access Control

Strong access control limits who can view or change ePHI and under what conditions. Build controls around identity, least privilege, and verifiable accountability for every access event.

Checklist

• Issue Unique User Identifiers for every user and service account; prohibit shared logins.
• Enforce role-based access control with least privilege and documented approvals.
• Require multi-factor authentication for administrative, remote, and high-risk access.
• Configure Automatic Logoff and session timeouts; lock screens on inactivity and re-authenticate on wake.
• Define and test Emergency Access Procedures (“break-glass”) with tight logging and post-event review.
• Implement network and application segmentation to isolate ePHI systems.
• Recertify access quarterly; disable orphaned or unused accounts promptly.
• Include access requirements in Business Associate Contracts for hosted or managed platforms.

Implementation Tips

• Automate provisioning and deprovisioning from HR events to reduce lag and error.
• Map permissions to job roles; use just-in-time elevation for rare administrative tasks.
• Vault privileged credentials, rotate them, and alert on anomalous use.
• Exercise break-glass accounts regularly and keep auditable compensating controls.

Audit Controls

Audit controls create an objective record of activity around ePHI. They enable detection, investigation, and proof of compliance when incidents occur.

Checklist

• Log authentication attempts, record views, create/update/delete actions, and data exports/prints.
• Capture admin actions, privilege changes, and all Emergency Access Procedures invocations.
• Synchronize time across systems; include user, Unique User Identifiers, patient, device, and source IP.
• Protect logs from tampering with write-once storage, hashing, and restricted access paths.
• Set retention to meet regulatory and policy requirements; document who can access which logs.
• Feed logs into a SIEM; implement real-time alerts for high-risk patterns.
• Define Procedural Mechanisms for routine review, escalation, and sanctions.
• Specify audit and retention duties in Business Associate Contracts.

Implementation Tips

• Standardize log formats and use correlation IDs to follow a transaction end-to-end.
• Run periodic integrity checks on log stores and validate alert efficacy with tabletop tests.
• Use audit findings to drive targeted Risk Analyses and remediation plans.

Integrity Controls

Integrity controls ensure ePHI is not altered or destroyed improperly. Combine technical safeguards with Procedural Mechanisms that authenticate data and trace provenance.

Checklist

• Use checksums, hashing, and digital signatures to detect unauthorized changes.
• Apply database constraints, immutable storage options, and versioning on records.
• Employ authenticated Encryption and Decryption (for example, AEAD) to protect both confidentiality and integrity.
• Enforce change control with peer review and documented approvals for schema and code changes.
• Validate inputs, restrict direct database access, and monitor file integrity.
• Verify backups by checksum and routine restore tests; compare to source data.
• Conduct periodic Risk Analyses focused on integrity threats and update safeguards accordingly.

Implementation Tips

• Sign critical documents at creation and re-verify signatures on retrieval or release.
• Record record-level provenance (who, what, when) and surface it in user workflows.

Transmission Security

Transmission security prevents interception or alteration of ePHI as it traverses networks. Focus on strong cryptography, key management, and channel-specific controls.

Checklist

• Enforce TLS 1.2+ (prefer TLS 1.3) with modern cipher suites for all web and API traffic.
• Use VPN/IPsec or TLS tunnels for site-to-site links and remote clinicians.
• Secure email via S/MIME or portal-based secure messaging; avoid unencrypted email and SMS for ePHI.
• Protect APIs with OAuth 2.0/OpenID Connect, scoped tokens, and mTLS where appropriate.
• Implement integrity checks (AEAD/MAC) and replay protections on protocols.
• Deploy DLP to detect and block unauthorized ePHI transmissions and file sharing.
• Document Encryption and Decryption key ownership, rotation, and escrow procedures.
• Include transmission, logging, and incident duties in Business Associate Contracts.
• Perform Risk Analyses on telehealth platforms, medical devices, and third-party communications.

Testing Notes

• Scan externally for TLS configuration issues and certificate problems.
• Continuously validate that insecure protocols and ciphers remain disabled.

Facility Access Controls

Facility controls protect the physical spaces where systems hosting ePHI reside. Limit physical access, verify visitors, and maintain resilience for emergencies.

Checklist

• Restrict access to data centers, IDF/MDF closets, and server rooms; lock racks and cabinets.
• Use badges, visitor logs, escorts, and CCTV with defined retention and review.
• Maintain environmental safeguards: UPS, generators, fire suppression, and monitoring.
• Define Emergency Access Procedures for facility entry during outages or disasters.
• Control device and media: secure transport, inventory, sanitization, and verified disposal.
• Assess colocations and cloud data centers; embed obligations in Business Associate Contracts.
• Conduct on-site physical Risk Analyses and remediate findings promptly.

Workstation Security

Workstations and mobile devices are common ePHI touchpoints. Standardize configurations, reduce local data, and enforce rapid lock and encryption.

Checklist

• Maintain an asset inventory and bind devices to users via Unique User Identifiers.
• Enable full-disk encryption and remote wipe on laptops and mobile devices.
• Configure Automatic Logoff and screen locks after defined inactivity; require re-authentication.
• Harden endpoints: timely patching, EDR/anti-malware, host firewalls, and application allowlisting.
• Minimize or eliminate local ePHI storage; use VDI or encrypted network shares when feasible.
• Limit local admin rights and block risky peripherals; monitor for data exfiltration.
• Apply MDM for mobile platforms and enforce containerization of clinical apps.
• Train users on secure handling, clean desk expectations, and phishing defense.

Data Backup and Storage

Backups and storage strategies preserve availability and recoverability of ePHI. Design for resilience, verifiable integrity, and strong key management.

Checklist

• Adopt a 3-2-1 backup strategy with at least one offline or immutable copy (for example, WORM/object lock).
• Encrypt ePHI at rest; manage Encryption and Decryption keys in HSM/KMS with separation of duties and rotation.
• Test restores regularly; define and meet RPO/RTO targets for critical systems.
• Validate backup integrity using checksums and periodic full-restore drills.
• Restrict storage access with least privilege and network segmentation; monitor anomalies.
• Back up audit logs and configuration as well as application data.
• Define retention schedules and legal holds; document secure archival and destruction.
• Include storage security, integrity validation, and incident support in Business Associate Contracts.
• Perform ongoing Risk Analyses to reassess storage tiers, locations, and providers.

Summary

PHI vs ePHI matters because electronic formats demand verifiable technical safeguards. By applying this checklist—access, audit, integrity, transmission, facility, workstation, and storage—you reduce risk, demonstrate due diligence, and sustain trust in every interaction with patient data.

FAQs

What is the main difference between PHI and ePHI?

PHI is individually identifiable health information in any form. ePHI is PHI that is created, stored, maintained, or transmitted electronically. The HIPAA Security Rule primarily targets ePHI with technical and physical safeguards, while privacy requirements apply to PHI in all formats.

How are access controls implemented for ePHI?

You implement access controls by issuing Unique User Identifiers, enforcing role-based permissions, requiring multi-factor authentication, configuring Automatic Logoff, and defining Emergency Access Procedures. Recertify access regularly and ensure Business Associate Contracts bind vendors to equivalent controls and auditing.

What security measures protect ePHI during transmission?

Use strong encryption in transit (TLS 1.2+/1.3), VPN or IPsec tunnels, and secure email or portals instead of standard email or SMS. Apply integrity protections, manage keys for Encryption and Decryption, enable DLP to prevent leaks, and confirm these obligations in Business Associate Contracts following channel-specific Risk Analyses.

How is audit control applied to ePHI systems?

Audit control means logging access and actions on ePHI, protecting logs from tampering, retaining them per policy, and actively reviewing alerts. Define Procedural Mechanisms for routine review and escalation, and require vendors to meet the same logging standards through Business Associate Contracts.