Real-World ePHI Scenarios: Examples to Help You Understand What Counts Under HIPAA


Kevin Henry

HIPAA

March 08, 2025


Understanding electronic protected health information (ePHI) helps you avoid unauthorized disclosure and design sensible safeguards. This guide uses real-world ePHI scenarios to clarify what qualifies as individually identifiable health information under HIPAA, who is responsible (covered entities and business associates), and how to manage risk without overcomplicating your operations.

Definition of Electronic Protected Health Information

ePHI is protected health information that is created, received, maintained, or transmitted in electronic form. It combines two elements: an individual identifier and health-related data about a person’s condition, care, or payment. HIPAA applies to covered entities (health plans, health care clearinghouses, and most health care providers) and to their business associates that handle ePHI on their behalf.

Key elements

  • Electronic form: data stored or transmitted via computers, mobile devices, servers, cloud services, or digital media.
  • Individually identifiable health information: any health data that can reasonably be linked to a specific person.
  • Custodianship: held by a covered entity or a business associate acting for that entity.
  • Purpose agnostic: clinical, billing, operational, or quality data all qualify if the information is identifiable and electronic.

De-identified data, certain employment records, and education records are not ePHI. Nuances and exclusions appear in the “Common Breaches and Exclusions” section below.

Examples of ePHI in Practice

Clinical and care delivery

  • EHR notes, problem lists, allergies, and medication histories linked to a patient’s name or medical record number (MRN).
  • Digital imaging and diagnostics (e.g., DICOM radiology studies) stored with patient identifiers.
  • e-Prescriptions containing patient demographics and drug details transmitted to a pharmacy.
  • Telehealth visit records, chat transcripts, or recordings tied to a patient account.

Billing, payment, and operations

  • Claims files with health plan beneficiary numbers, diagnosis codes, dates of service, and account numbers.
  • Patient statements emailed or posted to a portal showing services rendered and balances due.
  • Eligibility and benefits verification files exchanged with payers through EDI or APIs.
  • Quality dashboards that display outcomes for small cohorts where individuals could be re-identified.

Patient communications and coordination

  • Appointment reminders that include the clinic, date, and condition-specific details linked to a named patient.
  • Secure messages between patients and clinicians discussing test results or treatment plans.
  • Care management spreadsheets stored in the cloud with names, phone numbers, and medical conditions.

Devices and remote monitoring

  • Wearable or home-monitoring feeds (e.g., BP, glucose) integrated into the EHR under a patient record.
  • Implantable device serial numbers mapped to patients and tracked for recalls or performance.

Contrast: consumer wellness app data that never goes to a covered entity or business associate is typically outside HIPAA, even if it feels “health-related.” Once the same data is collected, maintained, or transmitted by or for a covered entity, it becomes ePHI.

Identifiers Included in ePHI

HIPAA’s “individually identifiable health information” hinges on specific identifiers that can tie data to a person. Common identifiers include:

  • Names.
  • Geographic details smaller than a state (street, city, county, precinct, full ZIP; limited ZIP aggregation rules apply).
  • All elements of dates (except year) related to birth, admission, discharge, death, and exact ages over 89.
  • Telephone numbers.
  • Fax numbers.
  • Email addresses.
  • Social Security numbers.
  • Medical record numbers.
  • Health plan beneficiary numbers.
  • Account numbers.
  • Certificate and license numbers.
  • Vehicle identifiers and license plates.
  • Device identifiers and serial numbers.
  • Web URLs.
  • IP addresses.
  • Biometric identifiers (e.g., fingerprints, voiceprints).
  • Full-face photographs and comparable images.
  • Any other unique identifying number, characteristic, or code.

If any of these identifiers appear with health information in electronic form, you should treat the dataset as ePHI unless it has been properly de-identified.
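The identifier list above is the test most organizations apply in practice: if any one of these identifiers sits beside health information in an electronic record, the record is ePHI. The following is an added example (not code from the original article) that applies that test to structured records. The field names, the regular expressions and the sample records are constructed assumptions for a hypothetical schema; a real deployment would map them to its own EHR or billing fields.

```python
"""Classify records as ePHI: an identifier plus health information,
both in electronic form.

Added illustration, not code from the article. Field names, regexes and
sample records are constructed for a hypothetical schema.
"""
import re

# Fields that carry one of the HIPAA identifiers (hypothetical schema).
IDENTIFIER_FIELDS = {
    "name", "street", "city", "county", "zip", "dob", "admission_date",
    "discharge_date", "date_of_death", "phone", "fax", "email", "ssn", "mrn",
    "beneficiary_id", "account_number", "license_number", "plate",
    "device_serial", "url", "ip_address", "biometric", "photo",
}

# Fields that carry health information about condition, care or payment.
HEALTH_FIELDS = {
    "diagnosis", "icd10", "medication", "lab_result", "procedure",
    "claim_amount", "visit_notes", "glucose", "blood_pressure",
}

# Identifiers that often hide inside free-text fields such as visit notes.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def find_identifiers(record):
    """Return the set of identifier types present in a record.

    Both named identifier fields and identifier-shaped strings inside any
    text value count, because a note field can leak a phone number or SSN
    even when the schema has no column for it.
    """
    found = set()
    for field, value in record.items():
        if value in (None, ""):
            continue
        if field in IDENTIFIER_FIELDS:
            found.add(field)
        if isinstance(value, str):
            for label, pattern in IDENTIFIER_PATTERNS.items():
                if pattern.search(value):
                    found.add(label)
    return found


def has_health_info(record):
    """True if any health-related field is populated."""
    return any(record.get(f) not in (None, "") for f in HEALTH_FIELDS)


def classify(record):
    """Return (label, sorted identifier types) for one record."""
    ids = find_identifiers(record)
    health = has_health_info(record)
    if ids and health:
        label = "ePHI"
    elif health:
        label = "health info, no identifier"
    elif ids:
        label = "identifiers, no health info"
    else:
        label = "neither"
    return label, sorted(ids)


# Constructed sample records covering the four outcomes.
SAMPLE_RECORDS = [
    {"mrn": "MRN-000123", "diagnosis": "E11.9"},
    {"cohort": "clinic-A", "lab_result": "HbA1c 7.2"},
    {"name": "Jane Doe", "zip": "12345"},
    {"visit_notes": "Callback 555-010-2222 re: inhaler refill", "diagnosis": "J45"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(classify(rec))
```

The fourth sample record has no identifier column at all, yet the phone number inside the note makes it ePHI; that is the case that schema-only inventories miss.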


Transmission Methods for ePHI

ePHI moves across many digital channels. Your controls should match the sensitivity and route.

  • Secure email with TLS or S/MIME when exchanging results, referrals, or care plans.
  • Patient portals and clinician messaging platforms for two-way communication and results delivery.
  • EHR-to-EHR interfaces (HL7, FHIR APIs) for referrals, summaries of care, and device data ingestion.
  • EDI over SFTP/VPN for claims, remits, and eligibility transactions.
  • Cloud-based eFax services that create or store digital images of faxes (treated as ePHI).
  • Traditional analog fax and voice telephone calls are not electronic transmissions under the Security Rule, but once digitized or stored electronically they become ePHI.
  • Telehealth video/audio platforms and remote patient monitoring feeds.
  • Automated backups/sync jobs between endpoints and cloud storage or disaster recovery sites.
  • SMS/texting: high risk; if a message combines identifiers with health information, treat it as ePHI and either apply compensating controls or avoid the channel.

Storage Solutions for ePHI

ePHI can reside nearly anywhere in your environment. Inventory and protect every location where it lands.

  • EHR databases and application servers (on-premises or hosted).
  • Cloud storage, data warehouses, and analytics platforms operating under a business associate agreement.
  • Endpoint devices: laptops, tablets, smartphones with cached emails, apps, or downloads.
  • Removable media: USB drives, external disks, camera cards, and medical device consoles.
  • Document repositories and collaboration suites used for intake forms, referrals, and ROI workflows.
  • Backups, archives, log collections, and disaster recovery replicas.
  • Third-party billing, coding, transcription, and telehealth systems (business associates).

Apply data minimization: store only what you need, where you need it, for as long as required by policy or law.

Security Safeguards for ePHI

Administrative safeguards

  • Risk analysis and risk management with documented remediation plans.
  • Policies for access, minimum necessary use, incident response, and contingency operations.
  • Workforce training, role-based access, sanctions, and ongoing awareness campaigns.
  • Vendor due diligence and business associate agreements that define responsibilities and breach duties.
  • Contingency plans: backups, disaster recovery, and emergency mode operations testing.

Physical safeguards

  • Facility access controls and visitor management.
  • Workstation security: secure locations, privacy screens, and automatic session lock.
  • Device and media controls: inventory, encryption, re-use protocols, and verified destruction.

Technical protections

  • Access controls: unique IDs, multi-factor authentication, least privilege, and automatic logoff.
  • Encryption in transit (TLS) and at rest for servers, endpoints, and backups.
  • Audit controls and logs with regular review, alerting, and retention.
  • Integrity protections: checksums, write-once storage for critical logs, and tamper detection.
  • Transmission security: secure protocols (HTTPS, SFTP, VPN) and strong key management.

Operational good practices

  • Timely patching, configuration baselines, and vulnerability management.
  • Network segmentation, zero-trust access, and data loss prevention.
  • Phishing-resistant MFA, user education, and simulated exercises.
  • Regular backup testing and recovery drills to reduce ransomware impact.

Common Breaches and Exclusions

Frequent breach scenarios

  • Misdirected emails or attachments disclosing lab results to the wrong recipient (unauthorized disclosure).
  • Lost or stolen unencrypted laptops and phones containing cached messages or spreadsheets.
  • Misconfigured cloud storage exposing ePHI to the public internet.
  • Compromised credentials via phishing leading to mailbox or portal takeover.
  • Ransomware that encrypts servers and backups, causing downtime and potential data exfiltration.
  • Improper use of personal messaging apps for care coordination without safeguards.
  • Incorrect eFax numbers, printing stations, or shared copiers where ePHI is left unattended.

How to reduce risk

  • Encrypt endpoints and enforce remote wipe; require phishing-resistant MFA for email and portals.
  • Use DLP and address verification for outbound email; prefer secure portals for results.
  • Harden cloud buckets with default-deny access policies, private networking, and continuous misconfiguration scanning.
  • Implement privileged access management and monitor for anomalous logins.
  • Maintain tested, offline-capable backups and well-practiced incident response playbooks.
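Misdirected email is the first breach scenario listed above, and the second mitigation bullet (DLP plus address verification, with secure portals preferred for results) is the control for it. The following added example (not code from the article) shows an outbound-email gate that implements that bullet: it blocks recipients whose domain is one typo away from a trusted partner domain, allows ePHI-looking content only to trusted domains, and otherwise returns a decision to route the message through the portal instead. The trusted-domain list, the regular expressions, the health-term list and the sample messages are constructed assumptions.

```python
"""Outbound email gate: recipient verification plus content inspection.

Added illustration, not code from the article. Domains, patterns and
sample messages are constructed.
"""
import re
from dataclasses import dataclass, field

# Hypothetical partner domains permitted to receive ePHI (e.g. under a BAA).
TRUSTED_DOMAINS = {"example-hospital.org", "labpartner.example.com"}

# Identifier shapes commonly present in misdirected clinical messages.
IDENTIFIER_RES = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[-\s]?\d{6,}\b", re.I),
    "dob": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/\d{4}\b"),
}
# Terms suggesting health content about condition, care or payment.
HEALTH_TERMS = re.compile(
    r"\b(diagnos\w*|lab result\w*|prescri\w*|treatment|claim|hba1c|biopsy)\b", re.I)


@dataclass
class Decision:
    action: str                      # "allow", "require_portal" or "block"
    reasons: list = field(default_factory=list)


def _one_edit_away(a, b):
    """True if strings a and b differ by one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1
        elif len(b) > len(a):
            j += 1
        else:
            i += 1
            j += 1
    return edits + (len(a) - i) + (len(b) - j) <= 1


def check_outbound(to_addr, subject, body, attachments_text=()):
    """Decide whether a message may leave as email, must go via the portal,
    or must be blocked because the recipient looks like a typo'd partner."""
    domain = to_addr.rsplit("@", 1)[-1].lower()
    content = " ".join([subject, body, *attachments_text])
    ids = [name for name, rx in IDENTIFIER_RES.items() if rx.search(content)]
    looks_like_ephi = bool(ids) and bool(HEALTH_TERMS.search(content))

    lookalike = next((d for d in TRUSTED_DOMAINS if _one_edit_away(domain, d)), None)
    if lookalike:
        return Decision("block", [f"{domain} is one edit from trusted {lookalike}"])
    if not looks_like_ephi:
        return Decision("allow")
    if domain in TRUSTED_DOMAINS:
        return Decision("allow", [f"ePHI indicators {ids} to trusted {domain}"])
    return Decision("require_portal", [f"ePHI indicators {ids} to untrusted {domain}"])


if __name__ == "__main__":
    # Constructed messages: partner, personal mailbox, typo'd partner, no ePHI.
    for addr in ("dr.lee@labpartner.example.com", "jane@gmail.example",
                 "dr.lee@labpartner.example.co"):
        print(addr, check_outbound(addr, "Results for MRN-004512",
                                   "HbA1c lab result attached"))
    print(check_outbound("friend@somewhere.example", "Lunch?", "Thursday at noon"))
```

The block decision for the typo'd domain fires regardless of content: the cost of a false positive there is one bounced email, while the cost of a false negative is the unauthorized disclosure the article describes.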

What is not ePHI (exclusions and nuances)

  • Properly de-identified data (safe harbor or expert determination) with identifiers removed.
  • Limited data sets remain PHI but have fewer identifiers; handle under a data use agreement.
  • Employment records held by a covered entity in its role as employer (e.g., FMLA forms in HR systems).
  • Education records covered by FERPA.
  • Consumer app data that never flows to a covered entity or business associate.
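The first exclusion above, properly de-identified data, depends on what "properly" means. Under the Safe Harbor method the direct identifiers are removed, dates are reduced to the year, ZIP codes are cut to three digits (and to 000 where the three-digit area has 20,000 or fewer residents), and ages over 89 are collapsed into a single "90 or older" bucket, including any birth year that would reveal such an age. The following added example (not code from the article) applies those rules to a structured record. The field names and sample records are constructed, and the table of sparsely populated ZIP prefixes is a stand-in, not census data; a real implementation would load the current published list.

```python
"""Safe Harbor style de-identification of a structured record.

Added illustration, not code from the article. Field names, sample
records and the sparse-ZIP table are constructed stand-ins.
"""
import re
from datetime import date

# Direct identifiers dropped outright (hypothetical schema).
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "beneficiary_id", "account_number", "license_number", "plate",
    "device_serial", "url", "ip_address", "biometric", "photo",
}
# Date fields reduced to the year only.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "date_of_death"}
# Constructed stand-in for the three-digit ZIP areas with <= 20,000 people.
SPARSE_ZIP3 = {"036", "059", "102", "203"}

ISO_DATE = re.compile(r"\d{4}-\d{2}-\d{2}")


def _age_on(dob_iso, as_of):
    """Whole years between an ISO date of birth and the as_of date."""
    y, m, d = (int(p) for p in dob_iso.split("-"))
    return as_of.year - y - ((as_of.month, as_of.day) < (m, d))


def deidentify(record, as_of=date(2025, 3, 8)):
    """Return a Safe Harbor de-identified copy of one record.

    as_of fixes the date used for the age calculation so results are
    reproducible; in production this would be the extraction date.
    """
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                                   # remove outright
        if field == "zip":
            zip3 = str(value)[:3]
            out["zip3"] = "000" if zip3 in SPARSE_ZIP3 else zip3
            continue
        if field in DATE_FIELDS:
            if isinstance(value, str) and ISO_DATE.fullmatch(value):
                out[field + "_year"] = value[:4]        # keep the year only
            continue
        out[field] = value                              # health data passes through

    dob = record.get("dob")
    if isinstance(dob, str) and ISO_DATE.fullmatch(dob):
        age = _age_on(dob, as_of)
        if age > 89:
            out["age"] = "90+"
            out.pop("dob_year", None)   # a birth year would reveal age > 89
        else:
            out["age"] = age
    return out


# Constructed sample record: every identifier class plus two health fields.
SAMPLE = {
    "name": "Jane Doe", "mrn": "MRN-000123", "email": "jane@example.com",
    "street": "1 Main St", "city": "Anytown", "zip": "03601",
    "dob": "1932-01-15", "admission_date": "2025-02-20",
    "diagnosis": "E11.9", "hba1c": 7.2,
}

if __name__ == "__main__":
    print(deidentify(SAMPLE))
```

The over-89 branch is the detail most home-grown scripts get wrong: keeping the birth year for a 93-year-old patient re-identifies the age bucket the rule was meant to hide. Safe Harbor also requires that the organization has no actual knowledge the remaining data could identify the person, which no transformation can check on its own.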

Key takeaways

  • ePHI = identifiable health information in electronic form, held by covered entities or business associates.
  • Map where ePHI is created, transmitted, and stored; then apply administrative, physical, and technical protections.
  • Most breaches stem from basic lapses—misaddressed messages, weak access controls, or misconfigurations—so solve those first.

FAQs

What types of data qualify as ePHI under HIPAA?

Any electronic data that combines an individual identifier (such as a name, MRN, email, or IP address) with health-related information about condition, care, or payment is ePHI when handled by a covered entity or its business associates. Clinical records, billing files, portal messages, and device data integrated into the EHR are common examples.

How is ePHI typically transmitted and stored?

ePHI is transmitted via secure email, patient portals, EHR interfaces (HL7/FHIR), SFTP/EDI, telehealth platforms, and cloud-based eFax systems. It is stored in EHR databases, cloud repositories under a BAA, endpoint devices, collaboration suites, backups, and third-party systems used for billing, transcription, and remote monitoring.

What are common security measures to protect ePHI?

Use administrative safeguards (risk analysis, policies, training, vendor management), physical safeguards (facility and device controls), and technical protections (MFA, least privilege, encryption in transit and at rest, audit logging, integrity checks). Add operational practices like patching, segmentation, DLP, and tested backups.

What information is excluded from the definition of ePHI?

De-identified data, employment records held by a covered entity as an employer, education records covered by FERPA, and consumer app data that never reaches a covered entity or business associate are excluded. Limited data sets still constitute PHI but include fewer identifiers and must be governed by a data use agreement.
