Understanding ePHI: Scope, Examples, and Documentation Requirements Under HIPAA

Electronic Protected Health Information (ePHI) sits at the center of HIPAA compliance. This guide clarifies what counts as ePHI, illustrates common examples, explains the scope you must manage, outlines documentation and data retention requirements, and details risk analysis and security safeguards—along with what’s outside ePHI coverage.

Definition of Electronic Protected Health Information

ePHI is any individually identifiable health information that is created, received, maintained, or transmitted in electronic form by a HIPAA covered entity or business associate. It links to a person (directly or indirectly) and relates to their health status, care, or payment for care.

• Individually identifiable: includes names, IDs, addresses, contact details, or other data points that reasonably identify a person.
• Health-related: diagnoses, treatment details, prescriptions, lab results, billing and claims data, care coordination notes, and similar content.
• Electronic media: stored or sent via EHRs, databases, cloud platforms, mobile devices, email, portals, imaging systems, backups, and audit archives.
• Lifecycle-wide: covered whether the data is at rest, in transit, or in use, including temporary files, caches, and replicas.

Examples of Electronic Protected Health Information

These common items qualify as ePHI when they include or can be linked to an individual:

• EHR records containing demographics, medical histories, allergies, and care plans.
• Digital claims, remittance files, and eligibility transactions tied to a member ID.
• Lab and imaging results (e.g., DICOM files) with patient identifiers.
• Secure portal messages, telehealth notes, and recorded consults linked to the patient.
• Care management spreadsheets or registries that combine conditions and identifiers.
• Pharmacy dispensing logs or e-prescriptions referencing a specific individual.
• Remote patient monitoring feeds (e.g., glucometer, cardiac telemetry) associated with a patient account.
• System logs, tickets, and audit trails that include patient IDs, MRNs, or other identifiers alongside clinical or billing context.
• Encrypted backups, archives, and disaster recovery images that store patient-identifiable health data.

Scope of Electronic Protected Health Information

Your scope encompasses every place ePHI is created, stored, processed, or transmitted—regardless of location or technology. Think beyond the EHR to the full ecosystem.

• Data states: at rest (databases, files, backups), in use (applications, analytics), and in transit (email, APIs, SFTP, VPNs); apply transmission security for all external and internal transfers.
• Assets and endpoints: servers, virtual machines, containers, workstations, mobile devices, medical devices, and removable media.
• Cloud and vendors: IaaS/PaaS/SaaS, colocation, MSPs, and any business associate that handles ePHI.
• Work patterns: remote work, bring-your-own-device, and shared workstations or kiosks.
• Data flows: integrate ePHI mapping into your risk analysis scope to capture APIs, interfaces, batch jobs, and ad hoc exports.
• Lifecycle: creation and ingestion, daily operations, archival and retrieval, and secure disposal per data retention requirements.

Documentation Requirements for ePHI

HIPAA expects written, consistently maintained compliance documentation that proves how you protect ePHI and that you follow what you wrote. Keep documents current, approved, and readily retrievable.

• Policies and procedures: administrative safeguards, physical safeguards, and technical safeguards; access control; transmission security; incident response; contingency and disaster recovery.
• System inventory and data classification: where ePHI resides, its sensitivity, owners, and approved uses.
• Risk analysis and risk management plan: methods, results, prioritized remediation, and due dates covering the full risk analysis scope.
• Workforce program: training content, completion records, role-based access, sanction policy enforcement, and periodic refresh cycles.
• Vendor management: business associate agreements, security due diligence, onboarding, monitoring, and offboarding artifacts.
• Access governance: authorization forms, role definitions, approval logs, periodic reviews, and revocation records.
• Auditability: logging standards, retention schedules, review procedures, and investigation records.
• Technical baselines: encryption standards, key management, endpoint hardening, secure configurations, and change management evidence.
• Contingency planning: backup schedules, restoration tests, failover runbooks, and test results.
• Data retention requirements: documented retention periods for policies, logs, BAAs, training, and other artifacts, plus verified disposal procedures.

Retention period: keep HIPAA-required documentation for at least six years from the date of creation or the date last in effect, whichever is later. Some contracts or state laws may require longer retention—reflect this in your retention schedule.

Risk Analysis for ePHI

A defensible risk analysis is the engine of your HIPAA Security Rule program. It must be systematic, repeatable, and comprehensive.

1. Define the risk analysis scope: systems, applications, data stores, APIs, vendors, and data flows that touch ePHI.
2. Inventory assets and map ePHI: identify repositories, integrations, and transmissions, including backups and temporary locations.
3. Identify threats and vulnerabilities: human error, phishing, lost devices, misconfigurations, unpatched software, ransomware, and third-party failures.
4. Assess existing controls: administrative safeguards, physical safeguards, and technical safeguards currently in place.
5. Evaluate likelihood and impact: rate risks consistently; translate to a prioritized remediation plan with owners and timelines.
6. Implement and track mitigation: apply controls, verify effectiveness, and update residual risk ratings.
7. Document and review: maintain clear compliance documentation; re-run analysis upon significant changes, incidents, or on a defined cadence.

Security Safeguards for ePHI

Safeguards work best as a coordinated set of administrative, physical, and technical measures aligned to your risk posture and operations.

Administrative safeguards

• Governance: designate a security official, define roles, and formalize policies and procedures.
• Access management: least privilege, role-based access control, approval workflows, and regular access reviews.
• Training and awareness: onboarding, annual refreshers, and targeted modules for high-risk roles.
• Risk management: track remediation, exceptions, and acceptance decisions with documented rationale.
• Vendor oversight: business associate agreements (BAAs), security due diligence, and continuous monitoring of business associates.
• Contingency planning: tested backups, disaster recovery, and emergency operations procedures.

Physical safeguards

• Facility access controls: badges, visitor management, surveillance, and environmental protections.
• Workstation security: secure placement, automatic logoff, privacy screens, and clean-desk practices.
• Device and media controls: inventory, encryption, chain-of-custody, secure reuse, and verified destruction.

Technical safeguards

• Access control: unique user IDs, multi-factor authentication, session timeouts, and just-in-time privileges.
• Audit controls: centralized logging, immutable storage, correlation, and alerting on anomalous activity.
• Integrity controls: hashing, digital signatures, and change detection for critical data and configurations.
• Person or entity authentication: strong authentication for users, services, and APIs.
• Transmission security: TLS for all data in motion, VPN or private connectivity for sensitive links, secure email or patient portals, and managed key exchanges.
• Encryption at rest: modern algorithms, robust key management, and backup encryption.
• Endpoint and application security: patching, EDR, secure configuration baselines, code reviews, and dependency checks.
• Data loss prevention: content inspection, egress controls, and tokenization or pseudonymization where feasible.

Exclusions from ePHI Coverage

Not everything you touch is ePHI. These categories fall outside ePHI, though other laws may still apply:

• De-identified data that cannot reasonably identify a person (e.g., data meeting HIPAA de-identification methods).
• Paper-only or oral PHI (still PHI under HIPAA, but not electronic).
• Employment records held by a covered entity in its role as an employer.
• Education records and certain student treatment records governed by FERPA.
• Consumer health information collected by apps or devices not offered by, or on behalf of, a covered entity or business associate.
• Aggregated operational metrics that contain no individual identifiers or linkable keys.

In short, define ePHI precisely, map where it resides and flows, maintain strong safeguards, and keep complete, verifiable records. Doing so makes HIPAA compliance repeatable and auditable while protecting patient trust.

FAQs.

What types of information qualify as ePHI under HIPAA?

Any electronically created, received, maintained, or transmitted health information that can identify an individual and relates to their health, care, or payment qualifies as ePHI. This includes identifiers (like name or member ID) combined with clinical or billing details across systems, messages, files, logs, and backups.

How should organizations document their ePHI policies?

Maintain written policies and procedures aligned to HIPAA’s administrative, physical, and technical safeguards. Use version control, approvals, and review cycles; map policies to controls; keep training records, access reviews, incident and audit logs, BAAs, and contingency test results. Store everything in centralized compliance documentation so you can demonstrate implementation on demand.

What are the key technical safeguards for protecting ePHI?

Strong access control with MFA and least privilege; encryption at rest and in motion; transmission security (TLS, VPN, secure email or portals); audit logging and monitoring; integrity protections; secure configurations and patching; endpoint protection; and data loss prevention with sound key management.

How long must ePHI compliance documentation be retained?

Retain HIPAA-required documentation for at least six years from creation or last effective date, whichever is later. If contracts or state rules specify longer data retention requirements, follow the longer period and reflect it in your retention schedule.