What Counts as ePHI? Definition, Scope, and Safeguards for Organizations


Kevin Henry

HIPAA

April 22, 2024

8 minutes read

ePHI Definition and Identifiers

Electronic protected health information (ePHI) is individually identifiable health information that a Covered Entity or Business Associate creates, receives, maintains, or transmits in electronic form. It relates to an individual’s past, present, or future physical or mental health or condition, the provision of care, or payment for care, and it either identifies the person or could reasonably be used to identify them. The HIPAA Privacy Rule establishes what qualifies as PHI, while the HIPAA Security Rule sets protections for ePHI.

Electronic media include EHR systems, databases, imaging archives, email, secure messaging, mobile devices, wearables that sync to clinical systems, cloud storage, backups, and network transmissions such as APIs and telehealth sessions. If the content is PHI and it is in electronic form, it is ePHI.

HIPAA’s 18 identifiers make health information “individually identifiable.” If any of these are present (alone or in combination), the electronic information is ePHI:

  • Names
  • Geographic subdivisions smaller than a state (e.g., street address, city, ZIP code)
  • All elements of dates (except year) related to an individual (e.g., birth, admission, discharge, death) and ages over 89
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers (including license plates)
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Biometric identifiers (e.g., fingerprints, voiceprints)
  • Full-face photos and comparable images
  • Any other unique identifying characteristic or code

Scope of ePHI in Healthcare

ePHI spans the full life cycle of care and operations: registration and scheduling, clinical documentation, e-prescribing, imaging, laboratory systems, patient portals, telehealth platforms, billing, utilization management, and revenue cycle workflows. It also includes less obvious places such as error logs, audit trails, metadata, data science workspaces, help-desk tickets, voicemail or call recordings, and email threads that discuss a patient.

Coverage follows the role of the organization. Covered Entities include health plans, most health care providers that conduct standard electronic transactions, and health care clearinghouses. Business Associates are vendors that create, receive, maintain, or transmit ePHI on behalf of Covered Entities—such as cloud providers, EHR vendors, billing companies, and analytics firms. If a vendor handles ePHI, a Business Associate Agreement is required.

Some information that may appear health-related is not ePHI. Employment records held by a provider in its role as an employer, education records protected by FERPA, and properly de-identified data are outside HIPAA’s PHI scope. Consumer health data handled solely by non-covered apps may fall outside HIPAA but could be regulated by other laws; once that data is shared with a Covered Entity or Business Associate and becomes part of care, it can become ePHI.

De-identified Information and ePHI Distinction

De-identified information is not ePHI. HIPAA permits two de-identification methods. Under the “Safe Harbor” method, you must remove all 18 identifiers and have no actual knowledge that remaining information could identify an individual. Under the “Expert Determination” method, a qualified expert documents that the risk of re-identification is very small and describes methods used to reach that conclusion.

Pseudonymized data is not necessarily de-identified; if a code can re-link the data to an individual and the key exists, the dataset is still PHI. A Limited Data Set, which excludes direct identifiers but may include dates and some geography, remains PHI and requires a Data Use Agreement. Always validate that downstream analytics, testing, and AI development environments receive data that matches the intended identifiability level.
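As an added illustration (not part of the original article), the following Python sketch applies the Safe Harbor rules described above to a constructed patient record: direct identifiers are dropped, dates are reduced to year, ages over 89 are collapsed, and free-text fields are checked for identifiers that commonly leak into notes. The field names and sample values are assumptions for this example, and the "no actual knowledge" condition still requires human review that no code can replace. The `re_link` function shows why a coded dataset remains PHI while its key exists.

```python
import re
from datetime import date

# The 18 Safe Harbor identifiers mapped onto an assumed record layout.
# These field names are constructed for the example, not a standard schema.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "zip_code", "phone", "fax", "email",
    "ssn", "mrn", "beneficiary_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric_id",
    "face_photo",
}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Patterns for identifiers that commonly leak into free-text fields.
TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

def find_identifiers_in_text(text: str) -> list[str]:
    """Names of identifier patterns found in a free-text field."""
    return [name for name, pat in TEXT_PATTERNS.items() if pat.search(text)]

def safe_harbor(record: dict) -> dict:
    """Copy of `record` with the 18 identifiers removed: direct identifiers
    dropped, dates reduced to year, ages over 89 collapsed to "90+", and
    free text that matches an identifier pattern redacted for review."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue
        if field in DATE_FIELDS and isinstance(value, date):
            out[field.replace("_date", "_year")] = value.year
        elif field == "age" and isinstance(value, int) and value > 89:
            out[field] = "90+"
        elif isinstance(value, str) and find_identifiers_in_text(value):
            out[field] = "[REDACTED: free text contains identifiers]"
        else:
            out[field] = value
    return out

def re_link(coded: dict, key_table: dict) -> dict:
    """A pseudonymized record plus its key table is still PHI: the key
    re-attaches the identifiers, so the key must never travel with the data."""
    return {**coded, **key_table[coded["patient_code"]]}

# Constructed sample record with fictional values.
SAMPLE = {
    "mrn": "MRN-000123", "name": "Pat Example", "zip_code": "02139",
    "birth_date": date(1931, 5, 14), "admission_date": date(2024, 2, 3),
    "age": 92, "diagnosis": "J18.9",
    "notes": "Call back at 617-555-0142 about follow-up.",
}
```

Running `safe_harbor(SAMPLE)` leaves only the diagnosis, the birth and admission years, the "90+" age bucket, and a redaction marker for the note that carried a phone number.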

HIPAA Security Rule Requirements

The HIPAA Security Rule requires you to ensure the confidentiality, integrity, and availability of ePHI. It is risk-based and technology-neutral, organized into administrative, physical, and technical safeguards. Some specifications are “required” and others are “addressable.” Addressable does not mean optional; you must implement the control if reasonable and appropriate, or document an equivalent alternative based on your risk analysis.

Core obligations include conducting risk assessments, implementing measures to reduce risks to a reasonable and appropriate level, managing Business Associates through contracts, training your workforce, documenting policies and procedures, and evaluating your program periodically. Transmission Security is an explicit technical standard, requiring mechanisms to protect ePHI in transit against unauthorized access or alteration.


Administrative Safeguards for ePHI Protection

Administrative safeguards translate policy into practice and accountability. Focus on the following implementation standards and their specifications:

  • Security management process: perform and document risk assessments; implement risk management plans; review system activity (logs, audit trails); apply sanctions for policy violations.
  • Assigned security responsibility: designate a security official with authority to drive the program.
  • Workforce security and information access management: authorize, establish, and terminate access; apply the minimum necessary standard in coordination with the HIPAA Privacy Rule.
  • Security awareness and training: security reminders, phishing and social engineering training, protection against malicious software, login monitoring, and secure password practices.
  • Security incident procedures: detect, respond, mitigate, and document incidents; feed lessons learned back into your controls.
  • Contingency planning: data backup plans, disaster recovery, and emergency mode operations; test and revise; identify critical applications to prioritize restoration.
  • Evaluation: conduct periodic technical and nontechnical evaluations to keep safeguards aligned with risks and changes.
  • Business Associate management: execute, monitor, and enforce Business Associate Agreements; confirm downstream subcontractors protect ePHI.
  • Documentation: maintain, update, and retain security policies, procedures, and evidence (often six years or more, per policy) to demonstrate compliance.

Physical Safeguards in Healthcare Settings

Physical safeguards protect facilities, devices, and workspaces where ePHI resides. They are essential in clinics, hospitals, data centers, and remote or hybrid work environments.

  • Facility access controls: authorize and log physical access; maintain visitor procedures; support emergency access during outages.
  • Workstation use and security: define acceptable use; position screens to reduce shoulder-surfing; enable automatic screen locks; secure remote workstations.
  • Device and media controls: inventory hardware; track movement of devices; securely dispose of or re-use media (wiping, degaussing, shredding); enable remote wipe for lost or stolen mobile devices.
  • Environmental and utility protections: maintain locks, cameras, and intrusion detection; protect against water, fire, and power disruptions; keep maintenance records.

Technical Safeguards and Encryption Standards

Technical safeguards manage access, monitor activity, and protect ePHI in systems and networks. Access control should provide unique user IDs, role- and attribute-based access, strong authentication (preferably multi-factor), emergency access procedures, and automatic logoff. Apply least privilege consistently across applications, databases, APIs, and admin consoles.

Encryption is an addressable specification but is expected whenever reasonable and appropriate. Use NIST Encryption Standards, such as FIPS 140-3 validated cryptographic modules and NIST-approved algorithms (e.g., AES for data at rest and TLS for data in transit). Protect keys with sound key management practices, including rotation, segregation of duties, and hardware-backed storage when feasible.

Audit controls and integrity protections are critical. Centralize logging, time-synchronize systems, and monitor for anomalies. Validate data integrity with checksums or digital signatures where warranted. Implement person or entity authentication to verify users and service accounts, and document how identities are proofed and lifecycle-managed.

Transmission Security requires protecting ePHI as it moves across networks. Use TLS 1.2 or higher for web and API traffic, secure email (e.g., enforced TLS or message-level encryption), VPNs for remote access, and secure messaging platforms that provide end-to-end encryption and robust identity assurance. For APIs, rely on modern authorization patterns (such as OAuth 2.0 and OpenID Connect), server-side token validation, and certificate management.

Harden the broader ecosystem: patch systems promptly, segment networks, scan for vulnerabilities, back up data with encryption and periodic restoration tests, and review third-party risk. Apply mobile and endpoint protections, including disk encryption, application allowlisting, and mobile device management. These measures, combined with policy and training, demonstrate a comprehensive HIPAA Security Rule program.

In short, identify what counts as ePHI, minimize its exposure, and apply layered administrative, physical, and technical safeguards—anchored in ongoing risk assessments—to maintain confidentiality, integrity, and availability while supporting care delivery.

FAQs

What information qualifies as ePHI?

ePHI is any electronically stored or transmitted PHI that a Covered Entity or Business Associate creates, receives, maintains, or transmits. It links health-related content to a person through one or more of HIPAA’s 18 identifiers, such as name, medical record number, dates of service, or device identifiers.

How does de-identified information differ from ePHI?

De-identified data is not ePHI because it no longer identifies an individual. You can achieve this by removing all 18 HIPAA identifiers under the Safe Harbor method with no actual knowledge of re-identification risk, or by obtaining an Expert Determination that the re-identification risk is very small. Pseudonymized or Limited Data Set information can still be PHI if a code or remaining fields can re-link it to a person.

What safeguards are required by HIPAA for ePHI protection?

HIPAA’s Security Rule requires administrative, physical, and technical safeguards. Practically, this means documented risk assessments and risk management, workforce training, access controls with unique IDs and MFA, audit logging and monitoring, integrity protections, contingency planning and backups, and Transmission Security using encryption based on NIST Encryption Standards where reasonable and appropriate.

What are the consequences of an ePHI breach?

Consequences can include patient harm and loss of trust, regulatory investigations, breach notification and remediation costs, contractual exposure with Business Associates, and significant civil penalties. You may face corrective action plans, audits, and long-term monitoring. Strong preventative controls and an exercised incident response plan reduce both likelihood and impact.
