What Does "Electronically Protected" Mean? Definition, HIPAA, and Examples

Definition of ePHI

Electronically protected health information (ePHI) is Individually Identifiable Health Information that is created, received, maintained, or transmitted in electronic form by a HIPAA covered entity or business associate. If data can identify a person and relates to health status, care, or payment—and it exists on electronic media—it is ePHI.

Under HIPAA’s Security Rule, the duty is to protect the Confidentiality, Integrity, and Availability of ePHI. That obligation applies whether you store data on your own systems, use cloud services, or transmit information over networks you don’t control.

Electronic media defined

• Computer hard drives, solid-state drives, and removable media (USB, SD cards).
• Mobile devices and tablets used to access or store patient information.
• Network equipment, servers, virtual machines, and Cloud storage repositories.
• Transmission media such as the internet, private networks, Wi‑Fi, and VoIP when ePHI is sent across them.

What is not ePHI

• De-identified data that cannot reasonably identify an individual.
• Employment records a covered entity maintains in its role as an employer.
• Education records covered by FERPA.
• Paper-only records and analog phone conversations that are never stored electronically (still PHI, but not ePHI for Security Rule purposes).

Examples of ePHI

You interact with ePHI whenever identifiable patient data appears in an electronic context. The following common scenarios illustrate what qualifies.

• Clinical data: EHR entries, problem lists, allergies, medication histories, progress notes, lab results, and imaging files (DICOM, JPEG).
• Administrative and financial: Claims files, billing statements, eligibility checks, remittance advice, and prior authorization records.
• Communications: Patient portal messages, telehealth chat logs, voicemail transcriptions, secure emails with attachments, and eFax images.
• Devices and logs: Wearable and IoT health device readings linked to an identity, device identifiers, IP addresses, and audit logs tied to a medical record.
• Backups and derivatives: Encrypted database backups, replicated storage snapshots, exports for reporting, and temporary caches that hold PHI.

HIPAA Security Rule Requirements

HIPAA organizes security expectations around Administrative Safeguards, Physical Safeguards, and Technical Safeguards. Your program should be risk-based, documented, and continuously improved to sustain Confidentiality, Integrity, and Availability.

Administrative Safeguards

• Perform a documented risk analysis and implement risk management plans.
• Assign security responsibility and define policies, procedures, and sanctions.
• Train the workforce on acceptable use, phishing, and incident reporting.
• Implement information access management and least-privilege authorization.
• Formalize business associate agreements that address ePHI handling.
• Plan for contingencies: data backup, disaster recovery, and emergency mode operations.
• Conduct periodic evaluations and audits of your security program.

Physical Safeguards

• Control facility access and secure server rooms and network closets.
• Protect workstations from unauthorized viewing and use.
• Manage device and media controls: inventory, movement tracking, reuse, and disposal.
• Apply secure disposal for Electronic Media Storage (shredding, degaussing, cryptographic erasure).

Technical Safeguards

• Access control: unique user IDs, role-based access, emergency access procedures, and automatic logoff.
• Audit controls: log authentication, access, changes, and transmissions; review logs routinely.
• Integrity: prevent improper alteration with hashing, digital signatures, and write-once archives.
• Authentication: verify users and entities with strong passwords and multi-factor authentication.
• Transmission security: encrypt data in transit (e.g., TLS), use message integrity checks, and segment networks.

Confidentiality, Integrity, Availability (CIA)

• Confidentiality: only authorized people or systems can view ePHI.
• Integrity: ePHI is accurate, complete, and protected from improper modification.
• Availability: ePHI is accessible and usable on demand through resilient systems.

Storage Media for ePHI

ePHI can reside across diverse Electronic Media Storage types. You need consistent protections wherever data lives, including endpoints, data centers, and cloud platforms.

• On-premises servers, SAN/NAS, and virtual machines hosting databases or file shares.
• Desktops, laptops, tablets, and smartphones used for clinical or billing tasks.
• Removable media: USB drives, SD cards, external hard drives, CDs/DVDs, and backup tapes.
• Cloud storage and SaaS applications, including EHRs and analytics workspaces.
• Email servers, message archives, and log repositories that contain ePHI derivatives.

Practical controls for electronic media storage

• Encrypt data at rest and manage keys securely (separation of duties, rotation, escrow).
• Apply least privilege, role-based access, and regular entitlement reviews.
• Use endpoint management (MDM/EMM), full-disk encryption, and remote wipe for mobiles.
• Monitor systems with centralized logging, alerting, and anomaly detection.
• Back up routinely, store copies offsite, and test restores to ensure Availability.
• Dispose of media securely with certified destruction or cryptographic erase.

Lifecycle considerations

• Procurement: vet vendors and document security controls for devices and cloud.
• Use and transfer: maintain chain-of-custody and encrypt data in motion and at rest.
• Reuse and disposal: sanitize, verify, and record the outcome before redeployment or destruction.

Transmission Methods for ePHI

When you transmit ePHI, choose channels that preserve Confidentiality and Integrity while keeping the data Available to authorized recipients. Your selections should follow a documented, risk-based approach.

Preferred channels

• Patient portals and secure messaging platforms with authenticated access.
• HTTPS/TLS web applications and APIs (including FHIR) with strong authentication.
• SFTP or secure file transfer gateways with encryption and auditing.
• VPNs for remote access and site-to-site connections.
• End-to-end encrypted email or secure email gateways with enforced TLS.

Conditionally acceptable with safeguards

• Standard email with enforced TLS and additional encryption for sensitive attachments; verify recipient identity.
• eFax services that store images electronically (treat as ePHI, secure at rest and in transit).
• Texting via approved, managed apps; avoid unsecured SMS for routine ePHI.
• VoIP calls recorded or transcribed into systems (those recordings are ePHI and must be secured).

Availability and integrity measures

• Use message integrity checks, replay protection, and signing where appropriate.
• Design for resilience with redundancy, failover, queuing, and bandwidth management.
• Log transmissions, monitor for anomalies, and document incident response procedures.

Conclusion

“Electronically protected” refers to PHI in digital form, and HIPAA’s Security Rule expects you to safeguard its Confidentiality, Integrity, and Availability through Administrative, Physical, and Technical Safeguards. If you know what qualifies as ePHI, where it’s stored, and how it moves, you can implement practical controls that measurably reduce risk.

FAQs.

What information qualifies as electronically protected under HIPAA?

Any Individually Identifiable Health Information in electronic form—created, received, maintained, or transmitted by a covered entity or business associate—qualifies as ePHI. It includes data about health conditions, care delivered, or payment, when it can identify a person directly or indirectly.

How does HIPAA ensure the security of electronically protected health information?

HIPAA’s Security Rule requires risk-based Administrative Safeguards, Physical Safeguards, and Technical Safeguards that protect the Confidentiality, Integrity, and Availability of ePHI. You must document policies, train staff, manage access, encrypt as appropriate, monitor activity, and plan for incidents and recovery.

What are common examples of electronically protected health information?

Typical examples include EHR records, lab and imaging results, digital prescriptions, billing and claims files, patient portal messages, telehealth chat logs, device readings from wearables tied to a patient, eFax images, and backups that contain identifiable clinical or billing data.