What Is ePHI? A Practical Guide for Covered Entities and Business Associates
ePHI Definition
Core concept
Electronic Protected Health Information (ePHI) is individually identifiable health information that you create, receive, maintain, or transmit in electronic form. It links a person to their health status, care, or payment and includes any record held in EHRs, billing platforms, patient portals, mobile apps, or cloud storage.
Common examples of ePHI
- Names, addresses, phone numbers, email addresses, or IP/device identifiers when tied to health data.
- Medical record numbers, account/claim numbers, prescription details, lab results, images, and encounter notes.
- Insurance member IDs, scheduling data, telehealth recordings, and wearable-generated readings associated with a patient.
What ePHI is not
Data de-identified under HIPAA (safe harbor or expert determination) is not ePHI. A limited data set remains PHI and, if electronic, is still ePHI subject to applicable safeguards and agreements.
Covered Entities Overview
Who is a covered entity
Covered Entities include health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically in covered transactions. If you fall into one of these categories, you are directly responsible for protecting ePHI.
Your responsibilities for ePHI
- Implement the HIPAA Security Rule to preserve the confidentiality, integrity, and availability of ePHI.
- Apply minimum necessary access, role-based permissions, and workforce training with enforceable policies.
- Execute a Business Associate Agreement with each vendor that handles ePHI, including Cloud Service Providers.
Business Associates Roles
Who qualifies as a business associate
A Business Associate performs services for a Covered Entity that involve creating, receiving, maintaining, or transmitting ePHI. Examples include EHR vendors, billing firms, IT support, data destruction services, analytics providers, and telehealth or messaging platforms.
Cloud Service Providers and “no-view” services
Cloud Service Providers that store or process ePHI are Business Associates—even if the data is encrypted and the provider cannot see it. You must have a Business Associate Agreement with them and verify that their safeguards align with the HIPAA Security Rule.
Minimum necessary and data flows
Map how ePHI moves between you and your Business Associates. Limit access to the minimum necessary, log disclosures, and require subcontractors to meet the same protections through written flow-down obligations.
HIPAA Security Rule Requirements
Guiding objective
The HIPAA Security Rule requires safeguards to ensure the confidentiality, integrity, and availability of ePHI; protect against reasonably anticipated threats or impermissible uses/disclosures; and ensure workforce compliance.
Administrative safeguards
- Security management process: conduct a Risk Analysis and manage identified risks.
- Assign a security official; train workforce; apply sanctions for violations.
- Develop policies, procedures, and contingency plans (backup, disaster recovery, emergency mode operations).
- Vendor oversight: Business Associate management and due diligence.
Physical safeguards
- Facility access controls and visitor management.
- Workstation use and security standards, including remote work practices.
- Device and media controls: inventory, secure disposal, re-use sanitization, and encryption of portable media.
Technical safeguards
- Access controls: unique user IDs, strong authentication, and automatic logoff.
- Encryption and transmission security for data in transit and at rest where risk dictates.
- Audit controls: centralized logging, monitoring, and alerting.
- Integrity controls to prevent improper alteration or destruction of ePHI.
Required vs. addressable
“Addressable” specifications are not optional; you must implement them if reasonable and appropriate, or document a suitable alternative that achieves comparable risk reduction.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Risk Analysis Procedures
Step-by-step approach
- Scope the environment: inventory systems, APIs, data stores, mobile devices, and Cloud Service Providers that handle ePHI.
- Identify threats and vulnerabilities: technical misconfigurations, phishing, ransomware, insider misuse, third-party risks, and physical hazards.
- Evaluate likelihood and impact to rate risks (e.g., high/medium/low) and prioritize remediation.
Documenting and mitigating risks
- Maintain a living risk register with owners, due dates, and chosen controls.
- Apply compensating controls such as MFA, network segmentation, encryption, patching, backups, and incident response playbooks.
- Test controls through audits, tabletop exercises, and technical assessments.
Ongoing cadence
Review and update your Risk Analysis at least annually and whenever you adopt new technology, change vendors, suffer an incident, or significantly alter workflows.
Business Associate Agreements
Purpose and scope
A Business Associate Agreement (BAA) defines how a vendor may use and protect ePHI and sets enforceable obligations under HIPAA. Each Business Associate and its subcontractors that handle ePHI must be bound by a BAA.
Essential BAA elements
- Permitted and required uses/disclosures and the minimum necessary standard.
- Safeguards aligned to the HIPAA Security Rule, including encryption, access control, and logging.
- Breach reporting “without unreasonable delay,” with a defined maximum (no later than 60 days), and required incident details.
- Subcontractor flow-down, individual rights support (access and amendments), and accounting of disclosures.
- HHS access for compliance review, termination for material breach, and return or destruction of ePHI at contract end.
Due diligence and monitoring
Evaluate a vendor’s security program, independent reports (e.g., SOC 2), architecture, and incident history. Reassess periodically, especially for Cloud Service Providers and other high-impact Business Associates.
Breach Notification Rule
What counts as a breach
A breach is an impermissible acquisition, access, use, or disclosure of unsecured ePHI that compromises privacy or security. Conduct a documented four-factor assessment (data sensitivity, unauthorized recipient, whether it was actually viewed/acquired, and mitigation) to decide if notification is required.
Notification timelines and recipients
- Individuals: without unreasonable delay and no later than 60 calendar days after discovery.
- HHS: for 500+ affected in a state/jurisdiction, within 60 days of discovery; for fewer than 500, no later than 60 days after the end of the calendar year.
- Media: if 500+ individuals are affected in a state/jurisdiction.
- Business Associates notify the Covered Entity without unreasonable delay (BAAs often require a shorter internal deadline).
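The timelines above are easy to miss once an incident spans several jurisdictions, so here is a small deadline calculator that encodes them exactly as this page states them (60 calendar days from discovery for individuals; HHS and media driven by the 500+ per state/jurisdiction threshold; under 500, HHS by 60 days after the end of the calendar year). It is an added example, not code from the page or from Accountable, and it assumes affected counts are already grouped by state/jurisdiction and that the page's per-jurisdiction reading of the HHS threshold is the one you want to track; the incident figures in it are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

# Figures as stated on the page: 60 calendar days, 500+ individuals in a state/jurisdiction.
NOTICE_WINDOW_DAYS = 60
LARGE_BREACH_THRESHOLD = 500


@dataclass(frozen=True)
class BreachNotice:
    """Notification deadlines derived from the discovery date and affected counts."""
    individuals_by: date          # individual notice: no later than 60 days after discovery
    hhs_by: date                  # HHS notice deadline (depends on the 500+ threshold)
    large_breach: bool            # True when any jurisdiction has 500+ affected individuals
    media_by: Optional[date]      # media notice only for large breaches, else None


def end_of_calendar_year(d: date) -> date:
    """Last day of the calendar year in which a date falls."""
    return date(d.year, 12, 31)


def notification_deadlines(discovery: date,
                           affected_by_jurisdiction: Dict[str, int]) -> BreachNotice:
    """Compute individual, HHS and media deadlines for a breach discovered on `discovery`.

    `affected_by_jurisdiction` maps a state/jurisdiction code to the number of
    affected individuals there (assumption: counts are already de-duplicated).
    """
    if any(n < 0 for n in affected_by_jurisdiction.values()):
        raise ValueError("affected counts must be non-negative")

    individuals_by = discovery + timedelta(days=NOTICE_WINDOW_DAYS)

    # The page ties both the HHS and media rules to 500+ in one state/jurisdiction.
    largest_single = max(affected_by_jurisdiction.values(), default=0)
    large_breach = largest_single >= LARGE_BREACH_THRESHOLD

    if large_breach:
        hhs_by = individuals_by                         # within 60 days of discovery
        media_by: Optional[date] = individuals_by       # same outer limit for media notice
    else:
        # Fewer than 500: HHS no later than 60 days after the end of the calendar year.
        hhs_by = end_of_calendar_year(discovery) + timedelta(days=NOTICE_WINDOW_DAYS)
        media_by = None

    return BreachNotice(individuals_by=individuals_by, hhs_by=hhs_by,
                        large_breach=large_breach, media_by=media_by)


def days_remaining(deadline: date, today: date) -> int:
    """Days left before a deadline; negative means the deadline has already passed."""
    return (deadline - today).days


if __name__ == "__main__":
    # Constructed sample incident: discovered 2024-03-15, affecting two jurisdictions.
    notice = notification_deadlines(date(2024, 3, 15), {"CA": 700, "NV": 20})
    print("individuals by:", notice.individuals_by)
    print("HHS by:        ", notice.hhs_by)
    print("media required:", notice.large_breach, "by", notice.media_by)
    print("days left for individual notice as of 2024-04-01:",
          days_remaining(notice.individuals_by, date(2024, 4, 1)))
```

Note that the calculator tracks the outer limit only; "without unreasonable delay" means the real target is earlier, and a BAA will usually impose a shorter internal deadline for the Business Associate's report to the Covered Entity, which you would track as a separate, earlier date.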
Content of notifications
- A description of the incident and dates of breach and discovery.
- Types of ePHI involved (e.g., names, MRNs, Social Security numbers).
- Steps individuals should take to protect themselves.
- Actions taken to mitigate harm and prevent recurrence, plus contact information.
Safe harbor and encryption
If ePHI is properly encrypted or destroyed so it is unusable, unreadable, or indecipherable to unauthorized persons, the incident may not be a reportable breach. Strong encryption and disciplined key management materially reduce risk and notification exposure.
Key takeaways
ePHI protection hinges on a current Risk Analysis, pragmatic controls under the HIPAA Security Rule, and robust Business Associate Agreements. Plan ahead with tested incident response so you can meet the Breach Notification Rule’s timelines with clarity and confidence.
FAQs
What types of information are considered ePHI?
Any electronic record that links a person to health status, care, or payment—paired with one or more identifiers—counts as ePHI. Examples include medical record numbers, claims, lab results, images, prescriptions, device or IP identifiers tied to health data, and demographic details used in a clinical or billing context.
How do business associates handle ePHI compliantly?
They execute a Business Associate Agreement, perform a Risk Analysis, and implement administrative, physical, and technical safeguards such as access controls, encryption, audit logging, backups, and incident response. They also train staff, enforce minimum necessary use, manage subcontractors, and report incidents promptly.
What are the main HIPAA Security Rule requirements for ePHI?
You must ensure confidentiality, integrity, and availability of ePHI through administrative safeguards (risk management, training, policies), physical safeguards (facility, workstation, device controls), and technical safeguards (access control, encryption, audit and integrity controls, transmission security), with documented decisions on addressable items.
How is a breach of ePHI reported?
First, assess the incident using the four-factor test. If notification is required, inform affected individuals without unreasonable delay and within 60 days, notify HHS per thresholds, and notify media if 500+ individuals in a state are affected. Business Associates notify the Covered Entity promptly with all known details.