What Is ePHI? Checklist to Classify, Protect, and Document Patient Data

Definition of ePHI

Electronic protected health information (ePHI) is any individually identifiable health information created, received, maintained, or transmitted in electronic form by a covered entity or business associate. It relates to a person’s health status, care, or payment and includes identifiers that could reasonably link the data to that individual.

The HIPAA Privacy Rule defines what qualifies as protected health information (PHI), while the Security Rule sets requirements for safeguarding ePHI. If data has been de-identified using approved De-Identification Protocols, it is no longer PHI and falls outside HIPAA’s scope.

Quick classification checklist

• Does the data relate to an individual’s health, care, or payment?
• Is there a reasonable basis to identify the person (one or more identifiers present)?
• Is it created, received, maintained, or transmitted electronically?
• Is your organization a covered entity or business associate for the data flow?
• If you answered “yes” to all, treat the data as ePHI and document the classification.

De-Identification Protocols

To remove data from HIPAA scope, apply either the expert determination method or the Safe Harbor method that removes specified identifiers. Keep a record of the method used, tests performed, and any re-identification risk controls you maintain.

Examples of ePHI

Use these practical examples to recognize ePHI in your environment and prioritize protections accordingly.

• Electronic health record entries, problem lists, allergies, vitals, and clinical notes.
• Lab results, imaging files and DICOM headers, medication histories, and care plans.
• Claims, authorizations, eligibility inquiries, and revenue-cycle attachments.
• Patient portal messages, telehealth session recordings, intake forms, and e-prescriptions.
• Device and app data tied to a person, such as wearable metrics when linked to identity.
• System artifacts like audit logs, backups, and metadata that include patient identifiers.

What is not ePHI

• Data de-identified under approved De-Identification Protocols with documented residual risk analysis.
• Aggregated statistics that cannot be traced to an individual.
• Workforce employment records and education records regulated by other laws.
• Limited data sets are still PHI; treat them as ePHI when in electronic form.

HIPAA Compliance Requirements

To handle ePHI lawfully, you must align with the HIPAA Privacy Rule, the Security Rule, and the Breach Notification Rule. Together they govern permissible uses and disclosures, risk-based safeguards, and OCR Breach Notification duties after incidents involving unsecured ePHI.

Core obligations

• Perform an enterprise-wide risk analysis and implement risk management actions.
• Apply minimum necessary use and disclosure standards and maintain role-based Access Control Measures.
• Adopt written policies, procedures, and training for workforce members.
• Execute and manage business associate agreements (BAAs) with vendors touching ePHI.
• Implement Administrative, Physical, and Technical Safeguards proportionate to risk.
• Maintain documentation for at least six years and conduct regular evaluations.

Documentation to maintain

• Risk analysis reports, asset inventories, data flow maps, and Data Integrity Policies.
• Security and privacy policies, procedures, and sanction policies.
• Training records, access reviews, and audit logs.
• BAAs, vendor due diligence evidence, and incident/breach logs with decisions.

Administrative Safeguards

Security management process

• Identify threats and vulnerabilities, score risk, and track mitigation to closure.
• Define a sanction policy for violations and a process to handle security incidents.

Access Control Measures

• Use least privilege, role-based access, and documented approvals for elevated rights.
• Provision unique user IDs; require multi-factor authentication for sensitive functions.
• Conduct periodic access recertifications and remove access promptly upon role changes.

Workforce security and training

• Onboard with policy acknowledgment and targeted training by role.
• Reinforce phishing awareness, data handling, and incident reporting procedures.
• Define termination checklists to recover badges, devices, and credentials.

Contingency planning

• Maintain backup, disaster recovery, and emergency mode operations plans.
• Test restore procedures, document recovery time objectives, and review results.

Vendor and BAA management

• Assess vendors’ controls before onboarding; require BAAs when ePHI is in scope.
• Monitor vendor performance and security posture, including incident reporting terms.

Data Integrity Policies and change control

• Define how ePHI is created, updated, validated, and reconciled across systems.
• Use change management for code, configuration, and database updates affecting ePHI.

Physical Safeguards

Facility access controls

• Restrict data center and server room access; maintain visitor logs and access reviews.
• Use badge systems, alarms, cameras, and environmental protections.

Workstations and devices

• Apply screen locks, privacy filters, and secure workstation placement.
• Harden endpoints, disable boot-from-external-media, and secure network ports.

Device and media controls

• Keep inventories of servers, laptops, removable media, and mobile devices.
• Encrypt, track custody, and sanitize or destroy media before reuse or disposal.

Portable and remote use

• Enforce full-disk encryption and remote wipe on laptops and mobile devices.
• Set policies for home and travel use; prohibit local storage when feasible.

Technical Safeguards

Access Control Measures

• Enforce least privilege, just-in-time access, and privileged access management.
• Implement session timeouts, automatic logoff, and emergency access procedures.

Encryption Standards

• Use strong, modern encryption for data at rest (for example, AES-256) with managed keys.
• Rotate keys, separate duties, and restrict key access; avoid hard-coded secrets.

Transmission Security Controls

• Protect data in transit with TLS 1.2+ for web, secure email options, and VPNs for admin paths.
• Disable weak ciphers, enforce HSTS, and validate certificates and mutual authentication where appropriate.

Audit controls and monitoring

• Log authentication, access, query, and data change events across systems.
• Centralize logs, set alerts for anomalous activity, and review regularly.

Data Integrity Policies and validation

• Use checksums, hashing, and application validations to detect unauthorized changes.
• Maintain versioning, write-once backups, and reconciliations between systems.

Authentication and session security

• Adopt strong authentication (for example, MFA with phishing-resistant methods where possible).
• Protect sessions with secure cookies, short lifetimes, and refresh token hygiene.

Breach Notification Procedures

Determine whether an incident is a breach

A breach is an impermissible use or disclosure that compromises the security or privacy of unsecured ePHI. Conduct a four-factor risk assessment considering data sensitivity, who received it, whether it was actually viewed or acquired, and the extent of mitigation. If data was encrypted under appropriate Encryption Standards and keys were not compromised, the incident may not be a reportable breach.

Immediate response checklist

• Contain the incident, isolate affected systems, and preserve forensic evidence.
• Notify internal leadership and initiate your incident response plan.
• Document facts, decisions, and timelines from the first hour onward.

Whom to notify and when

• Notify affected individuals without unreasonable delay and no later than 60 days after discovery.
• Notify the U.S. Department of Health and Human Services via OCR Breach Notification within required timelines.
• If the breach affects 500 or more individuals in a state or jurisdiction, notify prominent media in that area.
• For fewer than 500 individuals, maintain a breach log and submit to OCR no later than 60 days after the end of the calendar year.
• Business associates must notify the covered entity as specified in the BAA, promptly and with sufficient detail to support downstream notices.

Required notice content

• What happened and when it was discovered.
• Types of information involved (for example, names, diagnoses, prescriptions).
• Steps individuals should take to protect themselves.
• What you are doing to investigate, mitigate harm, and prevent recurrence.
• Contact information for questions and assistance.

Post-incident improvement

• Close gaps, update policies, and retrain workforce members as needed.
• Enhance controls across Access Control Measures, Transmission Security Controls, and Data Integrity Policies.
• Record the full incident lifecycle and lessons learned for audits and continuous improvement.

Conclusion

Classifying data accurately, enforcing layered safeguards, and documenting every decision are the foundations of ePHI protection. Use the checklists here to operationalize HIPAA’s Privacy, Security, and Breach Notification requirements and reduce risk across your environment.

FAQs.

What constitutes electronic protected health information?

ePHI is PHI in electronic form that can be tied to an individual and relates to health, care, or payment. If identifiers are present and a covered entity or business associate creates, receives, maintains, or transmits it electronically, treat it as ePHI unless it has been de-identified using approved De-Identification Protocols.

How does HIPAA regulate ePHI security?

The HIPAA Privacy Rule governs permissible uses and disclosures, while the Security Rule requires risk-based Administrative, Physical, and Technical Safeguards. You must apply Access Control Measures, Encryption Standards, Transmission Security Controls, audit logging, and Data Integrity Policies, and you must document your program and training.

What are the key administrative safeguards for ePHI?

Perform and maintain a risk analysis, manage risks, define policies and sanctions, train the workforce, and manage vendors via BAAs. Enforce least privilege and access reviews, plan for contingencies, and document Data Integrity Policies and change control for all systems handling ePHI.

How should a breach of ePHI be reported?

After containment and a risk assessment, notify affected individuals without unreasonable delay and within 60 days of discovery. Report through OCR Breach Notification as required, notify media for large breaches, and log smaller breaches for annual submission. Business associates must inform the covered entity per the BAA with timely, actionable details.