What Is Not Considered Electronic PHI (ePHI)? Examples and Guidance
Kevin Henry

HIPAA

April 20, 2024


Definition of Electronic PHI

Electronic PHI (ePHI) is protected health information that is created, received, maintained, or transmitted in electronic form. The core test has two parts: whether the data is individually identifiable health information (IIHI), that is, health-related and tied to a specific person, and whether it resides in or moves through electronic media.

Electronic media include storage (servers, hard drives, SSDs, mobile devices, cloud repositories) and electronic media transmission (internet, VPNs, leased lines, secure messaging, email, texts, patient portals). If PHI touches these media, it is ePHI and falls under HIPAA Security Rule requirements as part of HIPAA compliance.

Certain transmissions are not considered electronic media for HIPAA purposes: a paper-to-paper fax and a live, unrecorded telephone conversation. However, if you scan a document to PDF, use eFax that stores images, record voicemail, or capture a screen/photo of a chart, you have created ePHI.

Examples of Non-Electronic PHI

These items are PHI but not ePHI because they are not electronic. They remain subject to the HIPAA Privacy Rule and Breach Notification Rule, but not the Security Rule’s technical safeguard requirements.

  • Paper medical charts, printed lab reports, and consent forms stored in file cabinets.
  • Radiology film and analog photographs that are never digitized.
  • Whiteboards or bedside door cards showing patient names or procedures.
  • Face-to-face conversations between clinicians and patients.
  • Voice-only phone calls that are not recorded and leave no electronic trace.
  • Paper-to-paper fax transmissions where neither side stores a digital copy.

The moment you digitize any of the above—scan, photograph, record, or type into a system—it becomes ePHI and must be protected accordingly.

De-Identified Health Information

De-identified data is not PHI and therefore is not ePHI, even when stored or transmitted electronically. Under HIPAA’s de-identification standards, you can remove identifiers using either expert determination or the safe harbor method that removes specified direct identifiers.

Examples of data that are typically de-identified include aggregate outcome dashboards that show no patient-level granularity, counts by service line with sufficient cell sizes, and datasets where direct identifiers (for example, names, full addresses, phone numbers, Social Security numbers, medical record numbers) are removed and remaining risk is very small. Under safe harbor, additional rules apply, such as grouping ages 90 and above together and limiting ZIP codes to 3 digits when population thresholds are met.

Remember: a limited data set is still PHI (and can be ePHI) because it may include dates and some location data under a data use agreement. Only fully de-identified data falls outside HIPAA. If you plan to re-link or re-identify, treat the data as PHI and segment it appropriately.
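
The safe harbor rules above (drop the listed direct identifiers, keep only the year of dates, aggregate ages over 89, and keep at most the first three ZIP digits when the area's population is large enough) can be expressed as a small transformation. The block below is an added example written for this article, not code from the article's author or from Accountable. The record, its field names and the 3-digit ZIP population table are all constructed; the 20,000-person threshold is the one the safe harbor standard uses, and a real pipeline would load it from Census data rather than a hard-coded dictionary.

```python
from datetime import date

# Field names in the constructed sample record that hold direct identifiers the
# safe harbor method removes outright (names, contact details, SSN, MRN, account
# and device numbers, IP addresses, and similar). These names are this example's
# own schema, not a canonical one.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "phone", "email", "ssn", "mrn",
    "account_number", "device_serial", "ip_address",
}

# Assumption: population of the area covered by each 3-digit ZIP prefix. These
# figures are constructed for the example. Safe harbor keeps the prefix only when
# that area has more than 20,000 people and otherwise replaces it with "000".
ZIP3_POPULATION_SAMPLE = {"021": 1_500_000, "036": 12_000}
ZIP3_MIN_POPULATION = 20_000
AGE_CAP = 89  # ages over 89 collapse into a single "90+" bucket

# Constructed sample record; not a real person.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "street_address": "12 Example Lane",
    "city": "Boston",
    "state": "MA",
    "zip": "02118",
    "dob": date(1931, 6, 15),
    "admission_date": date(2024, 3, 2),
    "ssn": "000-00-0000",
    "mrn": "MRN000123",
    "diagnosis_code": "E11.9",
    "device_serial": "SN-EXAMPLE-1",
}
SAMPLE_AS_OF = date(2024, 4, 20)  # reference date used to compute age


def generalize_zip(zip_code, zip3_population):
    """Return the 3-digit ZIP prefix, or "000" if its area is too small."""
    prefix = str(zip_code).strip()[:3]
    if zip3_population.get(prefix, 0) > ZIP3_MIN_POPULATION:
        return prefix
    return "000"


def age_on(dob, as_of):
    """Whole years between a date of birth and a reference date."""
    had_birthday = (as_of.month, as_of.day) >= (dob.month, dob.day)
    return as_of.year - dob.year - (0 if had_birthday else 1)


def safe_harbor(record, zip3_population=ZIP3_POPULATION_SAMPLE, as_of=None):
    """Apply the safe harbor transformations to one record and return a new dict."""
    as_of = as_of or date.today()
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue  # direct identifier: dropped entirely
        if field == "zip":
            out["zip3"] = generalize_zip(value, zip3_population)
        elif field == "dob":
            age = age_on(value, as_of)
            if age > AGE_CAP:
                out["age"] = "90+"  # birth year is dropped too; it would reveal the age
            else:
                out["age"] = age
                out["birth_year"] = value.year
        elif isinstance(value, date):
            # Any other date: keep only the year (e.g. admission_date -> admission_year)
            out[field.removesuffix("_date") + "_year"] = value.year
        else:
            out[field] = value  # state-level geography, codes, etc. stay as-is
    return out


if __name__ == "__main__":
    print(safe_harbor(SAMPLE_RECORD, as_of=SAMPLE_AS_OF))
```

Running it on the sample yields a record that keeps only the state, the 3-digit ZIP, an age bucket, the admission year and the diagnosis code. Two points the code cannot check for you: safe harbor also requires that you have no actual knowledge the remaining data could identify the individual, and the output is only de-identified if you do not keep a key that lets you re-link it, which is exactly the case the paragraph above tells you to treat as PHI.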

Employment and Educational Records

Covered entity employment records are not PHI, even if they contain health details. Examples include FMLA paperwork, disability accommodations, vaccination tracking for staff, drug screening results, and workers’ compensation files maintained by HR or occupational health in the employer role. If an employee is also a patient, their clinical record is PHI/ePHI in the provider role, but the employer’s HR file is not.

FERPA educational records—student education records maintained by schools—are not PHI and therefore not ePHI. School nurse records and student health clinic files maintained as part of the education record fall under FERPA, not HIPAA. By contrast, treatment records held by a health care component that is not part of an educational record may be HIPAA-regulated.

Professional Staff Information

Information about your workforce that does not identify a patient is not PHI. Examples include provider directories with business contact details, staff schedules, credentialing files, quality or productivity dashboards that contain no patient-level identifiers, and training records. These datasets may still be sensitive, but they are not IIHI and therefore not PHI or ePHI.

Be careful with mixed-use files. For instance, a quality report that embeds patient MRNs or dates of service becomes PHI/ePHI. Use data segmentation to keep patient identifiers out of operational reports when they are not necessary.

Compliance and Regulatory Considerations

HIPAA compliance spans multiple rules. The HIPAA Privacy Rule and Breach Notification Rule apply to PHI in any form, while the HIPAA Security Rule applies only to ePHI. That means a breach of paper PHI can still be a reportable HIPAA breach, even though Security Rule controls (like encryption) do not apply to the paper itself.

Key boundary lines to apply consistently:

  • Electronic media transmission (email, secure messaging, EDI claims, texts, portals, cloud sync) turns PHI into ePHI.
  • Paper-to-paper fax and live, unrecorded voice calls do not create ePHI.
  • De-identified datasets are outside HIPAA; limited data sets are still PHI.
  • Covered entity employment records and FERPA educational records are not PHI/ePHI.

Use data segmentation to separate ePHI from non-ePHI and from non-PHI. Segment systems, storage locations, and access permissions so that staff only see the minimum necessary for their role and so that non-ePHI repositories are not inadvertently populated with patient identifiers.

Handling Non-ePHI Data

Even though non-ePHI falls outside the Security Rule, you should manage it deliberately to prevent accidental conversion to ePHI and to meet other obligations (for example, labor laws or FERPA). Treat it as part of your overall information governance program.

  • Inventory and classify. Label repositories as PHI/ePHI, non-ePHI PHI (paper/oral), non-PHI sensitive, or public.
  • Prevent accidental digitization. Avoid photographing whiteboards, scanning paper charts, or using eFax for paper-only workflows unless you intend to handle the result as ePHI.
  • Apply appropriate safeguards. Lock file rooms, control keys, supervise shredding, and restrict copy/print of PHI. For electronic systems that contain only non-PHI, still apply role-based access and audit trails as good practice.
  • Use data segmentation. Keep operational reports, staff files, and education records in separate systems and folders from ePHI, with distinct access policies and retention rules.
  • Manage vendors. Confirm whether a tool will store or transmit PHI; if so, treat outputs as ePHI and execute appropriate agreements before use.
  • Train and monitor. Teach staff the ePHI boundary (paper vs. electronic, de-identified vs. limited data set) and audit for drift.
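
The "audit for drift" step, and the mixed-use file warning earlier (a productivity report that embeds patient MRNs or dates of service becomes ePHI), can be backed by a simple scan of exports from systems that are supposed to hold only non-PHI. The block below is an added example written for this article, not code from the article's author or from Accountable. The report rows are constructed, and the MRN pattern is an assumption, since each organization has its own numbering scheme; the allowance for the provider_email column reflects the article's point that workforce business contact details are not PHI.

```python
import re

# Regexes for identifier classes whose presence suggests patient-level data has
# leaked into an operational report. The MRN shape is an assumption; adapt it
# to your own numbering scheme.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[-: ]?\d{6,10}\b", re.IGNORECASE),
    "date": re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{4})\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}

# Columns where workforce contact details are expected. Provider directory data
# is not PHI, so the listed identifier classes are not flagged in these columns.
WORKFORCE_COLUMN_ALLOWANCES = {
    "provider_email": {"email"},
}

# Constructed sample rows from a hypothetical productivity dashboard export.
SAMPLE_REPORT = [
    {"provider": "Dr. A. Lee", "provider_email": "alee@example-clinic.test",
     "encounters": "42", "notes": "Quarter 1 volume within target"},
    {"provider": "Dr. B. Ortiz", "provider_email": "bortiz@example-clinic.test",
     "encounters": "37", "notes": "Follow-up for MRN 00482913 on 2024-03-02"},
    {"provider": "Dr. C. Nair", "provider_email": "cnair@example-clinic.test",
     "encounters": "51", "notes": "Patient contact 555-01-2345 rescheduled"},
]


def scan_row(row):
    """Return a list of (column, identifier_kind) findings for one row."""
    findings = []
    for column, value in row.items():
        allowed = WORKFORCE_COLUMN_ALLOWANCES.get(column, set())
        for kind, pattern in IDENTIFIER_PATTERNS.items():
            if kind in allowed:
                continue  # expected workforce data in this column
            if pattern.search(str(value)):
                findings.append((column, kind))
    return findings


def scan_report(rows):
    """Map row index -> findings for every row that carries patient identifiers."""
    report = {}
    for index, row in enumerate(rows):
        findings = scan_row(row)
        if findings:
            report[index] = findings
    return report


if __name__ == "__main__":
    for index, findings in scan_report(SAMPLE_REPORT).items():
        print(f"row {index}: {findings}")
```

On the sample, rows 1 and 2 are flagged (an MRN plus a date of service, and an SSN-shaped value in free text) while row 0 is clean. A hit means the repository has drifted from "non-PHI" to "ePHI" and needs either the identifiers stripped or the Security Rule controls applied; a clean scan is not proof of absence, since free-text fields can carry identifiers these patterns do not cover.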

Bottom line: ePHI is about form and identifiability. If information is electronic and includes individually identifiable health information, it is ePHI. If it is paper-only, de-identified, an employment record of a covered entity, or a FERPA educational record, it is not ePHI—though it may still be regulated and must be handled with care.

FAQs

What types of information are excluded from ePHI protections?

Excluded categories include PHI that exists only in non-electronic form (paper records, unrecorded conversations, paper-to-paper faxes), fully de-identified datasets, covered entity employment records kept in the employer role, and FERPA educational records. These may still be regulated, but they are not ePHI and therefore are not subject to the HIPAA Security Rule.

How is de-identified data treated under HIPAA?

Once data meets HIPAA de-identification standards—via safe harbor removal of specified identifiers or expert determination that re-identification risk is very small—it is no longer PHI and is not ePHI, even when stored or transmitted electronically. If re-identification is possible or intended, treat the data as PHI and segregate it accordingly.

Can employment records of covered entities be classified as ePHI?

No. Covered entity employment records are not PHI, so they cannot be ePHI. However, if an employee receives clinical care as a patient, the clinical record is PHI/ePHI; the employer’s HR file for that same individual remains a separate, non-PHI employment record.

What distinguishes ePHI from other health information?

Two elements: the data must be individually identifiable health information, and it must be created, received, maintained, or transmitted electronically. Electronic media transmission (email, portals, texts, EDI) or electronic storage turns PHI into ePHI. Paper-only materials and unrecorded voice conversations do not.
