What Is Not ePHI? Electronic PHI Examples and Non-Examples Explained
Electronic protected health information (ePHI) covers identifiable health details that a HIPAA-covered entity or its business associate creates, receives, stores, or transmits in electronic form. Knowing what falls outside that boundary helps you minimize risk, scope systems correctly, and focus controls where they matter. Below, you’ll find clear explanations and examples of what is not ePHI, grounded in the HIPAA Privacy Rule, Data De-identification Standards, and adjacent regimes like FERPA Compliance.
De-identified Health Information
Health data that has been de-identified so that no individual can be reasonably identified is not ePHI. Under the HIPAA Privacy Rule, de-identification can be achieved by either: (1) removing specified identifiers (the “Safe Harbor” approach), or (2) having a qualified expert determine and document that the risk of re-identification is very small (the “Expert Determination” approach). Both are recognized Data De-identification Standards.
Examples of non-ePHI after proper de-identification include:
- Aggregated outcomes dashboards showing infection rates by year and 3-digit ZIP code (with small-population ZIPs masked) where individuals cannot be singled out.
- Research datasets with dates limited to year and all direct identifiers removed, supported by a documented expert assessment.
- Anonymized Health Data used for algorithm training when re-identification risk has been reduced to a very small probability.
Be cautious with partial measures. Simply hashing names, using codes that can be re-linked, or removing only obvious identifiers rarely qualifies as de-identification. If a covered entity or business associate can readily re-link the data to a person, it remains PHI when in their possession.
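As an added illustration (not code from the article or from Accountable), the Python below applies the Safe Harbor transformations described above to a constructed patient record: direct identifiers are dropped, dates are reduced to year, ages over 89 are aggregated, and ZIP codes are truncated to three digits with small-population prefixes masked. The population table and identifier list are assumptions; the last function shows why a bare hash of a name is re-linkable rather than de-identified.

```python
import hashlib
from datetime import date

# Constructed population table for 3-digit ZIP prefixes (illustrative, not census data).
ZIP3_POPULATION = {"021": 650000, "036": 15000}

# Direct identifiers to drop under the Safe Harbor approach (assumed subset of the rule's list).
DIRECT_IDENTIFIERS = {"name", "email", "phone", "mrn", "ssn"}

def safe_harbor_zip(zip_code: str) -> str:
    """Keep the first three ZIP digits, or '000' when that prefix area has 20,000 or fewer people."""
    prefix = zip_code[:3]
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20000 else "000"

def safe_harbor_date(d: date) -> int:
    """Reduce a full date to its year only."""
    return d.year

def safe_harbor_age(age: int):
    """Ages over 89 are aggregated into a single '90+' category."""
    return "90+" if age > 89 else age

def de_identify(record: dict) -> dict:
    """Apply the Safe Harbor transformations to a single record, dropping direct identifiers."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            out[key] = safe_harbor_zip(value)
        elif isinstance(value, date):
            out[key] = safe_harbor_date(value)
        elif key == "age":
            out[key] = safe_harbor_age(value)
        else:
            out[key] = value
    return out

def hash_name(name: str) -> str:
    """The 'partial measure' the text warns about: a bare SHA-256 of the name."""
    return hashlib.sha256(name.encode()).hexdigest()

def hashed_name_is_relinkable(hashed: str, candidate_names) -> bool:
    """Anyone holding a name list can recompute the hashes and re-link the row, so it stays PHI."""
    return any(hash_name(n) == hashed for n in candidate_names)

# Constructed sample record (no real patient).
RECORD = {"name": "Jane Example", "mrn": "MRN-0001", "zip": "03601",
          "admit_date": date(2023, 4, 17), "age": 92, "diagnosis": "pneumonia"}
```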
Employment Records
Health information that an employer maintains in its role as an employer is not PHI, and thus not ePHI, even if it contains medical details. These are employment records, not healthcare records handled by a covered entity for treatment, payment, or operations.
Common non-ePHI employment records include:
- Pre-employment physical results kept in HR files (not by the provider for clinical purposes).
- FMLA, ADA, or workers’ compensation forms maintained by the employer.
- Fitness-for-duty certifications stored in an HR system.
However, if the same individual’s information is held by a group health plan, insurer, or provider for care or payment, that copy is PHI/ePHI. The role of the holder determines status.
Educational Records Under FERPA
Student health records that are part of a school’s education record under FERPA are not PHI and therefore not ePHI. FERPA Compliance governs these records, such as immunizations recorded by a school nurse, hearing/vision screenings, or clinic visits maintained by the school for educational purposes.
Key points:
- Education records and certain treatment records maintained by a school are excluded from HIPAA and handled under FERPA.
- If a hospital or external clinic (a HIPAA-covered provider) treats a student and maintains the record, that record is PHI—even if the student is also a pupil.
- When in doubt, ask: Is the record maintained by a FERPA-covered institution as an education or treatment record? If yes, it is not PHI.
Personal Health Records on Devices
Personal health data you keep solely in consumer apps or on wearables—outside a HIPAA-covered relationship—is generally not ePHI. Examples include step counts in a fitness tracker, diet logs in a standalone app, or heart-rate trends saved to your phone when no covered entity or business associate is involved.
Consider these nuances:
- If a provider or health plan directs you to an app operated on its behalf (e.g., a patient portal app), data in that environment may be ePHI.
- When you later share app data with a provider, the copy the provider receives may become ePHI in the provider’s system.
- Regardless of HIPAA scope, practice Personal Health Records Security—use strong authentication, encrypt device backups, and review app permissions.
Non-Health-Related Financial Data
Financial information that does not relate to health care or payment for health care, and is not created or held by a covered entity or business associate for such purposes, is not ePHI. Such non-PHI financial information includes:
- Bank statements, payroll records, and general credit card transaction histories unrelated to medical billing.
- FICO scores, mortgage applications, and tax returns not used for healthcare operations.
Borderline examples help clarify scope:
- A personal credit card charge to a pharmacy is not ePHI by itself; it’s a financial record outside a covered entity’s systems. Contextual inferences don’t convert it to PHI.
- An Explanation of Benefits issued by a health plan is PHI/ePHI because it reflects payment for health care by a covered entity.
Distinguishing ePHI From Other Data
Use this quick test to determine status:
- Who holds the data? If it’s a HIPAA-covered entity (provider, health plan, clearinghouse) or a business associate, continue.
- What is the data about? It must relate to an individual’s past, present, or future physical/mental health, care, or payment.
- Is the person identifiable? Can the individual be identified, directly or indirectly, from the data alone or in combination with other available information?
- Is it electronic? If yes, it’s ePHI; if not electronic, it may still be PHI but not ePHI.
Common gray areas:
- Pseudonymized datasets a covered entity can re-link are still PHI; truly de-identified datasets are not.
- Device identifiers, IP addresses, or cookies become PHI within patient portals if they can be tied to an identifiable patient and relate to care or payment.
- Employer-held medical notes are not PHI, while the same notes in a provider’s EHR are PHI/ePHI.
Compliance Implications of Non-ePHI
Labeling information as “not ePHI” narrows HIPAA obligations but does not eliminate compliance duties. Other laws may apply—FERPA for student records, state consumer privacy laws, FTC rules for certain health apps, or GLBA for financial institutions. Treat non-ePHI with care by applying proportionate safeguards and documenting your rationale.
Practical steps
- Classify systems and datasets by the holder's role (covered entity or business associate versus employer, consumer, or other non-covered context).
- Apply de-identification methods that meet recognized standards and keep expert determinations on file.
- Use data minimization and strong access control even for non-ePHI; good security hygiene reduces breach impact.
- Align vendor contracts with the data type—Business Associate Agreements for PHI/ePHI; appropriate commercial or data-processing terms for non-ePHI.
Conclusion
Not all health-related data is ePHI. De-identified datasets, employment records, FERPA-governed student files, consumer device logs, and general financial information typically fall outside HIPAA’s electronic PHI scope. Evaluate who holds the data, what it describes, whether a person is identifiable, and the form of the data. With these criteria—and attention to parallel laws—you can right-size your privacy and security program.
FAQs
What qualifies as electronic protected health information?
ePHI is individually identifiable health information that a HIPAA-covered entity or its business associate creates, receives, maintains, or transmits in electronic form, and that relates to an individual’s health status, provision of care, or payment for care. The holder’s role, the health-related purpose, identifiability, and electronic medium all matter.
How is de-identified information defined under HIPAA?
HIPAA recognizes two Data De-identification Standards: Safe Harbor (removal of specific identifiers like names, full-face photos, and precise dates) and Expert Determination (a qualified expert documents that the re-identification risk is very small). Properly de-identified data is not PHI or ePHI.
Are employment health records considered ePHI?
No. Medical information kept by an employer in its capacity as an employer—such as FMLA forms or fitness-for-duty notes—is not PHI/ePHI. If the same information is held by a provider, health plan, or their business associate for care or payment, that copy is PHI/ePHI.
What types of personal health records are excluded from ePHI?
Consumer health data stored only in personal apps, wearables, or devices—without involvement of a HIPAA-covered entity or business associate—is generally not ePHI. If you share that data with a provider or use an app operated on a covered entity’s behalf, those copies may become ePHI.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.