What’s the Difference Between PHI and ePHI? Compliance Explained

Kevin Henry

HIPAA

April 23, 2024

Definition of PHI

Protected Health Information (PHI) is individually identifiable health information that relates to a person’s past, present, or future physical or mental health condition, the health care provided to that person, or payment for that care, and that is created, received, maintained, or transmitted by a Covered Entity or its Business Associate. Health information held by anyone else (a consumer fitness app with no covered-entity relationship, for example) may be sensitive, but it is not PHI under HIPAA.

PHI includes any such health information that identifies the individual or could reasonably be used to identify them, whether it is on paper, spoken, or stored electronically. Three things are excluded: data de-identified under the Privacy Rule’s standard (removal of the specified identifiers, or an expert determination that the risk of re-identification is very small), education records covered by FERPA, and records a Covered Entity holds in its role as an employer.

Definition of ePHI

Electronic Protected Health Information (ePHI) is simply PHI in electronic form. If the content qualifies as PHI, it becomes ePHI the moment it is stored, processed, or transmitted electronically—whether in an EHR, patient portal, email, mobile device, server, or cloud backup.

ePHI covers data at rest, in use, and in transit. Scans of paper charts, database exports, API payloads, audit logs, and even voice recordings saved as files are ePHI when they contain PHI.

Regulatory Framework

HIPAA sets the foundation for protecting PHI and ePHI. The HIPAA Privacy Rule governs how PHI may be used and disclosed and what rights individuals have over their information. The HIPAA Security Rule establishes safeguards for protecting ePHI specifically.

Covered Entities (providers, plans, clearinghouses) and their Business Associates must comply. Written Business Associate Agreements allocate responsibilities, and state laws that are more protective than HIPAA still apply. The HITECH Act strengthened enforcement and breach notification for unsecured PHI and ePHI.

HIPAA Privacy Rule

The Privacy Rule defines permitted uses and disclosures of PHI, the “minimum necessary” standard, and the circumstances that require patient authorization. It applies to PHI in any medium—paper, oral, or electronic.

You must provide a Notice of Privacy Practices, limit uses to the minimum necessary, and train your workforce on privacy policies. Individuals have rights to access, obtain copies, request amendments, receive an accounting of disclosures, and request reasonable restrictions.

HIPAA Security Rule

The Security Rule applies only to ePHI. It requires a risk-based program built on Administrative, Physical, and Technical Safeguards. Each standard carries implementation specifications that are either “required” or “addressable.” Addressable does not mean optional: you assess whether the specification is reasonable and appropriate for your environment and implement it if so; if not, you document why and implement an equivalent alternative measure where one is reasonable.

Administrative Safeguards

  • Conduct an enterprise-wide risk analysis and implement a risk management plan.
  • Designate a security official and establish written policies, procedures, and sanctions.
  • Manage workforce security with role-based access, training, and ongoing awareness.
  • Develop contingency plans, including data backup, disaster recovery, and emergency operations.
  • Execute Business Associate Agreements and oversee vendors that handle ePHI.

Physical Safeguards

  • Control facility access and monitor physical entry to areas with systems housing ePHI.
  • Secure workstations and portable devices; prevent viewing by unauthorized persons.
  • Implement device and media controls for inventory, reuse, transfer, and secure disposal.

Technical Safeguards

  • Access controls with unique user IDs, emergency access procedures, automatic logoff, and least-privilege permissions, plus person-or-entity authentication before access is granted.
  • Audit controls to log and regularly review access and activity affecting ePHI.
  • Integrity controls to detect and prevent improper alteration or destruction of ePHI.
  • Transmission security, including integrity checks and encryption, for ePHI in transit; encryption at rest is addressable and is expected wherever the risk analysis shows it is reasonable and appropriate.
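
The integrity item above is easier to see in code. The following is an added example, not from the original article or from any product it describes, showing one integrity control: an HMAC-SHA256 tag computed over a canonical serialization of each stored record and bound to the record’s identifier and version, so that a record altered outside the application fails verification when it is read back. The key, record layout, and field names are assumptions made for the illustration.

```python
"""Added example (not from the original article): an integrity control for
stored ePHI using an HMAC-SHA256 tag over a canonical serialization of each
record, so that improper alteration is detected on read.

The key, record layout, and field names are assumptions for this illustration.
In production the key lives in a KMS/HSM and the tag is stored alongside the
record or in a separate tamper-evident log.
"""
import copy
import hashlib
import hmac
import json

DEMO_KEY = b"demo-key-not-for-production"  # assumed; fetch from a KMS in practice

# Constructed sample record (not real patient data).
SAMPLE_RECORD = {
    "mrn": "MRN-000123",
    "name": "Jane Example",
    "dob": "1980-01-01",
    "lab": {"test": "HbA1c", "value": 6.4, "unit": "%"},
}


def canonical_bytes(record: dict) -> bytes:
    """Serialize deterministically: sorted keys, no whitespace, ASCII only.

    Without canonicalization, two records with the same content but a
    different key order or spacing would produce different tags and raise
    false integrity failures.
    """
    return json.dumps(
        record, sort_keys=True, separators=(",", ":"), ensure_ascii=True
    ).encode("utf-8")


def tag_record(key: bytes, record_id: str, version: int, record: dict) -> str:
    """Return a hex HMAC-SHA256 tag bound to the record id and version.

    Binding id and version into the MAC input stops someone with write
    access to the database from moving a valid (record, tag) pair from one
    patient onto another, or rolling a record back to an older version
    whose tag they kept.
    """
    header = f"{record_id}|{version}|".encode("utf-8")
    return hmac.new(key, header + canonical_bytes(record), hashlib.sha256).hexdigest()


def verify_record(key: bytes, record_id: str, version: int, record: dict, tag: str) -> bool:
    """Recompute the tag and compare in constant time."""
    expected = tag_record(key, record_id, version, record)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Exercise the cases a reviewer would want to see, returning outcomes."""
    rid, ver = SAMPLE_RECORD["mrn"], 3
    tag = tag_record(DEMO_KEY, rid, ver, SAMPLE_RECORD)

    # Same content, reversed key order: must still verify.
    reordered = dict(reversed(list(SAMPLE_RECORD.items())))

    # One lab value changed: must fail.
    tampered = copy.deepcopy(SAMPLE_RECORD)
    tampered["lab"]["value"] = 9.8

    return {
        "original_verifies": verify_record(DEMO_KEY, rid, ver, SAMPLE_RECORD, tag),
        "reordered_verifies": verify_record(DEMO_KEY, rid, ver, reordered, tag),
        "tampered_verifies": verify_record(DEMO_KEY, rid, ver, tampered, tag),
        # Tag for version 3 presented against version 2: rollback must fail.
        "rollback_verifies": verify_record(DEMO_KEY, rid, ver - 1, SAMPLE_RECORD, tag),
        # Same content and tag presented under another patient's id: must fail.
        "swapped_id_verifies": verify_record(DEMO_KEY, "MRN-000999", ver, SAMPLE_RECORD, tag),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:22} {ok}")
```

A keyed tag of this kind detects alteration by anyone who does not hold the key, such as a direct database write, a modified backup, or a corrupted replica; it does not constrain the application that holds the key, so it belongs alongside an append-only audit trail and tightly controlled key access rather than in place of them.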

Examples of PHI

PHI spans identifiers and health details that can tie back to a person. Common examples include:

  • Demographic identifiers: name, full address, phone, email, Social Security number.
  • Medical identifiers: medical record numbers, account numbers, prescription and device serial numbers, full-face photos, biometrics.
  • Clinical and billing content: diagnoses, lab results, imaging, treatment plans, claim and member numbers, payment details related to care.
  • Digital markers linked to health services: IP addresses, device IDs, and cookies when associated with patient portals or care interactions.

De-identified data and aggregated statistics that cannot reasonably identify a person are not PHI. A limited data set (direct identifiers removed, but dates and some geographic detail retained) is still PHI; it may be used or disclosed only for research, public health, or health care operations under a data use agreement.

Compliance Requirements for ePHI

Effective ePHI compliance aligns security controls to your documented risks and business realities. Focus on these essentials:

  • Perform and update a formal risk analysis; track remediation with clear owners and timelines.
  • Write, implement, and periodically review security and privacy policies and procedures.
  • Enforce role-based access, unique IDs, multi-factor authentication, and session timeouts.
  • Encrypt ePHI in transit and, based on risk, at rest; manage keys securely and rotate them.
  • Enable audit logging and regular reviews; alert on anomalous access and data exfiltration.
  • Harden systems, patch promptly, and baseline configurations; segment networks hosting ePHI.
  • Back up ePHI, test restores, and maintain a disaster recovery and business continuity plan.
  • Control endpoints and removable media; inventory devices and sanitize or destroy media at end-of-life.
  • Vet vendors, sign Business Associate Agreements, and monitor third-party performance.
  • Train your workforce initially and at least annually; test with drills and phishing simulations.
  • Establish incident response and breach notification processes with clear decision trees and timelines; for a breach of unsecured PHI, affected individuals must be notified without unreasonable delay and no later than 60 days after discovery.
  • Document everything—risk decisions, exceptions, safeguards, training, and assessments.
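
The “audit logging and regular reviews” item is where most programs stall, because the logs exist but nobody looks at them. The following is an added example, not from the original article or from any product it describes, of a review pass over an ePHI access audit log that flags the patterns the checklist asks you to alert on: a unit-bound clinician reading a patient from another unit, one user touching an unusual number of distinct patients inside a short window, and any bulk export. The log format, field names, roles, units, and thresholds are assumptions for the illustration, and the sample lines are constructed.

```python
"""Added example (not from the original article): a review pass over an ePHI
access audit log that flags anomalous access for follow-up.

The log format, field names, roles, units, and thresholds are assumptions made
for this illustration; map them onto your EHR's audit export. The sample log
is constructed, not real data.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values; derive the real ones from each unit's workload.
MAX_DISTINCT_PATIENTS_PER_WINDOW = 4
WINDOW = timedelta(hours=1)
# Assumed: these roles treat patients on their own unit, so a patient on
# another unit is worth a look (break-the-glass access would be logged too).
UNIT_BOUND_ROLES = {"nurse", "physician"}

# Constructed sample log. Fields:
# timestamp,user,role,user_unit,action,patient_id,patient_unit
SAMPLE_LOG = """\
2024-04-22T08:01:10Z,nurse01,nurse,ICU,VIEW,P1001,ICU
2024-04-22T08:02:45Z,nurse01,nurse,ICU,VIEW,P1002,ICU
2024-04-22T08:04:00Z,nurse02,nurse,ICU,VIEW,P2001,ONCOLOGY
2024-04-22T08:05:30Z,clerk07,billing,BILLING,VIEW,P1001,ICU
2024-04-22T08:06:00Z,clerk07,billing,BILLING,VIEW,P1002,ICU
2024-04-22T08:06:20Z,clerk07,billing,BILLING,VIEW,P2001,ONCOLOGY
2024-04-22T08:06:40Z,clerk07,billing,BILLING,VIEW,P3001,ED
2024-04-22T08:07:05Z,clerk07,billing,BILLING,VIEW,P3002,ED
2024-04-22T09:30:00Z,doc03,physician,ED,EXPORT,P3001,ED
2024-04-22T09:31:00Z,clerk07,billing,BILLING,VIEW,P1001,ICU
"""


def parse_log(text: str) -> list:
    """Parse the CSV-style lines into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, user, role, user_unit, action, patient, patient_unit = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "role": role, "unit": user_unit,
            "action": action, "patient": patient, "patient_unit": patient_unit,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def review(events: list) -> list:
    """Return (rule, user, detail) findings in timestamp order.

    cross_unit  - unit-bound role viewed a patient on another unit
    bulk_access - more than MAX_DISTINCT_PATIENTS_PER_WINDOW distinct patients
                  within WINDOW (possible snooping or scraping)
    export      - any EXPORT action, reviewed regardless of volume
    """
    findings = []
    recent = defaultdict(deque)   # user -> deque of (ts, patient) inside WINDOW
    bulk_flagged = set()          # flag each user once per burst, not per event
    for e in events:
        when = e["ts"].isoformat()
        if e["action"] == "EXPORT":
            findings.append(("export", e["user"], f"exported {e['patient']} at {when}"))
        if e["role"] in UNIT_BOUND_ROLES and e["unit"] != e["patient_unit"]:
            findings.append(("cross_unit", e["user"],
                             f"{e['unit']} {e['role']} viewed {e['patient']} "
                             f"on {e['patient_unit']} at {when}"))
        q = recent[e["user"]]
        q.append((e["ts"], e["patient"]))
        while e["ts"] - q[0][0] > WINDOW:   # drop events older than the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) > MAX_DISTINCT_PATIENTS_PER_WINDOW:
            if e["user"] not in bulk_flagged:
                bulk_flagged.add(e["user"])
                findings.append(("bulk_access", e["user"],
                                 f"{len(distinct)} distinct patients within {WINDOW} ending {when}"))
        else:
            bulk_flagged.discard(e["user"])  # burst over; re-arm the rule
    return findings


if __name__ == "__main__":
    for rule, user, detail in review(parse_log(SAMPLE_LOG)):
        print(f"{rule:12} {user:10} {detail}")
```

On the sample log this produces three findings: nurse02 for a cross-unit view, clerk07 for five distinct patients in under two minutes, and doc03 for an export. A finding is a prompt for review, not a breach determination; that decision still goes through your incident response process. In production the same rules run continuously in a SIEM against the EHR's audit feed, with thresholds baselined per role and unit so that a legitimately busy emergency department does not drown the reviewers in noise.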

Summary

PHI is the content; ePHI is that same content in electronic form. The HIPAA Privacy Rule governs when PHI can be used or disclosed, while the HIPAA Security Rule sets how you protect ePHI through Administrative, Physical, and Technical Safeguards. Build a risk-driven program, prove it with documentation, and keep improving.

FAQs

What distinguishes PHI from ePHI?

PHI is Individually Identifiable Health Information in any format—paper, oral, or electronic. ePHI is PHI specifically stored, processed, or transmitted electronically. Both are subject to the HIPAA Privacy Rule, while the HIPAA Security Rule applies only to ePHI.

What safeguards are required for ePHI?

You must implement Administrative, Physical, and Technical Safeguards. That includes risk analysis and management, policies and training, facility and device protections, access controls, authentication, audit logging, integrity controls, and transmission security—typically with strong encryption and least-privilege access.

How does HIPAA regulate PHI and ePHI?

The HIPAA Privacy Rule sets when PHI may be used or disclosed and grants individuals rights over their information. The HIPAA Security Rule requires a risk-based security program to protect ePHI. Together they ensure lawful use and strong protection across care, payment, and operations.
