What’s the Difference Between PHI and ePHI Under HIPAA?

Kevin Henry

HIPAA

September 21, 2025

Understanding what separates PHI from ePHI helps you apply the right privacy and security controls. In short, PHI covers identifiable health information in any format, while ePHI is that same information when created, stored, transmitted, or received electronically—bringing the HIPAA Security Rule into full effect.

This guide clarifies both terms, maps them to the HIPAA Privacy Rule and HIPAA Security Rule, shows real‑world examples, and highlights practical steps—like Data Encryption and ongoing Risk Assessment—to keep your organization compliant and patients protected.

Definition of PHI

Protected Health Information (PHI) is individually identifiable health information held or transmitted by a covered entity or its business associate in any form—paper, verbal, or electronic. It relates to a person’s past, present, or future physical or mental health condition, the provision of care, or payment for care, and either identifies the individual or can reasonably be used to identify them.

Common identifiers that make health information PHI include names, addresses, full‑face photos, dates of birth, phone numbers, email addresses, Social Security numbers, medical record numbers, health plan beneficiary numbers, device identifiers, and biometric data. Paper charts, printed lab results, and a provider’s spoken handoff about a patient all count as PHI.

Excluded from PHI are de‑identified datasets that meet HIPAA de‑identification standards, education records covered by FERPA, and employment records a covered entity maintains in its role as employer.

Definition of ePHI

Electronic Protected Health Information (ePHI) is PHI that is created, received, maintained, or transmitted in electronic form. If the medium is electronic—EHR systems, e‑prescribing platforms, secure messaging, patient portals, imaging archives, cloud backups, or even server logs that contain identifiers—then it is ePHI.

Because ePHI exists in digital ecosystems, it is directly governed by the HIPAA Security Rule. That means specific Administrative Safeguards, Physical Safeguards, and Technical Safeguards must be in place to protect confidentiality, integrity, and availability across endpoints, networks, and storage.

HIPAA Privacy Rule Requirements

The HIPAA Privacy Rule sets standards for how PHI—regardless of format—may be used and disclosed. It defines permitted uses for treatment, payment, and healthcare operations; requires valid authorization for most other uses; and mandates the “minimum necessary” standard to limit unnecessary exposure.

Patients have rights under the Privacy Rule, including the right to access and obtain copies of their records, request amendments, receive an accounting of certain disclosures, and obtain a Notice of Privacy Practices. Covered entities must designate a privacy official, train their workforce, maintain policies and procedures, and execute Business Associate Agreements with vendors that handle PHI.

De‑identification options and role‑based access policies are key Privacy Rule mechanisms that help you share data responsibly while reducing risk.
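
As an added illustration of the de‑identification mechanism described above (example code, not the article's or Accountable's own), the following Python scans a record for the identifier types the article lists and produces a copy with direct identifiers removed and leaked identifiers masked in free text. Field names and the ISO date format are assumptions for the demo; this is one step of de‑identification, not a complete HIPAA Safe Harbor implementation.

```python
import re

# Direct identifier fields named in the article (field names assumed for this demo);
# stripping them is one step of de-identification, not a full Safe Harbor implementation.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "photo", "date_of_birth", "phone", "email", "ssn",
    "medical_record_number", "beneficiary_number", "device_id", "biometric",
}

# Identifiers that commonly leak into free-text fields such as clinical notes.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

def find_identifiers(record):
    """Return the identifier kinds present; a non-empty set means the record is PHI."""
    found = {field for field in DIRECT_IDENTIFIER_FIELDS if record.get(field)}
    for field, value in record.items():
        if field not in DIRECT_IDENTIFIER_FIELDS and isinstance(value, str):
            found |= {kind for kind, pat in FREE_TEXT_PATTERNS.items() if pat.search(value)}
    return found

def de_identify(record):
    """Drop direct identifiers, keep only the birth year (ISO date assumed), mask leaks in text."""
    out = {}
    for field, value in record.items():
        if field == "date_of_birth" and value:
            out["birth_year"] = value[:4]
        elif field in DIRECT_IDENTIFIER_FIELDS:
            continue
        elif isinstance(value, str):
            for kind, pat in FREE_TEXT_PATTERNS.items():
                value = pat.sub(f"[{kind.upper()} REMOVED]", value)
            out[field] = value
        else:
            out[field] = value
    return out

# Constructed sample record with fictitious values.
SAMPLE = {
    "name": "Jane Example",
    "date_of_birth": "1975-03-09",
    "medical_record_number": "MRN-000123",
    "diagnosis": "Type 2 diabetes",
    "notes": "Call patient at 555-123-4567 or jane@example.org before follow-up.",
}
```

Running `find_identifiers` on the de‑identified output returns an empty set, which is the check a pipeline should make before treating the copy as outside the PHI definition.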

HIPAA Security Rule Safeguards

The HIPAA Security Rule applies to ePHI and requires a comprehensive, ongoing security program built on Risk Assessment and risk management. Controls are grouped into Administrative Safeguards, Physical Safeguards, and Technical Safeguards.

Administrative Safeguards

  • Perform an enterprise‑wide Risk Assessment and implement risk management plans; review and update regularly.
  • Assign security responsibility, define workforce security, and manage information access based on least privilege.
  • Develop and enforce security policies, workforce training, sanctions, and a security incident response process.
  • Plan for contingencies: data backup, disaster recovery, and emergency mode operations.

Physical Safeguards

  • Control facility access; document procedures for visitor management and equipment placement.
  • Define workstation use and security to prevent shoulder surfing and unauthorized viewing.
  • Implement device and media controls, including secure disposal, re‑use procedures, and chain of custody.

Technical Safeguards

  • Unique user identification, strong authentication, and automatic logoff.
  • Access controls and audit controls to monitor activity and detect anomalies.
  • Integrity controls to prevent improper alteration or destruction of ePHI.
  • Transmission security with Data Encryption and protections against unauthorized interception.

Encryption is an “addressable” control under the Security Rule, but in practice it is expected wherever feasible—at rest and in transit—to mitigate breach risk and satisfy the standard of due diligence.
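
As an added example (not the article's or any product's code) of the integrity and audit controls listed above: each ePHI record carries an HMAC‑SHA256 tag, every read is logged against a unique user ID, and a record altered after sealing is refused rather than served. The key constant stands in for a KMS‑managed secret and the record layout is assumed for the demo.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumed: in production the key comes from a key-management service;
# a fixed constant is used only so this demo runs stand-alone.
INTEGRITY_KEY = b"demo-only-key-replace-with-kms-managed-secret"

def canonical(record):
    """Stable serialization so identical content always yields the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def seal(record, key=INTEGRITY_KEY):
    """Attach an HMAC-SHA256 tag over the record's canonical form (integrity control)."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}

def verify(sealed, key=INTEGRITY_KEY):
    """True only if the record is byte-for-byte what was sealed."""
    expected = hmac.new(key, canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])

def access(sealed, user_id, audit_log):
    """Read path: verify integrity, log who read what (audit control), refuse on failure."""
    ok = verify(sealed)
    audit_log.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user_id,  # unique user identification
        "record_id": sealed["record"].get("medical_record_number"),
        "event": "read" if ok else "integrity_failure",
    })
    return dict(sealed["record"]) if ok else None  # hand out a copy, not the stored object

def demo():
    """Constructed sample: a clean read, then a read after the stored copy was altered."""
    log = []
    stored = seal({"medical_record_number": "MRN-000123", "diagnosis": "Type 2 diabetes"})
    first = access(stored, "nurse.042", log)
    stored["record"]["diagnosis"] = "No findings"  # alteration without re-sealing
    second = access(stored, "nurse.042", log)
    return first, second, log
```

The `integrity_failure` audit event is the signal a monitoring rule should alert on; the tag protects against alteration, not disclosure, so encryption at rest remains a separate control.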

Examples of PHI and ePHI

PHI (non‑electronic examples)

  • Paper intake forms listing a patient’s diagnosis and insurance number.
  • Printed lab results paired with a name and date of birth.
  • A clinician’s verbal report that identifies a patient by name and condition.

ePHI (electronic examples)

  • EHR entries, e‑prescriptions, digital imaging (PACS), and scanned documents containing identifiers.
  • Emails or secure messages with treatment details; patient portal data and telehealth session notes.
  • Cloud backups, mobile app records, server logs, and device telemetry that include identifiers.

The content can be identical; the medium determines whether PHI is also ePHI. Once the information is created, stored, transmitted, or received electronically, the HIPAA Security Rule applies in addition to the Privacy Rule.

Compliance Challenges

  • Blended workflows: the same record may exist on paper, in an EHR, and in cloud storage, complicating controls.
  • Remote work and BYOD increase endpoint exposure; mobile device management and containerization become essential.
  • Third‑party vendors and APIs require thorough due diligence, Business Associate Agreements, and continuous monitoring.
  • Legacy systems, unpatched devices, and medical IoT create attack surfaces that strain Technical Safeguards.
  • Human factors—phishing, misdirected emails, and misconfigured access—undercut even strong policies.
  • Documentation burden: sustaining Risk Assessment cycles, audit logs, and incident response evidence over time.

Importance of Data Protection

Robust data protection safeguards patient trust, supports uninterrupted care, and reduces legal, financial, and reputational risk. When you align the HIPAA Privacy Rule and HIPAA Security Rule, you both restrict unnecessary data use and harden systems that store and move ePHI.

Prioritize layered controls: role‑based access, continuous monitoring, strong authentication, Data Encryption at rest and in transit, secure disposal, and tested backups. Reinforce them with recurring Risk Assessment, staff training, vendor oversight, and a live incident response plan. This defense‑in‑depth approach keeps confidentiality, integrity, and availability front and center.

FAQs

What information is considered PHI under HIPAA?

PHI is any health‑related information that identifies an individual or could reasonably identify them, held or transmitted by a covered entity or business associate. It includes clinical details and common identifiers such as names, addresses, dates of birth, contact details, medical record and insurance numbers, biometric data, and full‑face photos, across paper and verbal formats as well as digital media.

How does ePHI differ from general PHI?

ePHI is simply PHI in electronic form—created, stored, transmitted, or received via digital systems like EHRs, portals, email, mobile apps, servers, or cloud services. While the Privacy Rule governs all PHI, ePHI also triggers the HIPAA Security Rule’s Administrative, Physical, and Technical Safeguards.

What security measures are required for ePHI?

Organizations must conduct a Risk Assessment and implement appropriate safeguards: access controls, authentication, audit logging, integrity protections, secure transmission, contingency planning, workforce training, facility and device protections, and policies and procedures. Data Encryption at rest and in transit is strongly recommended to reduce breach risk.

Why is protecting ePHI critical for healthcare entities?

ePHI concentrates sensitive data in systems that are attractive to attackers. Strong protections prevent unauthorized access, ensure accurate and available records for patient care, and help avoid regulatory penalties and reputational damage. Effective security also streamlines interoperability and supports patient trust in digital health services.