Which Data Is Not Considered ePHI? A Practical Compliance Guide

Kevin Henry

HIPAA

April 21, 2024

7 minutes read

Understanding what falls outside the scope of electronic protected health information (ePHI) is essential for right-sizing controls, avoiding over-restriction, and focusing safeguards where they matter. Under HIPAA, context determines whether data is ePHI: who holds it, for what purpose, and whether it identifies an individual. Below, you’ll find clear exclusions, gray areas, and practical steps to stay compliant.

De-identified Health Information

What qualifies as de-identified

Data is not considered ePHI when it has been properly de-identified so that individuals are no longer identifiable. HIPAA (45 CFR 164.514(b)) permits two pathways: the Safe Harbor method, which removes 18 specified identifiers of the individual and of the individual's relatives, employers, and household members, and requires that the covered entity have no actual knowledge that the remaining data could identify the individual; and the Expert Determination method, in which a qualified expert applies accepted statistical or scientific principles and documents that the risk of re-identification is very small. Properly de-identified health information is outside HIPAA's scope.

Key boundaries to respect

  • Health data anonymization must be robust and documented; weak masking or simple pseudonyms are not enough.
  • A limited data set (with dates, city, or ZIP code) is still PHI and therefore ePHI when electronic.
  • A re-identification code is permitted (45 CFR 164.514(c)) only if it is not derived from information about the individual (a patient's name, MRN, or SSN in any encoded form does not qualify), the mechanism is not disclosed, and the code is used for no other purpose. If the recipient can readily link the data back to individuals, treat the dataset as PHI.

Practical controls

  • Use a formal de-identification protocol with peer review or expert sign-off.
  • Store re-identification keys separately with strict access controls and audit trails.
  • Set release thresholds (for example, suppress small cell sizes) to reduce residual risk.
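The de-identification protocol, separated key table, and small-cell threshold described above, as an added worked example in Python (this is illustrative code written for this article, not a tool from Accountable or from HHS). It applies the Safe Harbor transforms to constructed, fictional records: direct identifiers are dropped, dates are reduced to the year, ages 90 and over collapse into a single "90+" bucket with the birth year suppressed, ZIP codes are truncated to three digits (with the sparsely populated ZIP3 areas from the HHS guidance reported as "000"), and a random code, never one derived from the record, is the only link back to the MRN through a key table that stands in for a separately secured system. The field names, the sample records, and the release threshold of 11 are assumptions for the example; the threshold in particular is a policy choice, not a number HIPAA specifies.

```python
import secrets
from datetime import date

# ZIP3 areas with 20,000 or fewer residents (2000 Census) must be reported as
# "000" under Safe Harbor. Constant taken from the HHS de-identification
# guidance; assumption: confirm it against current guidance before relying on it.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}

# Fields treated as Safe Harbor direct identifiers and dropped outright.
# Field names are assumptions for this example, not a standard schema.
DIRECT_IDENTIFIERS = {
    "mrn", "name", "street", "phone", "fax", "email", "ssn", "account",
    "license", "device_id", "url", "ip", "photo",
}

# Release threshold: a policy choice for this example, not a HIPAA number.
MIN_CELL_SIZE = 11

# Reference date used for age calculation in the sample run (assumed).
REFERENCE_DATE = date(2024, 4, 21)


def generalize_zip(zip_code):
    """Keep the first three digits unless the ZIP3 area is restricted."""
    zip3 = str(zip_code)[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_on(dob, today):
    """Completed years between dob and today."""
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def deidentify(record, today, key_store):
    """Safe Harbor transform of one patient record.

    Ages of 90 and over become "90+" and the birth year is suppressed, because
    year of birth plus the reference year would reveal the age. Other date
    fields keep only the year. The random code links back to the MRN only via
    key_store, which models a separately secured re-identification table.
    """
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field == "dob":
            age = age_on(value, today)
            if age >= 90:
                out["age"] = "90+"
            else:
                out["age"] = age
                out["birth_year"] = value.year
        elif isinstance(value, date):
            out[field + "_year"] = value.year
        else:
            out[field] = value
    code = secrets.token_hex(8)          # random, not derived from the record
    key_store[code] = record.get("mrn")  # kept out of the released dataset
    out["code"] = code
    return out


def deidentify_all(records, today):
    """Return (released dataset, re-identification key table)."""
    key_store = {}
    released = [deidentify(r, today, key_store) for r in records]
    return released, key_store


def diagnosis_counts(released):
    """Aggregate released records by diagnosis code."""
    counts = {}
    for r in released:
        counts[r["dx"]] = counts.get(r["dx"], 0) + 1
    return counts


def suppress_small_cells(counts, k=MIN_CELL_SIZE):
    """Set aggregate cells below the release threshold to None before release."""
    return {cell: (n if n >= k else None) for cell, n in counts.items()}


# Constructed sample records (fictional), not real patient data.
SAMPLE_RECORDS = [
    {"mrn": "MRN-1001", "name": "A. Example", "ssn": "000-00-0001",
     "zip": "03601", "dob": date(1930, 5, 2), "admit": date(2024, 3, 14),
     "dx": "E11.9"},
    {"mrn": "MRN-1002", "name": "B. Example", "phone": "555-0100",
     "zip": "94110", "dob": date(1985, 11, 30), "admit": date(2024, 1, 5),
     "dx": "J45.909"},
]

if __name__ == "__main__":
    released, keys = deidentify_all(SAMPLE_RECORDS, REFERENCE_DATE)
    for row in released:
        print(row)
    print(suppress_small_cells(diagnosis_counts(released)))
```

Two design points worth noting: the released rows never contain the MRN or any value derived from it, so the key table can live in a different system with its own access controls and audit trail; and the small-cell suppression runs on the aggregate, after de-identification, because a row-level Safe Harbor transform does nothing to stop a count of one from singling someone out.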

Employment Records

When employee data is not ePHI

Covered entity employment records—when held by a covered entity in its role as employer—are not ePHI. Typical examples include FMLA certifications, pre-employment physical results retained by HR, drug test outcomes for hiring, ADA accommodation documentation, and return-to-work notes maintained in personnel files.

Edge cases to watch

  • If the same information also resides in the provider's clinical system, that copy is PHI/ePHI: it is held in the organization's role as a health care provider, not as an employer, and is used for treatment, payment, or operations.
  • Keep HR systems and clinical systems separate; do not sync employee health documents into the HIPAA designated record set unless clinically necessary.

Practical controls

  • Maintain separate repositories for HR and clinical records with distinct access rights.
  • Label and route employee health documents to HR, not the EHR, unless used for care.
  • Train staff on the difference between covered entity employment records and clinical PHI.

Educational Records

FERPA-covered data is not ePHI

Education records maintained by schools or districts, and the treatment records of students at postsecondary institutions, are governed by FERPA rather than HIPAA and are expressly excluded from HIPAA's definition of PHI. School nurse files, immunization documentation kept by the school, and counseling records maintained for educational purposes are not considered ePHI.

When ePHI can still arise

  • If a community provider treats a student and maintains records in its EHR, those records are PHI/ePHI even if a copy is shared with the school.
  • If a university clinic discloses student treatment records for purposes other than treatment (for example, to the student or to a third party), those records lose their FERPA treatment-record status and become FERPA education records; they remain outside HIPAA, but the FERPA rules that apply to them change.
  • If the same clinic treats non-students and conducts standard electronic transactions, it is a covered entity for those non-student records, which are PHI/ePHI.

Practical controls

  • Map data flows between schools and external providers; define which regime (FERPA or HIPAA) applies at each handoff.
  • Avoid storing school-originated files inside a covered entity’s designated record set unless needed for clinical purposes.

Personal Health Records

Direct-to-consumer PHRs are typically outside HIPAA

Personal Health Records maintained by individuals or consumer apps that are not acting on behalf of a covered entity or business associate are not ePHI. This includes wellness apps and wearable device data stored solely by a consumer-facing company. Such information may be subject to other laws but is not HIPAA PHI.

When a PHR becomes ePHI

  • If a PHR or patient portal is provided by, or on behalf of, a covered entity or its business associate, the data is PHI/ePHI.
  • Integration that routes consumer data into a provider’s EHR or designated record set can convert it into PHI.

Practical controls

  • Clarify whether a PHR vendor acts on behalf of your organization; if yes, execute a BAA and apply HIPAA safeguards.
  • Label patient-submitted consumer-generated data on ingest; apply PHI rules if it enters clinical workflows.

Psychotherapy Notes

Special protection, not a blanket exclusion

Psychotherapy notes receive heightened protection under HIPAA, but they are still PHI—and ePHI when electronic. The “psychotherapy notes exclusion” refers to their exclusion from the HIPAA right of access and from most uses/disclosures without specific authorization; it does not remove them from the definition of PHI.

What’s a psychotherapy note vs. regular clinical information

  • Psychotherapy notes: a therapist’s separate, private notes analyzing the content of counseling sessions.
  • Not psychotherapy notes: medication details, start/stop times, modalities, test results, diagnosis, treatment plan, symptoms, prognosis, and progress notes—these belong in the designated record set and are standard PHI/ePHI.

Practical controls

  • Store psychotherapy notes separately with stronger access restrictions and auditing.
  • Require specific patient authorization for most disclosures of psychotherapy notes.

Information Compiled for Legal Proceedings

Access exclusion, not a PHI exclusion

Health information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding remains PHI/ePHI. HIPAA excludes it from the individual's right of access (45 CFR 164.524(a)(1)(ii)), but the data still requires full privacy and security safeguards.

Practical controls

  • Tag and segregate litigation-prepared materials to reflect the access exclusion.
  • Coordinate with counsel on legal holds, retention, and minimum necessary disclosures.
  • Apply breach risk assessment and notification duties as you would for other PHI/ePHI.

Data Maintained by Non-covered Entities

When HIPAA simply does not apply

Non-covered entity data—such as information held solely by life insurers, many employers in their employer role, independent wellness programs, or consumer tech companies not acting for a covered entity—is not ePHI. HIPAA obligations attach to covered entities and their business associates, not to everyone handling health-related data.

When non-covered entities become regulated

  • If a non-covered company performs functions on behalf of a covered entity and receives PHI, it becomes a business associate and must treat that information as PHI/ePHI.
  • Once combined with a covered entity’s designated record set or systems, previously unregulated data may become PHI.

Practical controls

  • Perform vendor scoping to determine covered entity, business associate, or non-covered status.
  • Use BAAs, role-based access, and data-minimization when functions involve PHI.

In summary, data is not considered ePHI when it is properly de-identified, maintained as covered entity employment records, governed by FERPA as educational records, or kept by non-covered entities and apps outside a covered entity’s control. Psychotherapy notes and information prepared for legal proceedings remain PHI but carry narrow access exclusions. Always assess who holds the data, for what purpose, and whether an individual can be identified.

FAQs

What types of data are excluded from the ePHI definition?

Data that is outside HIPAA’s scope includes properly de-identified protected health information, covered entity employment records held in the employer role, educational records governed by FERPA, and health information maintained solely by non-covered entities or direct-to-consumer apps acting independently. Limited data sets and weakly masked data are still PHI and not excluded.

How are personal health records differentiated from ePHI?

Personal Health Records are not ePHI when a consumer-facing service maintains them independently of any covered entity or business associate. If a PHR is offered by or on behalf of a provider, health plan, or their vendor—and data flows into clinical or plan operations—it becomes PHI/ePHI and must meet HIPAA requirements.

Why are psychotherapy notes not considered ePHI?

They are considered PHI—and ePHI if electronic. The common misconception comes from the “psychotherapy notes exclusion,” which limits the right of access and requires specific authorization for most disclosures. It does not remove psychotherapy notes from HIPAA’s PHI definition.

What role do employment records play in ePHI exclusions?

Employment records that a covered entity keeps in its capacity as an employer—such as FMLA forms, drug tests for hiring, or ADA documentation—are not ePHI. However, the same information stored in a clinical system for treatment, payment, or operations is PHI/ePHI and must be protected accordingly.
