Which of the Following Is an Example of ePHI? Clear Examples and What Counts Under HIPAA



Kevin Henry

HIPAA

August 08, 2025

6 minutes read

If you’ve wondered, “Which of the following is an example of ePHI?”, the short answer is: any individually identifiable health information in electronic form that a healthcare organization creates, receives, maintains, or transmits. Under HIPAA Compliance, that includes EHR entries, imaging files, e-prescriptions, billing records, portal messages, lab results, and device data—when they can be tied to a specific person.

Because Electronic Protected Health Information spans many systems, you should evaluate what you store, how you transmit it, and who can access it. Covered Entities and their Business Associates must apply Data Encryption, Access Controls, and Audit Trails to protect this information end to end.

Electronic Health Records Overview

Electronic Health Records (EHRs) are a primary source of Electronic Protected Health Information. When an EHR entry includes a name, medical record number, contact details, or other identifiers alongside health or payment data, it qualifies as ePHI and falls under HIPAA Compliance.

Typical EHR content includes demographics, problem lists, medications, allergies, immunizations, vitals, and care plans. You should assume all such elements are ePHI when they can identify a patient.

  • Examples: a progress note linked to a patient chart, a medication list visible in a portal, allergy updates saved after a visit.
  • Safeguards to apply: role-based Access Controls, Data Encryption in transit and at rest, and Audit Trails showing who viewed, edited, or exported records.

Digital Imaging as ePHI

Diagnostic images—X-rays, CTs, MRIs, ultrasounds—are ePHI when stored or shared with patient identifiers. DICOM files often embed names, medical record numbers, and accession IDs, so the image plus its metadata must be protected.

If you de-identify images thoroughly so no individual can be reasonably re-identified, they are no longer ePHI. Until then, treat all imaging artifacts and exports as regulated content.

  • Examples: a DICOM series with a patient’s name, a PACS backup containing study metadata, an ultrasound JPEG labeled with a chart number.
  • Safeguards: encrypted PACS storage, strict viewer permissions, and Audit Trails on downloads and secondary captures.
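The opening definition (identifiers tied to health or payment data) and the imaging section (DICOM headers carrying names, MRNs and accession IDs, and de-identification removing a file from scope) both come down to one check: does the record contain an identifier, and does it contain health content? The following is an added example, not code from the article or from Accountable. It classifies a flat record such as a DICOM header or an EHR row and produces a de-identified copy. The field names are assumptions modelled on DICOM attribute names and common EHR columns, the identifier set is an illustrative subset of the HIPAA Safe Harbor categories, and the sample record is constructed; adapt the field lists to your own schema.

```python
import copy
import re

# Assumed field names (modelled on DICOM attributes and EHR/claims columns).
# Illustrative subset of the Safe Harbor identifier categories, not the full list.
DIRECT_IDENTIFIERS = {
    "PatientName", "PatientID", "MedicalRecordNumber", "AccessionNumber",
    "PatientAddress", "PatientTelephone", "PatientEmail", "SSN",
    "AccountNumber", "DeviceSerialNumber", "IPAddress", "FacePhoto",
}
# Dates more precise than the year are identifiers under Safe Harbor.
DATE_FIELDS = {"PatientBirthDate", "StudyDate", "AdmissionDate",
               "DischargeDate", "ServiceDate"}
# Free-text fields that may carry identifiers inline.
FREE_TEXT_FIELDS = {"ClinicalNotes", "ImageComments", "Comments"}
# Fields carrying health, treatment or payment content.
HEALTH_FIELDS = {
    "Diagnosis", "StudyDescription", "Modality", "PixelData", "LabResult",
    "Medication", "ProcedureCode", "DiagnosisCode", "ClaimAmount", "ClinicalNotes",
}
# Inline identifier patterns searched in free text.
TEXT_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "Phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
}


def _present(value):
    return value not in (None, "", [], {})


def _is_full_date(value):
    """True for YYYYMMDD (DICOM DA) or YYYY-MM-DD; a bare year is not a full date."""
    text = str(value)
    return bool(re.match(r"^\d{8}$", text) or re.match(r"^\d{4}-\d{2}-\d{2}$", text))


def _age_years(value):
    """Parse an age such as '092Y' (DICOM AS format) or '92' into an int."""
    match = re.match(r"^(\d{1,3})Y?$", str(value))
    return int(match.group(1)) if match else None


def identifying_fields(record):
    """Return the set of fields that make the record individually identifiable."""
    found = set()
    for field, value in record.items():
        if not _present(value):
            continue
        if field in DIRECT_IDENTIFIERS:
            found.add(field)
        elif field in DATE_FIELDS and _is_full_date(value):
            found.add(field)
        elif field == "PatientAge":
            age = _age_years(value)
            if age is not None and age > 89:   # ages over 89 are identifiers
                found.add(field)
        elif field in FREE_TEXT_FIELDS and any(
                p.search(str(value)) for p in TEXT_PATTERNS.values()):
            found.add(field)
    return found


def has_health_content(record):
    return any(_present(record.get(f)) for f in HEALTH_FIELDS)


def is_ephi(record):
    """ePHI per the article's framing: identifiers plus health or payment content."""
    return bool(identifying_fields(record)) and has_health_content(record)


def deidentify(record):
    """Return a copy with direct identifiers dropped, dates reduced to the year,
    ages over 89 capped, and inline identifiers in free text redacted."""
    clean = copy.deepcopy(record)
    for field in list(clean):
        value = clean[field]
        if field in DIRECT_IDENTIFIERS:
            del clean[field]
        elif field in DATE_FIELDS and _is_full_date(value):
            clean[field] = str(value)[:4]
        elif field == "PatientAge":
            age = _age_years(value)
            if age is not None and age > 89:
                clean[field] = "90+"
        elif field in FREE_TEXT_FIELDS:
            text = str(value)
            for pattern in TEXT_PATTERNS.values():
                text = pattern.sub("[REDACTED]", text)
            clean[field] = text
    return clean


# Constructed sample resembling a DICOM header plus a comment; not real patient data.
SAMPLE_RECORD = {
    "PatientName": "DOE^JANE", "PatientID": "MRN-000123",
    "PatientBirthDate": "19330412", "PatientAge": "092Y", "StudyDate": "20250108",
    "Modality": "CT", "StudyDescription": "CHEST W CONTRAST",
    "ImageComments": "Callback 555-123-4567 re findings",
}

if __name__ == "__main__":
    print("identifiers:", sorted(identifying_fields(SAMPLE_RECORD)))
    print("ePHI before:", is_ephi(SAMPLE_RECORD), "after:", is_ephi(deidentify(SAMPLE_RECORD)))
```

The classifier follows the article's "identifiers plus health or payment content" framing, so a bare name with no clinical fields is reported as not ePHI; in practice a list of patient names held by a provider already reveals patient status, so treat such rosters as ePHI too. For real DICOM files the same field logic applies to the parsed header, but pixel data can also contain burned-in text, which this metadata-only check does not see.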

E-Prescriptions and Electronic Communication

E-prescriptions contain patient identifiers, drug details, and prescriber information; as such, they are ePHI from creation through pharmacy fulfillment. The same applies to secure portal messages, telehealth chat transcripts, and emailed results when they reference an identifiable patient.

Appointment or refill reminders can also be ePHI if they reveal a diagnosis, treatment type, or provider specialty tied to a person. Use minimum-necessary content and secure channels whenever possible.

  • Examples: an eRx message to a pharmacy, a portal thread discussing dosage changes, a telehealth chat log attached to the chart, a voicemail transcript summarizing lab findings.
  • Safeguards: transport encryption, user authentication with MFA, message retention policies, and Audit Trails on message access and forwarding.

Billing and Claims Data Management

Claims and billing files carry identifiers plus diagnostic and procedure codes, making them ePHI. Practice management systems, clearinghouses, and revenue cycle tools that handle this data are in scope for HIPAA Compliance.

Because Business Associates frequently process claims, you must establish agreements, limit sharing to the minimum necessary, and harden data flows end to end.


  • Examples: X12 837 claim submissions, remittance (835) files listing patient names, CSV exports of accounts receivable with payer IDs and CPT/ICD-10 codes.
  • Safeguards: encryption for file transfer and storage, least-privilege Access Controls, and comprehensive Audit Trails for uploads, edits, and exports.

Clinical Notes and Documentation

Provider notes, discharge summaries, care plans, and scanned intake forms are ePHI when linked to an identifiable person. Audio dictations and their transcripts also qualify once they reference a patient.

Keep documentation organized, restrict who can copy or print, and monitor edits and attestations to preserve integrity and accountability.

  • Examples: SOAP notes, operative reports, scanned consent forms, scribe-entered encounter documentation, voice-to-text transcripts tied to a chart.
  • Safeguards: template governance, edit/version histories, print/download controls, and Audit Trails recording authorship and timestamps.

Lab Results in Electronic Format

Laboratory systems produce ePHI when results are identifiable—whether displayed in a portal, sent via HL7/FHIR, or saved as PDFs. Result flags, reference ranges, and specimen IDs tied to a person all fall under HIPAA.

You should ensure secure delivery to providers and patients, control downloads, and log every view or share of results.

  • Examples: a PDF of a CBC with the patient’s name, an HL7 ORU message routed to the EHR, a CSV export of test panels with MRNs.
  • Safeguards: encrypted report storage, positive patient identification for release, and Audit Trails for result access and printing.

Medical Device Data Integration

When device telemetry is linked to a person, it becomes ePHI. That includes bedside monitors, infusion pumps, implantable devices, and remote patient monitoring or wearables integrated into the record.

Because devices and gateways often sit on clinical networks, you need hardening, patching, and continuous monitoring, plus governance for vendors acting as Business Associates.

  • Examples: ECG waveforms saved to a chart, glucose sensor readings synced to a patient portal, home blood pressure data transmitted to a care team.
  • Safeguards: network segmentation, encrypted transport to the EHR, strong Access Controls on viewers, and device/log Audit Trails.

Conclusion

In practice, the best answer to “Which of the following is an example of ePHI?” is: all electronic records that identify a person and relate to health, care delivery, or payment. Treat EHR entries, images, eRx, claims, notes, labs, and device data as ePHI, and secure them with Data Encryption, Access Controls, and Audit Trails to meet HIPAA Compliance.

FAQs

What qualifies as electronic protected health information?

Electronic protected health information (ePHI) is any individually identifiable health or payment information in electronic form that a Covered Entity or its Business Associates create, receive, maintain, or transmit. If it can identify a person and relates to their health status, care, or billing—emails, images, files, messages, logs—it is ePHI. Properly de-identified data is not ePHI.

How does HIPAA regulate ePHI?

HIPAA’s Privacy Rule governs permissible uses and disclosures, while the Security Rule requires administrative, physical, and technical safeguards. Core expectations include risk analysis, minimum-necessary use, access management, Data Encryption (addressable but strongly recommended), workforce training, Business Associate Agreements, continuous monitoring, and breach notification when required.

What are common examples of ePHI?

Common ePHI includes EHR charts and portal data, DICOM imaging and PACS archives, e-prescriptions and secure messages, billing and claims files, clinical notes and scanned forms, electronic lab reports and HL7/FHIR results, and patient-linked device telemetry such as ECGs or glucose readings.

How do organizations safeguard ePHI?

Organizations implement layered controls: Data Encryption in transit and at rest, role-based Access Controls with MFA, endpoint and network protection, vetted Business Associates, strict change and patch management, resilient backups, data retention/disposal policies, user training, and detailed Audit Trails that record viewing, editing, exporting, and sharing.
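The audit trail requirement recurs throughout the article: log who viewed, edited, exported or shared a record (the lab results section asks for every view or share to be logged). A log that can be silently edited after the fact gives weak accountability, so the following added example, not code from the article or from Accountable, keeps an append-only, hash-chained trail of access events, verifies that no entry has been altered, and runs a simple detection over it for bulk exports. The actor names, record identifiers, timestamps and the export threshold are all constructed assumptions.

```python
import hashlib
import json

GENESIS_HASH = "0" * 64


def _entry_hash(entry):
    """SHA-256 over the canonical JSON of every field except the hash itself."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only access log; each entry commits to the previous entry's hash."""

    def __init__(self):
        self.entries = []

    def record(self, actor, action, record_id, timestamp, detail=""):
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry = {
            "seq": len(self.entries), "timestamp": timestamp, "actor": actor,
            "action": action, "record_id": record_id, "detail": detail,
            "prev_hash": prev_hash,
        }
        entry["hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return the index of the first tampered or out-of-order entry, else None."""
        prev_hash = GENESIS_HASH
        for i, entry in enumerate(self.entries):
            if (entry["seq"] != i or entry["prev_hash"] != prev_hash
                    or _entry_hash(entry) != entry["hash"]):
                return i
            prev_hash = entry["hash"]
        return None

    def events_for(self, record_id, actions=None):
        """Chronological events touching one record, optionally filtered by action."""
        return [e for e in self.entries
                if e["record_id"] == record_id and (actions is None or e["action"] in actions)]


def bulk_exporters(trail, threshold):
    """Actors whose export count reaches the threshold; a starting point for review."""
    counts = {}
    for entry in trail.entries:
        if entry["action"] == "export":
            counts[entry["actor"]] = counts.get(entry["actor"], 0) + 1
    return {actor for actor, n in counts.items() if n >= threshold}


def build_sample_trail():
    """Constructed events; actors, record ids and timestamps are not real."""
    trail = AuditTrail()
    trail.record("dr.lee", "view", "MRN-000123", "2025-08-08T09:00:00Z")
    trail.record("dr.lee", "edit", "MRN-000123", "2025-08-08T09:05:00Z", "allergy list updated")
    trail.record("billing.svc", "export", "MRN-000123", "2025-08-08T10:00:00Z", "837 claim")
    trail.record("billing.svc", "export", "MRN-000456", "2025-08-08T10:00:05Z", "837 claim")
    trail.record("billing.svc", "export", "MRN-000789", "2025-08-08T10:00:09Z", "837 claim")
    trail.record("nurse.kim", "view", "MRN-000456", "2025-08-08T11:30:00Z")
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print("chain intact:", trail.verify() is None)
    print("MRN-000123:", [e["action"] for e in trail.events_for("MRN-000123")])
    print("bulk exporters:", bulk_exporters(trail, threshold=3))
```

The chain only proves that entries were not changed after being written; it does not stop an attacker who controls the writer from appending false entries or truncating the tail, so in production the latest hash should be periodically copied to write-once storage or a separate system. The export threshold is deliberately low for the sample; a real detection would compare each actor against their own baseline and role.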
