Definition

electronic protected health information (ePHI)

Rahul Awati

By

Rahul Awati

What is electronic protected health information (ePHI)?

Electronic protected health information (ePHI) is protected health information that is produced, saved, transferred or received in an electronic form. In the United States, ePHI management and security is covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.

In the United States, PHI in the context of HIPAA refers to healthcare information about a patient that can identify them. PHI can be stored in paper or electronic form. The electronic form is known as ePHI.

Many types of electronically stored medical information are considered ePHI. The U.S. Department of Health and Human Services defines ePHI identifiers as the following data:

Name.
Address.
Contact details, such as the following:
- Phone number.
- Fax number.
- Email address.
Social Security number.
Relevant dates directly related to an individual, including the following:
- Birthdate.
- Date of admission.
- Date of discharge.
- Date of death.
Medical record numbers.
Health insurance plan beneficiary number.
Account number.
Vehicle identifiers, e.g., license plate numbers.
Certificate or license number.
IP address.
Device attributes.
Digital identifiers, such as the following:
- Website URLs.
- Social media accounts.
Biometric identifiers, such as the following:
- Fingerprints.
- Voiceprints.
Full face photos.
Other uniquely identifying characteristics or numbers.

HIPAA compliance checklist — Complying with HIPAA is essential to securing electronic protected health information.

Examples of ePHI records

All the following records contain ePHI that can be used to identify a patient:

Laboratory reports and test results.
Electronically stored appointments, e.g., appointments stored in a scheduling app.
Electronically stored information about procedures performed by a healthcare provider.
Electronically stored patient notes.
E-prescriptions.
Emails and phone records, i.e., communication between the patient and a healthcare provider.
Bills.
Digital scans, including X-rays and magnetic resonance imaging scans.
Admissions and discharge records.

Why is ePHI collected?

Medical professionals and healthcare organizations, including doctors and hospitals, collect and store ePHI to identify patients and determine what kind of care they need. In doing so, they can design a safe and personalized care plan and deliver high-quality, cost-effective care in the most efficient manner. For instance, a referring provider may wish to share digital imaging results with a subspecialist for an e-consult to obtain a more precise diagnosis.

Health insurers and healthcare clearinghouses also collect ePHI in connection with billing, insurance coverage verification, claim assessment, reimbursements and similar transactions.

While conducting research with human subjects, such as clinical trials, researchers may also collect ePHI from study participants to better understand and analyze their results. For example, researchers who are investigating chronic conditions, like asthma or diabetes, might want to look at whether people who live in certain geographic areas are more likely to have these diseases. If this information is entered into the participant's electronic medical record or is used to deliver care through the study, such as evaluating an intervention, then it becomes ePHI.

In HIPAA documentation, any organization or corporation that directly handles ePHI is referred to as a covered entity (CE). A CE refers to healthcare providers, health plans and healthcare clearinghouses -- e.g., billing services, repricing companies, community health management information systems -- and it can be an organization or an individual.

A business associate (BA) is a third-party vendor or subcontractor that provides some service to a CE, such as data storage or software development. Both CEs and BAs can create and access PHI, as long as they have implemented the security safeguards mandated by the HIPAA Security Rule.

What is not considered ePHI?

Information that is not one of HIPAA's 18 identifiers or not used in connection with healthcare delivery is not considered to be ePHI. In addition, any information that is not collected or maintained by a CE or BA is not ePHI.

The following information is also not considered ePHI:

Information in an individual's school or employment records.
Health data that is stripped of any identifiers, also known as deidentified or anonymized data.
Information stored in electronic media, e.g., apps or wearable devices, that is only accessed or shared by the person to whom that data belongs,

Where is ePHI stored?

A healthcare organization can store and access ePHI in many types of IT infrastructure and end-user devices:

Computers.
External hard drives.
Digital storage systems.
Magnetic tapes.
Smartphones.
Other portable devices.

EPHI can also be stored in the cloud, as long as the organization has a BA agreement in place and applies the same HIPAA-compliant security requirements to the ePHI that it applies to on-premises ePHI.

EPHI and HIPAA

All CEs and BAs that fall under the purview of HIPAA are required to protect ePHI by complying with the HIPAA Security Rule and HIPAA Privacy Rule. Noncompliance with either rule can result in civil or criminal penalties against the noncompliant organization or individual.

EPHI and HIPAA Security Rule

All CEs, including hospitals, doctors' offices and health insurance providers, must abide by HIPAA Security Rule guidelines when handling ePHI. This includes ePHI data at rest, as well as ePHI data in transit.

CIA triad diagram — Covered entities are required to take reasonable steps to ensure the confidentiality, integrity and availability of all ePHI created, received, maintained or transmitted.

According to the HIPAA Security Rule, CEs must take reasonable steps to ensure the confidentiality, integrity and availability (CIA triad) of all ePHI they create, receive, maintain or transmit. This includes identifying and protecting against reasonably anticipated threats to the security or integrity of the information.

Because the healthcare marketplace is so diverse, the HIPAA Security Rule for ePHI is designed to be flexible and enable CEs to implement policies, procedures and technologies that are appropriate to the entity's size, capabilities and risk appetite. To help CEs plan appropriately, the rule specifies a series of administrative, physical and technical security procedures -- known as safeguards -- that CEs must implement to use to assure the CIA of ePHI.

Safeguards for ePHI security under HIPAA Security Rule

The HIPAA Security Rule specifies three categories of safeguards that CEs must implement to protect ePHI: administrative, physical and technical.

Administrative

Implement measures to prevent, detect, contain and mitigate security violations.
Identify and analyze potential risks to ePHI, and implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
Designate a security official to be responsible for developing and implementing the organization's security policies and procedures.
Implement policies and procedures to ensure appropriate access to ePHI.
Implement measures to supervise workforce members who work with or access ePHI.
Perform periodic assessments to determine how well the implemented security policies and procedures meet the requirements of the HIPAA Security Rule.

Physical

Limit physical access to facilities, while still ensuring that authorized access is allowed.
Implement policies and procedures that specify the proper use, transfer, removal and disposal of electronic media containing ePHI.

Technical

Implement technical policies and procedures that allow only authorized persons to access ePHI.
Implement hardware, software and/or procedural mechanisms to log and analyze activity in information systems that contain or use ePHI.
Implement policies and procedures to prevent the improper alteration or destruction of ePHI.
Implement technical security measures, such as encryption, to guard against unauthorized access to ePHI as it is being transmitted over an electronic network.

EPHI and HIPAA Privacy Rule

The HIPAA Privacy Rule requires organizations that conduct healthcare transactions electronically to take reasonable steps to limit the use and disclosure of PHI, including ePHI. Per this rule, they must implement appropriate measures to protect the privacy of PHI. The rule also sets several limits and conditions regarding the use and disclosure of PHI that may be made without an individual's authorization.

In addition, the rule clarifies the rights that individuals have over their own PHI, including the right to do the following:

Examine and obtain a copy of their health records.
Request correction of their health records.
Direct a CE to transmit an electronic copy of their PHI to a third party.

HIPAA requires CEs to implement appropriate safeguards to protect ePHI throughout its lifecycle. See how to properly dispose of ePHI under HIPAA.

This was last updated in March 2024

Continue Reading About electronic protected health information (ePHI)

How 4 EHR vendors are leveraging generative AI in clinical workflows

Understanding the nuances of the healthcare cybersecurity regulatory landscape

Communicating with a patient's family under the HIPAA Privacy Rule

What is the Health Breach Notification Rule, who does it apply to?

How BCBS MA combats DME, telemedicine fraud schemes

Dig Deeper on Heathcare policy and regulation

CIO

FTC bans noncompete agreements in split vote
Now that the FTC has issued its final rule banning noncompete clauses, it's likely to face a bevy of legal challenges.
Ally's generative AI strategy eyes multiple LLMs, AI agents
The digital bank plans to privately host multiple LLMs on its GenAI platform, explore autonomous agent technology and evaluate ...
States act on privacy laws as Congress considers new bill
The American Privacy Rights Act introduced this week aims to establish a national privacy standard that would preempt state ...

Cloud Computing

Explore CASB use cases before you decide to buy
CASB tools help secure cloud applications so only authorized users have access. Discover more about this rapidly evolving ...
10 cloud vulnerabilities that can cripple your environment
Enterprises can be devastated by security-related weaknesses or flaws in their cloud environments. Find out where you are most ...
Learn the basics of industry cloud platforms
Healthcare, finance and other specialized industries can ask a lot of cloud services. Find out more about industry cloud ...

Mobile Computing

Simplify mobile app development for the enterprise
Without the right resources, mobile app development can be challenging. Find out how to start the process and the best tools to ...
4 types of mobile security models and how they work
Learn about the different mobile security models that organizations can choose from and how vendors combine cloud-based threat ...
The ultimate guide to mobile device security in the workplace
Mobile devices provide connectivity for employees to access business data and communicate with colleagues, but these unique ...

Risk & Repeat: Change Healthcare's bad ransomware bet
This Risk & Repeat podcast discusses Change Healthcare's ransomware attack and the apparent further spread of sensitive data ...
Dymium scares ransomware attacks with honeypot specters
Dymium, a security startup that recently emerged from stealth, offers ransomware defense for data stores with a network of ...
Cisco zero-day flaws in ASA, FTD software under attack
Cisco revealed a nation-state threat campaign dubbed "ArcaneDoor" exploited two zero-day vulnerabilities in its Adaptive Security...

How to manage storage resiliency
Resilient storage has never been more important to an organization than it is now. Ensure storage systems can respond to issues ...
How to optimize AI investments through cloud modernization
Cloud-focused services will help with AI workloads. Users also plan to use on-premises storage for AI and should take the ...
Cyber-resilient storage a final defense against ransomware
Features to enhance storage cyber resiliency should be table stakes for buyers, experts say. But enhancements are needed to stave...

Close