If you work in healthcare, or work with healthcare groups, you have heard the term "ePHI" hundreds of times. But when I ask clients to define it clearly, most of them pause. That pause is where compliance gaps start.
This article is the full explainer. We will cover what electronic Protected Health Information is, how it differs from PHI, where you are most likely to find it, and what the HIPAA Security Rule says you must do about it. No fluff, no legal jargon you need a decoder ring for - just hands-on guidance from someone who has helped groups get this right for years.
What ePHI Means, Who Must Protect It, and How
What Does ePHI Stand For?
ePHI stands for electronic Protected Health Information. It is a subset of Protected Health Information (PHI) that is created, received, stored, or sent in electronic form.
The split matters because ePHI triggers its own set of rules. The HIPAA Privacy Rule covers PHI in all formats - paper, oral, electronic. But the HIPAA Security Rule (45 CFR Part 164, Subparts A and C) applies only to ePHI. If data is protected health information and it exists in electronic form at any point in its life cycle, the Security Rule kicks in.
Put plainly: all ePHI is PHI, but not all PHI is ePHI.
The Formal Definition of ePHI Under HIPAA
Under 45 CFR 160.103, Protected Health Information is health data tied to a person that is created or received by a covered entity or business associate and relates to:
- The past, present, or future physical or mental health condition of an individual
- The provision of health care to an individual
- The past, present, or future payment for the provision of health care to an individual
That data becomes ePHI when it is created, received, kept, or sent using electronic media. The term "electronic media" is also defined at 45 CFR 160.103 and includes:
- Electronic storage media: hard drives, magnetic tape, removable storage devices, optical discs, and digital memory (such as RAM or flash drives)
- Transmission media: the internet, extranets, leased lines, dial-up lines, private networks, and the physical movement of electronic storage media from one location to another
The key point: ePHI is not limited to data in your EHR. It includes data moving across a network, data at rest on a backup drive in a locked cabinet, and data on a laptop that left the office in someone's bag last Friday.
ePHI vs. PHI: Understanding the Difference
The gap between PHI and ePHI is the medium, not the content. The same patient record can be PHI in one case and ePHI in another.
| Scenario | Classification |
|---|---|
| A printed lab result in a patient's paper chart | PHI (not ePHI) |
| That same lab result stored in the EHR system | ePHI |
| A physician verbally discussing a diagnosis with a nurse | PHI (not ePHI) |
| A voicemail recording of that same discussion on a digital system | ePHI |
| A faxed referral sent via a traditional analog fax machine | PHI (not ePHI) |
| A faxed referral sent via an electronic fax (eFax) service | ePHI |
| A handwritten prescription | PHI (not ePHI) |
| An e-prescription transmitted through a pharmacy network | ePHI |
Why does this matter? The safeguards differ. Paper PHI is governed by the Privacy Rule's administrative requirements alone. ePHI is governed by both the Privacy Rule and the Security Rule, and the Security Rule adds 54 implementation specifications across the administrative, physical, and technical safeguard categories.
For a deeper look, see our full guide on Protected Health Information (PHI).
Common Examples of ePHI
One of the most common mistakes I see during risk assessments is that groups greatly undercount where ePHI exists. Here are the areas where ePHI most often lives:
Clinical Systems
- Electronic Health Records (EHR/EMR systems)
- Laboratory information systems (LIS)
- Radiology information systems (RIS) and PACS imaging archives
- Pharmacy dispensing systems
- Clinical decision support tools
- Patient portals and personal health record platforms
- Telehealth platforms and recorded video sessions
Administrative and Financial Systems
- Practice management software
- Revenue cycle management and medical billing platforms
- Claims processing and clearinghouse transmissions
- Insurance eligibility verification systems
- Accounts receivable databases containing patient payment records
Communication Channels
- Email messages containing patient information
- Secure messaging platforms (and sometimes insecure ones)
- Text messages with patient data, including on personal devices
- Voicemail systems that store messages digitally
- Fax server logs and eFax transmissions
Storage and Infrastructure
- Database servers (on-premises and cloud-hosted)
- Backup tapes, drives, and cloud backup repositories
- File servers and network-attached storage (NAS)
- Workstation hard drives and solid-state drives
- Laptop computers, tablets, and smartphones
- USB flash drives, external hard drives, and portable media
- Virtual machine images and container storage volumes
- Data warehouse and analytics platforms
Often Overlooked ePHI Locations
- Photocopier and printer hard drives that cache scanned documents
- Dictation and transcription system recordings
- Medical device logs (infusion pumps, ventilators, monitors)
- Building access control systems linked to patient identity
- Security camera systems in clinical areas where patient identifiers are visible
- Audit logs that contain patient identifiers alongside access records
- Temporary files, caches, and recycle bins on workstations
If you cannot track where ePHI exists in your setting, you cannot protect it. That is not just my view - it is the core of the risk analysis rule at 45 CFR 164.308(a)(1)(ii)(A).
Who Must Protect ePHI?
The HIPAA Security Rule applies to two types of groups:
Covered Entities
Covered Entities (CEs) are the groups directly bound by HIPAA. They include:
- Health care providers who transmit any health information electronically in connection with a HIPAA-covered transaction (claims, eligibility inquiries, referral authorizations, etc.)
- Health plans: health insurance companies, HMOs, employer-sponsored group health plans, Medicare, Medicaid, and similar organizations
- Health care clearinghouses: entities that process health information received from another entity into a standard format, or vice versa
Business Associates
Business Associates (BAs) are people or groups that do work for, or provide services to, a Covered Entity that involves access to ePHI. Common examples include:
- Cloud hosting and data storage providers
- IT managed service providers
- Medical billing companies
- Claims processing firms
- EHR vendors
- Shredding and document destruction companies
- Accountants and auditors with ePHI access
- Attorneys providing services that require ePHI access
- Health information exchanges (HIEs)
Since the HITECH Act and the 2013 Omnibus Rule, Business Associates are directly liable for following the Security Rule. This is not optional, and a Business Associate Agreement alone does not fix it. BAs must on their own put in place the administrative, physical, and technical safeguards the Security Rule demands.
HIPAA Security Rule Requirements for ePHI
The Security Rule (45 CFR Part 164, Subpart C) sets the framework for guarding ePHI. It is split into three safeguard types, plus organizational and records rules. Here is what each type demands.
Administrative Safeguards (45 CFR 164.308)
Administrative safeguards are the policies, procedures, and management actions that shape how a group protects ePHI. They form the largest category of Security Rule requirements and include:
- Risk Analysis and Risk Management: You must conduct a thorough and accurate assessment of the potential risks and vulnerabilities to ePHI, then implement security measures to reduce those risks to a reasonable and appropriate level (§ 164.308(a)(1)(ii)(A)-(B))
- Sanction Policy: Workforce members who violate security policies must face appropriate sanctions (§ 164.308(a)(1)(ii)(C))
- Information System Activity Review: Regular review of audit logs, access reports, and security incident tracking (§ 164.308(a)(1)(ii)(D))
- Workforce Security: Procedures to ensure only authorized workforce members can access ePHI (§ 164.308(a)(3))
- Security Awareness and Training: Ongoing training for all workforce members, including security reminders, malware protection procedures, login monitoring, and password management (§ 164.308(a)(5))
- Security Incident Procedures: Policies for identifying, responding to, and reporting security incidents (§ 164.308(a)(6))
- Contingency Planning: Data backup plans, disaster recovery plans, and emergency mode operation plans (§ 164.308(a)(7))
- Business Associate Contracts: Written agreements that require BAs to appropriately safeguard ePHI (§ 164.308(b))
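The Information System Activity Review item above is the one most groups satisfy on paper and skip in practice. As an added illustration (not code from the original article), the block below runs three simple review checks over a constructed EHR access-audit extract: an action outside what the user's role permits, access outside assumed working hours, and one user touching more distinct patients in a day than an assumed threshold. The log format, the role-to-action policy, the working-hours window, and the threshold are all assumptions; a real review would load these from the system's own audit export and the group's own access policy.

```python
"""Added example: a minimal information-system activity review over
constructed EHR access-audit records.  Not the page's own code; the log
format, role policy and thresholds below are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit lines: timestamp, user, role, patient id, action.
SAMPLE_LOG = """\
2024-03-04T09:12:00 jsmith nurse MRN-1001 view
2024-03-04T09:15:00 jsmith nurse MRN-1002 view
2024-03-04T23:40:00 dlee billing MRN-1003 view_clinical_note
2024-03-04T10:02:00 rpatel physician MRN-1004 view
2024-03-04T10:03:00 rpatel physician MRN-1005 view
2024-03-04T10:04:00 rpatel physician MRN-1006 view
2024-03-04T10:05:00 rpatel physician MRN-1007 view
2024-03-04T10:06:00 rpatel physician MRN-1008 view
2024-03-04T10:07:00 rpatel physician MRN-1009 view
2024-03-04T02:15:00 tnguyen nurse MRN-1010 view
"""

# Assumed role policy (minimum necessary): which actions each role may perform.
ROLE_ACTIONS = {
    "physician": {"view", "view_clinical_note", "update"},
    "nurse": {"view", "view_clinical_note"},
    "billing": {"view"},  # billing needs demographics and charges, not clinical notes
}
WORK_HOURS = range(7, 20)   # 07:00-19:59 local time, assumed
BULK_THRESHOLD = 5          # distinct patients per user per day, assumed


def parse_log(text):
    """Parse the whitespace-separated audit lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "role": role, "patient": patient, "action": action})
    return records


def review_activity(records):
    """Return a list of (finding_type, user, detail, extra) tuples."""
    findings = []
    per_user_day = defaultdict(set)
    for r in records:
        # Check 1: action not permitted for the user's role.
        if r["action"] not in ROLE_ACTIONS.get(r["role"], set()):
            findings.append(("role_violation", r["user"], r["patient"], r["action"]))
        # Check 2: access outside the assumed working-hours window.
        if r["ts"].hour not in WORK_HOURS:
            findings.append(("after_hours", r["user"], r["patient"], r["ts"].isoformat()))
        per_user_day[(r["user"], r["ts"].date())].add(r["patient"])
    # Check 3: unusually broad access by one user in one day.
    for (user, day), patients in per_user_day.items():
        if len(patients) > BULK_THRESHOLD:
            findings.append(("bulk_access", user, day.isoformat(), len(patients)))
    return findings


if __name__ == "__main__":
    for finding in review_activity(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the sample data this reports the billing user's clinical-note access (and its late-night timestamp), a second after-hours access, and the physician who opened six records in one morning. The third finding is deliberately a prompt for review rather than an accusation: a physician covering a clinic may legitimately open many charts, which is why the threshold and the follow-up belong in the written activity-review procedure, not just in the script.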
Our HIPAA Security Rule guide walks through each of these rules in detail.
Physical Safeguards (45 CFR 164.310)
Physical safeguards protect the real-world setup - the buildings, rooms, gear, and media - where ePHI is accessed, stored, or sent:
- Facility Access Controls: Policies to limit physical access to electronic information systems and the facilities where they are housed (§ 164.310(a))
- Workstation Use: Policies specifying the proper functions to be performed at workstations, the manner in which they are to be performed, and the physical attributes of the surroundings (§ 164.310(b))
- Workstation Security: Physical safeguards that restrict access to authorized users at workstations that can access ePHI (§ 164.310(c))
- Device and Media Controls: Policies governing the receipt, removal, movement, disposal, and reuse of electronic media containing ePHI (§ 164.310(d))
Technical Safeguards (45 CFR 164.312)
Technical safeguards are the tech tools and related policies that guard ePHI and control access to it:
- Access Controls: Technical measures to allow only authorized persons to access ePHI, including unique user identification, emergency access procedures, automatic logoff, and encryption/decryption (§ 164.312(a))
- Audit Controls: Hardware, software, and procedural mechanisms that record and examine activity in systems containing ePHI (§ 164.312(b))
- Integrity Controls: Policies and procedures to protect ePHI from improper alteration or destruction, including electronic mechanisms to corroborate that ePHI has not been altered (§ 164.312(c))
- Person or Entity Authentication: Procedures to verify that a person or entity seeking access to ePHI is who they claim to be (§ 164.312(d))
- Transmission Security: Technical security measures to guard against unauthorized access to ePHI being transmitted over electronic communications networks, including integrity controls and encryption (§ 164.312(e))
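The Integrity Controls standard asks for an "electronic mechanism to corroborate that ePHI has not been altered". A plain checksum does not satisfy that on its own, because anyone who can rewrite a record can recompute its checksum. As an added example (not code from the article), the block below builds a keyed manifest with HMAC-SHA256 over a constructed set of records and then shows the verification catching a simulated alteration and a missing record. The record layout is an assumption, and so is the key handling: the key is generated in memory here, whereas in production it would be held outside the data store (for instance in a KMS or HSM) so that write access to the records does not imply the ability to forge the manifest.

```python
"""Added example: an integrity control for stored ePHI records using an
HMAC-SHA256 manifest (164.312(c)).  Not the page's code; the record
layout and the in-memory key are assumptions for illustration."""
import hashlib
import hmac
import json
import secrets

# Constructed sample records (not real patient data).
RECORDS = {
    "MRN-1001": {"dx": "E11.9", "visit": "2024-03-04"},
    "MRN-1002": {"dx": "I10", "visit": "2024-03-05"},
}


def canonical(record):
    """Stable serialization so identical content always digests identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(records, key):
    """One keyed digest per record id.  The key must not live beside the
    data (assumed: KMS/HSM); with a plain hash an editor of the record
    could simply recompute the hash."""
    return {rid: hmac.new(key, canonical(rec), hashlib.sha256).hexdigest()
            for rid, rec in records.items()}


def verify(records, manifest, key):
    """Return sorted ids whose content no longer matches the manifest,
    plus ids present on only one side (deleted or inserted records)."""
    tampered = []
    for rid in set(records) | set(manifest):
        if rid not in records or rid not in manifest:
            tampered.append(rid)
            continue
        actual = hmac.new(key, canonical(records[rid]), hashlib.sha256).hexdigest()
        # Constant-time comparison avoids leaking digest prefixes via timing.
        if not hmac.compare_digest(manifest[rid], actual):
            tampered.append(rid)
    return sorted(tampered)


def demo():
    """Build a manifest, alter one record out of band, and report what verify() flags."""
    key = secrets.token_bytes(32)
    manifest = build_manifest(RECORDS, key)
    assert verify(RECORDS, manifest, key) == []      # clean copy verifies
    altered = json.loads(json.dumps(RECORDS))        # deep copy
    altered["MRN-1001"]["dx"] = "Z00.00"             # simulated improper alteration
    return verify(altered, manifest, key)            # -> ['MRN-1001']


if __name__ == "__main__":
    print("records failing integrity check:", demo())
```

Run the verification on a schedule and after any restore from backup; a manifest that is stored and verified only at write time corroborates nothing about what happened afterwards.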
For a deep dive into access controls, read our guide on ePHI Access Control Best Practices.
Encryption and ePHI
Encryption needs special focus because it ties into both compliance and breach notice rules.
Under the Security Rule, encryption is an addressable spec, not a required one. That label confuses people. "Addressable" does not mean "optional." It means you must judge whether encryption fits your setting. If it does, you must use it. If you decide it does not, you must write down why and use an equal alternative. In practice, encryption is nearly always the right call. The cases where a valid option exists are few.
Encryption also plays a direct role in breach notification. Under 45 CFR 164.402, a breach is the access, use, or disclosure of unsecured PHI. The key word is unsecured. HHS defines "unsecured PHI" as PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons. Encryption that meets NIST standards is one of the two methods HHS recognizes for securing PHI (the other is destruction).
What this means in practice: if ePHI is properly encrypted and the key has not been exposed, an unauthorized access event is not a reportable breach. This is the single strongest reason to encrypt ePHI at rest and in transit.
For current encryption standards, see our HIPAA Encryption Requirements article.
ePHI and the Breach Notification Rule
When unsecured ePHI is breached, the Breach Notification Rule (45 CFR 164.400-164.414) creates specific duties based on your role.
Covered Entity Obligations
Covered Entities must:
- Notify affected individuals without unreasonable delay, and no later than 60 calendar days after discovery of the breach (§ 164.404)
- Notify HHS: for breaches affecting 500 or more individuals, notification must occur within 60 days; for breaches affecting fewer than 500 individuals, notification may be submitted annually (§ 164.408)
- Notify prominent media outlets when a breach affects 500 or more residents of a state or jurisdiction (§ 164.406)
Business Associate Obligations
Business Associates must notify the Covered Entity of a breach of unsecured PHI without unreasonable delay, and no later than 60 calendar days after discovering it (§ 164.410). The BA's duty under the Breach Notification Rule ends there: it does not notify affected individuals, HHS, or the media on its own. The CE handles individual notice, HHS reporting, and media notice as needed.
This is a key point that often causes mix-ups. During incident response, both parties must know their roles. The Business Associate Agreement must clearly spell out the notice timeline and required details.
De-Identification: When ePHI Stops Being ePHI
Data that has been properly stripped of identifiers under 45 CFR 164.514 is no longer PHI - and so no longer ePHI - even if it stays in electronic form. Once stripped, the data falls outside the scope of the HIPAA Privacy and Security Rules entirely.
HIPAA allows two methods:
- Expert Determination (§ 164.514(b)(1)): A qualified statistical or scientific expert finds that the risk of identifying a person from the data is very small.
- Safe Harbor (§ 164.514(b)(2)): Eighteen specific types of identifiers are removed, and the covered entity has no actual knowledge that the remaining data could identify an individual.
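Safe Harbor is mechanical in principle but easy to get wrong in detail: some identifier classes are dropped outright, while others are generalized (dates keep only the year, ages of 90 and above collapse into a single "90+" category, ZIP codes keep only the first three digits and become 000 for sparsely populated prefixes). As an added example (not the article's own code), the block below applies those rules to a constructed patient record. The field names are assumptions, the restricted ZIP3 set is a labelled placeholder, and the free-text scrubbing covers only a few patterned identifiers; names and other unpatterned identifiers in free text still need review, which is exactly why the "no actual knowledge" condition exists.

```python
"""Added example: a Safe Harbor de-identification pass (164.514(b)(2))
over a constructed record.  Not the page's code; field names are
assumptions and RESTRICTED_ZIP3 is a placeholder, not the real list."""
import re
from datetime import date

# Assumed field names mapped to Safe Harbor classes that are removed outright:
# names, phone/fax, email, SSN, MRN, plan/account numbers, license, vehicle,
# device ids, URLs, IP addresses, biometrics, full-face photos, other unique codes.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "plan_id", "account_no",
    "license_no", "vehicle_id", "device_serial", "url", "ip", "biometric",
    "photo", "other_unique_id",
}
# Dates directly related to the individual: keep the year only.
DATE_FIELDS = {"birth_date", "admit_date", "discharge_date", "death_date"}
# ZIP3 prefixes covering 20,000 people or fewer must become "000".
# PLACEHOLDER: constructed sample values; populate from current HHS/census data.
RESTRICTED_ZIP3 = {"036", "059"}
# Patterned identifiers scrubbed from free-text fields (SSN, phone, email).
PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
]


def generalize_zip(zip_code):
    """First three digits, or 000 for a restricted prefix."""
    zip3 = zip_code[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_on(dob, as_of):
    """Whole years between dob and as_of."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def scrub_text(text):
    for pattern in PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text


def deidentify(record, as_of):
    """Return a new dict with Safe Harbor identifiers removed or generalized."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue                                  # removed outright
        if field in DATE_FIELDS:
            out[field] = str(date.fromisoformat(value).year)
        elif field == "zip":
            out[field] = generalize_zip(value)
        elif isinstance(value, str):
            out[field] = scrub_text(value)
        else:
            out[field] = value
    if "birth_date" in record:
        age = age_on(date.fromisoformat(record["birth_date"]), as_of)
        if age >= 90:
            out["age"] = "90+"
            out.pop("birth_date", None)   # even the birth year would reveal age > 89
        else:
            out["age"] = str(age)
    return out


# Constructed sample record (not real patient data).
SAMPLE_RECORD = {
    "name": "Jane Doe", "mrn": "MRN-1001", "ssn": "123-45-6789",
    "email": "jane@example.com", "phone": "555-010-0199",
    "birth_date": "1931-06-15", "admit_date": "2024-03-04",
    "zip": "03601", "diagnosis": "E11.9",
    "notes": "Patient's daughter can be reached at 555-010-0200.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, date(2024, 3, 4)))
```

The output keeps the diagnosis, the admission year, the generalized ZIP, and a scrubbed note; it drops the birth date entirely because the patient is over 89. A record for a younger patient keeps the birth year and the exact age.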
De-identification is useful for analytics, research, and data sharing. But it must be done right. Sloppy or partial de-identification leaves you fully bound by HIPAA. We cover this in our HIPAA De-Identification Requirements guide.
Practical Steps to Protect ePHI in Your Organization
Compliance is not just about knowing the rules. It is about putting them to work. Here are the steps I walk clients through during HIPAA consulting projects.
1. Conduct a Comprehensive ePHI Inventory
Before you can protect ePHI, you need to know where it lives. Map every system, app, device, and medium that creates, receives, stores, or sends ePHI. Include cloud services, mobile devices, medical devices, and third-party links. This list feeds right into your risk analysis.
2. Perform a Risk Analysis
The risk analysis at 45 CFR 164.308(a)(1)(ii)(A) is the single most important Security Rule requirement. It is also the one cited most often in HHS enforcement actions. A proper risk assessment identifies threats and vulnerabilities across your entire environment and rates the likelihood and impact of each risk.
3. Implement Risk-Based Safeguards
Based on your risk findings, put in place administrative, physical, and technical safeguards that bring risks down to a fair and proper level. Hit high-risk areas first. Write down every choice, including choices not to use a certain measure and the reason behind it.
4. Encrypt ePHI at Rest and in Transit
Use encryption that meets NIST standards for all ePHI - on servers, workstations, laptops, mobile devices, portable media, backups, and all channels. As noted above, this not only meets the Security Rule but also gives you safe harbor from breach notice rules.
5. Enforce Access Controls
Apply the minimum necessary standard. Grant ePHI access only to staff who need it for their jobs. Enforce that access through tech controls: role-based access, unique user IDs, auto session cutoff, and multi-factor login. See our ePHI Access Control Best Practices for detailed steps.
6. Train Your Workforce
Security training must go to all staff - not just clinicians and not just IT. Training should cover spotting phishing, handling ePHI the right way, password hygiene, reporting incidents, and the results of breaking the rules. Training must be ongoing, not a one-time event.
7. Establish Incident Response Procedures
Have a written, tested response plan before you need one. Know who does what, how breaches are found and reported inside your group, what the notice timelines are, and how evidence is saved. Our incident management services can help you build and test these steps.
8. Manage Business Associate Relationships
Keep a current list of all Business Associates. Make sure every BA tie is covered by a valid Business Associate Agreement. Check from time to time whether your BAs are meeting their Security Rule duties. You cannot hand off your compliance duties by contract.
9. Document Everything
The Security Rule says policies, procedures, and records must be kept for six years from the date created or the date the policy was last in effect, whichever is later (45 CFR 164.316(b)(2)(i)). If you did not write it down, you cannot prove you did it. During an HHS probe or audit, your records are your main defense.
Penalties for Failing to Protect ePHI
Failing to protect ePHI carries steep consequences:
| Penalty Tier | Description | Penalty Per Violation | Annual Cap |
|---|---|---|---|
| Tier 1 | Did not know and could not have reasonably known | $141 - $71,162 | $2,134,831 |
| Tier 2 | Reasonable cause, not willful neglect | $1,424 - $71,162 | $2,134,831 |
| Tier 3 | Willful neglect, corrected within 30 days | $14,232 - $71,162 | $2,134,831 |
| Tier 4 | Willful neglect, not corrected within 30 days | $71,162 - $2,134,831 | $2,134,831 |
Penalty amounts are adjusted each year for inflation. Figures above reflect 2024 adjusted amounts per HHS.
Beyond fines, groups face reputational harm, loss of patient trust, mandatory corrective action plans, and possible criminal charges for knowing violations. State attorneys general may also bring cases under HITECH, adding further legal risk.
Frequently Asked Questions About ePHI
Is a patient's name alone considered ePHI?
A patient's name by itself is not ePHI. It becomes ePHI when it is paired with health data - a diagnosis, treatment record, payment info, or other health-related data - and is in electronic form. A name on a waiting room sign-in sheet, with no linked health data in the system, is not ePHI. But a patient's name stored next to their visit record in a scheduling system is ePHI.
Are emails containing patient information considered ePHI?
Yes. Any email with health data tied to a person is ePHI. This covers emails between providers about a patient's treatment, emails to patients with test results, and even subject lines that hold patient names or medical details. Email systems that handle ePHI must follow the Security Rule's transit security rules, including encryption.
Is data stored in the cloud considered ePHI?
If cloud data meets the definition of Protected Health Information and it is in electronic form - which cloud data always is - then yes, it is ePHI. The cloud provider is a Business Associate and must sign a BAA. The Covered Entity remains on the hook for making sure proper safeguards are in place no matter where the data sits.
Does ePHI include information on paper that was scanned?
Once a paper document is scanned and saved in digital form, the digital version is ePHI (if it holds health data tied to a person). The original paper copy stays PHI governed by the Privacy Rule. Both must be guarded under their own rules.
What happens if ePHI is texted on a personal phone?
Texts with patient health data on personal devices are ePHI. If the texts are not encrypted and the device has no proper safeguards, the group is likely out of compliance. This is one of the most common and most risky gaps I run into. Groups need clear BYOD policies and secure messaging tools to fix this.
How long must ePHI be retained?
HIPAA itself does not set a specific hold period for ePHI or medical records - that is set by state law, which varies. But the Security Rule says that records of policies, procedures, and security actions must be kept for six years (45 CFR 164.316(b)(2)(i)). As long as ePHI is kept in any form, the Security Rule applies. Getting rid of ePHI must also follow proper steps under the device and media controls standard at 45 CFR 164.310(d).
Conclusion
ePHI is not a hard concept. But the duties that flow from it are large. Every electronic system that touches health data tied to a person - from your EHR to your email server to the smartphone in your clinician's pocket - falls under the HIPAA Security Rule. Knowing what ePHI is, where it exists in your setting, and what the Security Rule demands is the starting point for real compliance.
If you are not sure your group is guarding ePHI well, or if you need help with a risk analysis, building out your safeguard program, or handling an incident, One Guy Consulting can help. We provide practical, no-nonsense HIPAA compliance consulting for covered entities and business associates. Schedule a risk assessment or reach out directly to start the talk.
Sources
- U.S. Department of Health and Human Services. "Summary of the HIPAA Security Rule." HHS Summary of the HIPAA Security Rule
- 45 CFR Part 160, General Administrative Requirements. 45 CFR Part 160 - eCFR
- 45 CFR Part 164, Security and Privacy. 45 CFR Part 164 - eCFR
- HHS Breach Notification Rule. 45 CFR 164.400-164.414. HHS Breach Notification Rule Guidance
- HHS Guidance on HIPAA & Cloud Computing. HHS HIPAA and Cloud Computing Guidance
- NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices. NIST SP 800-111 Storage Encryption Guide
Disclaimer: This article is provided for informational and educational purposes only. It does not constitute legal advice. HIPAA compliance requirements are complex and fact-specific. Consult with a qualified attorney or compliance professional for guidance tailored to your organization's specific circumstances. One Guy Consulting provides compliance consulting services but does not provide legal representation.
Key stat: The scope of ePHI keeps growing as healthcare goes digital. OCR has confirmed that ePHI includes data in EHR systems, email, cloud storage, mobile devices, wearable health tech, IoT medical devices, and even voice recordings. Any electronic medium that creates, receives, keeps, or sends health data tied to a person falls under the Security Rule.