What Is ePHI? Electronic Protected Health Information Explained

Practical guidance for healthcare teams and business associates

In February 2024, Montefiore Medical Center paid $4.75 million after a former employee stole the ePHI of 12,517 patients from electronic systems over a six-month period. OCR’s investigation found the health system had failed to analyze risks to ePHI stored across its electronic systems. The case illustrates a pattern regulators see constantly: organizations that treat ePHI as something that lives in one system rather than something that flows through dozens of them.

Where ePHI Actually Lives in Your Practice

Most practices think ePHI means whatever is inside their EHR. That assumption creates blind spots - and those blind spots are exactly where breaches happen. Understanding what qualifies as ePHI, where it actually resides, and what the Security Rule demands is the foundation of any real compliance program.

What Qualifies as ePHI?

Under 45 CFR 160.103, ePHI is any protected health information that is created, received, maintained, or transmitted in electronic form. That definition is deliberately broad. If a piece of data identifies a patient (or could reasonably be used to identify one) and relates to their health condition, treatment, or payment - and it exists electronically - it is ePHI.

ePHI does not include paper records or verbal communications. A handwritten chart note is PHI, but not ePHI. A hallway conversation between clinicians is PHI, but not ePHI. The moment that same information enters an electronic system - scanned, dictated into a recording, or typed into a portal message - it becomes ePHI and falls under the Security Rule.

Common examples include EHR data, emails containing patient information, digital X-rays, electronic billing records, voicemails, text messages, data on USB drives, cloud backups, and scheduling software databases.

The Places Practices Overlook

People are somewhat used to HIPAA by now - it has been around for a long time. But familiarity breeds complacency. Scheduling apps and website contact forms are excellent examples. A patient books an appointment through an online scheduler and enters their name, date of birth, and reason for the visit. That data is ePHI the moment the form is submitted. If the scheduling platform lacks proper safeguards, the practice has an exposure it may not even know about.

Email is another persistent problem. People send emails laden with PHI that are not encrypted, in a non-compliant fashion, countless times every day. An office manager forwards lab results using standard Gmail. A billing coordinator emails a claims spreadsheet to an accountant. Each instance creates ePHI in transit and at rest - in sent folders, inboxes, and server logs. For more on this, see the HIPAA rules for emailing PHI.

Mobile devices remain one of the biggest blind spots. A physician who checks patient messages on a personal phone has ePHI on that device. If the phone lacks encryption, a passcode, or remote wipe capability, one lost device becomes a reportable breach. The same applies to tablets, laptops, USB drives, and any portable media.

Cloud applications add another layer. Cloud-based fax services, hosted phone systems that store voicemails, and third-party analytics platforms all contain ePHI if they process patient data. Each requires a Business Associate Agreement and appropriate safeguards. Practices using AI tools should also understand what counts as PHI in AI prompts, since patient data entered into an AI system is ePHI.

How the Security Rule Protects ePHI

The HIPAA Security Rule (45 CFR Part 164 Subpart C) exists specifically to govern ePHI. While the Privacy Rule addresses who can access and disclose PHI in any form, the Security Rule focuses on the technical and operational controls required to protect health information in electronic systems.

The HIPAA Rule organizes safeguards into three main categories:

  • Administrative safeguards cover policies, procedures, and workforce training. This includes risk assessments, designating a security officer, and access management procedures. A thorough HIPAA risk assessment is the single most important administrative safeguard - and the one OCR checks first.

  • Physical safeguards address the tangible protections for hardware and facilities. Server rooms need restricted access. Workstations in patient-facing areas need privacy screens and automatic logoff. Devices must be tracked through their entire lifecycle, from deployment through disposal.

  • Technical safeguards deal with the technology controls that protect ePHI during storage and transmission. This includes access controls, audit logs, integrity controls, and transmission security. Encryption and multi-factor authentication are two of the most critical technical safeguards - and both are now expected by OCR as standard practice.

Securing ePHI in Practice

Compliance starts with knowing where ePHI exists. That means mapping every system, device, and application that creates, receives, maintains, or transmits patient data. Most practices are surprised by the length of that list.

Once the inventory is complete, each location needs appropriate safeguards. Encryption should protect ePHI both at rest and in transit. Access should follow the minimum necessary standard for each workforce member’s role. Audit logs should track who accessed what and when.

Workforce training matters as much as technology. Staff need to understand that forwarding a patient’s record by unencrypted email, saving a file to a personal device, or texting about a patient all create ePHI exposures. Policies only work when people follow them.

Every vendor that handles ePHI needs a Business Associate Agreement. That includes EHR vendors, cloud hosting providers, IT support companies, and any other entity that could access patient data in electronic form.

FAQs

Is a patient’s name alone considered ePHI? A name by itself is not ePHI. It becomes ePHI when combined with health information - such as a diagnosis, treatment record, or payment detail - and stored or transmitted electronically. A name in an appointment reminder that references a procedure is ePHI. A name on a generic mailing list with no health context is not.

Are paper records considered ePHI? No. Paper records are PHI, but the “e” in ePHI stands for electronic. Paper records fall under the Privacy Rule’s protections but not the Security Rule’s technical requirements. However, a paper record becomes ePHI the moment it is scanned, photographed, or otherwise converted into an electronic format.

Does ePHI include data stored in cloud applications? Yes. Any cloud-based system that stores, processes, or transmits identifiable patient data contains ePHI. This includes cloud EHRs, hosted email platforms, cloud fax services, online scheduling tools, and cloud backup solutions. Each requires a Business Associate Agreement and appropriate security controls.

What is the difference between PHI and ePHI? PHI is the broader category - it includes identifiable health information in any form, whether spoken, written on paper, or stored electronically. ePHI is the subset of PHI that exists in electronic form. The Privacy Rule governs all PHI. The Security Rule governs only ePHI, adding specific technical, physical, and administrative safeguard requirements.

Sources

  1. 45 CFR 160.103 - Definitions (ePHI, PHI, covered entity): 45 CFR 160.103 definitions
  2. HHS Security Rule Guidance: HHS Security Rule guidance
  3. Montefiore Medical Center Settlement (February 2024): Montefiore Medical Center settlement agreement
  4. NIST SP 800-66 Rev. 2 - Implementing the HIPAA Security Rule: NIST SP 800-66 Rev. 2 HIPAA Security Rule guidance

One Guy Consulting offers affordable HIPAA compliance packages for practices of all sizes. Learn more about One Guy Consulting