ePHI stands for electronic protected health information. It refers to any health information that can identify a specific person and is stored or sent using electronic media, such as computers, email, cloud storage, or portable drives. The term comes from HIPAA, the federal law that sets privacy and security standards for healthcare, and it sits at the center of how hospitals, clinics, insurers, and their partners are required to handle patient data.
How ePHI Differs From PHI
Protected health information (PHI) is the broader category. It covers any individually identifiable health information held by a healthcare organization or its business associates, regardless of format. That includes paper charts, verbal conversations, faxes, and electronic records alike. ePHI is the subset of PHI that exists in electronic form: stored on a server, saved to a hard drive, transmitted through a patient portal, or sent in an email.
The distinction matters because different HIPAA rules apply to each. The Privacy Rule governs all PHI in every format. The Security Rule applies specifically to ePHI and lays out detailed technical, physical, and administrative protections that organizations must put in place for electronic data. A handwritten note in a patient’s paper chart is PHI, but it only becomes ePHI once someone scans it and uploads it to a digital system.
What Makes Health Data “Identifiable”
Health information only qualifies as ePHI when it can be linked to a specific person. HIPAA defines 18 categories of identifiers that make this connection possible. If any of the following are attached to health data stored or transmitted electronically, that data is ePHI:
- Names
- Geographic data smaller than a state (street address, city, ZIP code)
- Dates directly related to the individual (birth date, admission date, discharge date, date of death), plus all ages over 89
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate or license numbers
- Vehicle identifiers, including license plate numbers
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers (fingerprints, voiceprints)
- Full-face photographs or comparable images
- Any other unique identifying number or code
Remove all 18 identifiers from a dataset and the remaining health information is considered “de-identified.” De-identified data is no longer ePHI and falls outside HIPAA’s requirements. This is how researchers often work with large health datasets without triggering privacy obligations.
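As an added illustration (not from the original article), the following Python script applies the 18-identifier test to a single patient record: it reports which identifier categories are present, decides whether the record is therefore ePHI, and produces a de-identified copy by dropping identifier fields, redacting identifiers that leak into free-text notes, and bucketing ages over 89. The field names, the regular expressions and the sample record are all assumptions constructed for the example; a real system's schema and its own de-identification review would replace them.

```python
import re

# Field names in the constructed sample schema, mapped to the HIPAA identifier category (assumed schema).
DIRECT_FIELDS = {
    "name": "Names", "zip": "Geographic data smaller than a state",
    "dob": "Dates related to the individual", "phone": "Phone numbers",
    "email": "Email addresses", "ssn": "Social Security numbers",
    "mrn": "Medical record numbers", "plan_id": "Health plan beneficiary numbers",
    "device_serial": "Device identifiers and serial numbers", "ip": "IP addresses",
}
# Identifiers that commonly leak into free-text fields such as clinical notes.
TEXT_PATTERNS = {
    "Email addresses": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "Phone numbers": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "Social Security numbers": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "IP addresses": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

def find_identifiers(record):
    """Return (category, field) pairs for every identifier present in the record."""
    hits = []
    for field, value in record.items():
        if field in DIRECT_FIELDS and value not in (None, ""):
            hits.append((DIRECT_FIELDS[field], field))
        elif isinstance(value, str):
            hits += [(cat, field) for cat, pat in TEXT_PATTERNS.items() if pat.search(value)]
        elif field == "age" and isinstance(value, int) and value > 89:
            hits.append(("Ages over 89", field))
    return hits

def is_ephi(record):
    """Health data that still carries any identifier is ePHI."""
    return bool(find_identifiers(record))

def deidentify(record):
    """Drop direct-identifier fields, redact identifiers in text, bucket ages over 89."""
    clean = {}
    for field, value in record.items():
        if field in DIRECT_FIELDS:
            continue
        if isinstance(value, str):
            for pat in TEXT_PATTERNS.values():
                value = pat.sub("[REDACTED]", value)
        elif field == "age" and isinstance(value, int) and value > 89:
            value = "90+"  # assumption: bucketed rather than dropped
        clean[field] = value
    return clean

SAMPLE = {  # constructed sample record, not real patient data
    "name": "Jane Doe", "dob": "1931-04-12", "age": 92, "zip": "02139", "mrn": "MRN-00042",
    "diagnosis": "Type 2 diabetes", "a1c": 7.4,
    "note": "Pt emailed jdoe@example.com; callback 555-123-4567 re: labs",
}
```

Running `find_identifiers(SAMPLE)` flags seven identifiers, including the two hiding inside the free-text note, and `deidentify(SAMPLE)` keeps only the diagnosis, the lab value, the bucketed age and the redacted note, which `is_ephi` no longer classifies as ePHI.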
Common Examples of ePHI
In practice, ePHI shows up everywhere in modern healthcare. Your electronic health record (EHR) is the most obvious example: it contains your diagnoses, lab results, medications, and insurance details alongside your name, date of birth, and contact information. But ePHI also includes billing records stored in a practice management system, digital X-rays or MRI scans tagged with your name, and even a voicemail left by a doctor’s office that mentions your appointment details if it’s stored digitally.
Emails between a provider and a patient discussing treatment are ePHI. So is a spreadsheet of patient names and insurance IDs sitting on a laptop, or a backup drive containing old records stored in a closet. Cloud-based systems, USB drives, tablets used during rounds, and archived databases all count as electronic media. If identifiable health data lives on it or passes through it, it’s ePHI.
What ePHI Does Not Include
Not every piece of electronic health data falls under HIPAA. Employment records that a covered entity maintains in its role as an employer are excluded, even if they contain health-related information like drug test results. Education records protected by the Family Educational Rights and Privacy Act (FERPA) are also carved out, which is why a university health clinic’s records for enrolled students may follow different rules.
Health data you generate on your own using a consumer fitness tracker or wellness app typically is not ePHI either, as long as the app maker isn’t working on behalf of a healthcare provider or insurer. The key factor is who holds the data. Information only becomes ePHI when it’s in the hands of a “covered entity” (a healthcare provider, health plan, or healthcare clearinghouse) or a “business associate” acting on their behalf.
How ePHI Must Be Protected
The HIPAA Security Rule requires three categories of safeguards for ePHI. Administrative safeguards are policies and procedures: things like workforce training, risk assessments, and designating a security officer. Physical safeguards control who can physically access the hardware and facilities where ePHI is stored, covering everything from locked server rooms to policies on workstation use. Technical safeguards are the digital protections themselves, such as access controls, audit logs, and encryption.
Organizations must also plan for emergencies. Contingency plans, data backups, and disaster recovery procedures are all part of the Security Rule’s requirements. The goal is to ensure ePHI remains confidential, intact, and available to authorized users at all times.
Proposed Changes to ePHI Security
In December 2024, the Department of Health and Human Services published a proposed rule to significantly strengthen ePHI protections. The proposal would require encryption of ePHI both when it’s stored and when it’s being transmitted, with only limited exceptions. Multi-factor authentication, the practice of verifying identity through two or more methods before granting access, would also become mandatory for most situations.
The proposal goes further on monitoring. Organizations would need to maintain a technology asset inventory and a network map showing how ePHI moves through their systems, updated at least every 12 months. Vulnerability scanning would be required at least every six months, and penetration testing (simulated cyberattacks to find weaknesses) at least once a year. These changes reflect the growing volume and sophistication of cyberattacks targeting healthcare systems, which now store virtually all patient data in electronic form.
Why ePHI Matters to Patients
Understanding ePHI helps you make sense of the privacy notices and consent forms you encounter at every doctor’s visit. When a provider asks you to sign a form about how your information will be used, they’re talking about ePHI. When a hospital notifies you of a data breach, the compromised data is ePHI. And when a health system requires you to log in through a secure portal rather than receiving results by regular email, that’s a technical safeguard in action.
The Breach Notification Rule adds another layer. If your ePHI is accessed or disclosed in a way HIPAA doesn’t allow, the organization that held it is required to notify you individually. In cases affecting 500 or more people, they must also notify HHS and, in some situations, the media. These requirements exist specifically because electronic data can be copied and distributed at a scale that paper records never could.