The HIPAA Security Rule addresses one specific type of health information: electronic protected health information, commonly called ePHI. This is individually identifiable health information that is created, received, stored, or transmitted in electronic form. Paper records and verbal communications fall outside the Security Rule’s scope entirely, even if they contain the exact same data.
What Counts as Electronic Protected Health Information
For electronic health data to qualify as ePHI, two conditions must be met. First, the information must be individually identifiable, meaning it can be linked to a specific person. Second, it must relate to that person’s past, present, or future health condition, the health care they received, or payment for that care. A lab result sitting in a database with no identifier attached is just data. That same lab result tied to a patient’s name, date of birth, or medical record number becomes ePHI.
The “electronic” part covers a wide range of formats: data in electronic health record systems, billing files sent between a hospital and an insurer, email messages containing patient details, information stored on portable drives or cloud servers, and data transmitted across networks. If it’s digital and it identifies a patient in connection with their health, it falls under the Security Rule.
The 18 Identifiers That Make Health Data Protected
HIPAA specifies 18 types of identifiers that, when linked to health information, make that information individually identifiable. These are the data points that connect a health record to a real person:
- Names
- Geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code and equivalent geocodes), with one exception: the first three digits of a ZIP code may be kept when the area sharing those three digits contains more than 20,000 people; for smaller areas the three digits become 000
- All elements of dates except the year that are directly tied to an individual (birth date, admission date, discharge date, date of death), plus all ages over 89 and any date elements, including the year, that indicate such an age; these may be aggregated into a single category of age 90 or older
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate or license numbers
- Vehicle identifiers and serial numbers, including license plates
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers such as fingerprints and voiceprints
- Full-face photographs or comparable images
- Any other unique identifying number, characteristic, or code
If even one of these identifiers is attached to health-related data in an electronic system, that data is ePHI and the Security Rule applies.
How the Security Rule Differs From the Privacy Rule
The Privacy Rule and the Security Rule protect different slices of the same information. The Privacy Rule covers all protected health information regardless of format: paper charts, verbal conversations between providers, faxes, and electronic records alike. The Security Rule is narrower. It applies only to the electronic portion of that information.
Think of it this way: a doctor’s handwritten notes in a paper chart are governed by the Privacy Rule but not the Security Rule. The moment those notes are entered into an electronic health record system, the Security Rule kicks in. Both rules work together, but the Security Rule exists specifically because electronic data faces threats that paper records do not face in the same way: remote compromise, bulk copying and exfiltration over a network, and the loss of an entire database at once.
Who Must Protect This Information
The Security Rule applies to covered entities and their business associates. Covered entities fall into three categories: health care providers who transmit information electronically (doctors, clinics, pharmacies, nursing homes, dentists, psychologists), health plans (insurance companies, HMOs, employer-sponsored plans, Medicare, Medicaid), and health care clearinghouses that process health data into standardized formats.
Business associates are companies or individuals that create, receive, maintain, or transmit ePHI on behalf of a covered entity. This includes billing services, cloud storage providers, IT contractors, and similar third parties. A written business associate agreement (BAA) must spell out their obligations to protect that data, and a subcontractor that handles ePHI for a business associate is itself a business associate with the same obligations. If an organization doesn’t fall into any of these categories, the Security Rule doesn’t apply to it.
Mobile Apps and Online Tracking
The digital landscape has expanded what counts as ePHI in ways that weren’t obvious when HIPAA was first written. When a covered entity offers a mobile app, say a hospital’s diabetes management tool where patients log glucose levels and insulin doses, the data collected through that app is generally ePHI. That includes not just the health data a patient types in, but also device-level information like IP addresses, geolocation, and device IDs, because those details can identify the individual using the app.
Online tracking technologies on a covered entity’s website can also create ePHI. If a hospital’s website uses analytics tools that capture a visitor’s IP address along with the fact that they visited a page about a specific health condition, that combination can meet the definition of individually identifiable health information. The key factor is whether the information connects an identifiable person to their health, health care, or payment for care.
One important boundary: apps that are not developed or offered by a covered entity or its business associate fall outside HIPAA entirely. If you download a generic fitness tracker from the app store and enter your health data, HIPAA does not protect that information, regardless of how sensitive it is.
When Health Information Is No Longer Protected
Health data that has been properly de-identified falls outside the Security Rule because it no longer qualifies as protected health information. HIPAA provides two paths to de-identification. The Safe Harbor method requires removing all 18 identifiers listed above, and the organization must have no actual knowledge that the remaining data could be used, alone or in combination with other information, to identify an individual. The Expert Determination method requires a person with appropriate knowledge of and experience with generally accepted statistical and scientific methods to determine, and document, that the risk of identifying any individual from the data is very small.
Once health information is de-identified through either method, it is no longer ePHI. Organizations can use, share, and store it without triggering the Security Rule’s requirements. This is how large datasets get used for research and public health analysis without violating patient protections.
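The two passages above (the identifier list, which decides whether a record is ePHI, and the Safe Harbor method, which strips those identifiers) can be expressed as a single check-and-scrub routine. The following is an added example written for this page, not code from the original article or from any HIPAA guidance. It assumes a flat record with the field names shown (an assumption, not a HIPAA requirement), a caller-supplied placeholder set of three-digit ZIP prefixes covering 20,000 or fewer people (a real deployment would load these from current census data), and a small set of free-text patterns that is illustrative rather than complete. The sample record is constructed and not real patient data.

```python
# Added example (not from the article). Assumes a flat record with the field
# names below and a caller-supplied set of low-population ZIP prefixes.
import re
from datetime import date

# Structured fields that are Safe Harbor identifiers outright: dropped entirely.
DIRECT_ID_FIELDS = frozenset({
    "name", "address", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip", "biometric", "photo",
})
DATE_FIELDS = frozenset({"dob", "admitted", "discharged", "died"})  # keep year only
# Assumption (placeholder): prefixes whose ZIP area holds 20,000 or fewer people;
# a real deployment loads these from census data. They must become "000".
LOW_POPULATION_ZIP3 = frozenset({"036", "059", "102"})
_FULL_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
# Free-text patterns (illustrative; production scrubbers need far broader coverage).
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
}


def _age_in_years(record, reference):
    """Age from a numeric 'age' or a full ISO 'dob'; None if unknown or already aggregated ('90+')."""
    try:
        return int(record.get("age"))
    except (TypeError, ValueError):
        pass
    dob = record.get("dob")
    if isinstance(dob, str) and _FULL_DATE.match(dob):
        d = date.fromisoformat(dob)
        return reference.year - d.year - ((reference.month, reference.day) < (d.month, d.day))
    return None


def find_identifiers(record, reference_date=None):
    """Names of the Safe Harbor identifiers present; an empty set means none found."""
    reference_date = reference_date or date.today()
    found = set()
    for field, value in record.items():
        if value in (None, ""):
            continue
        if field in DIRECT_ID_FIELDS:
            found.add(field)
        elif field in DATE_FIELDS and _FULL_DATE.match(str(value)):
            found.add(field)  # carries month and day, not just the year
        elif field == "zip" and len(str(value)) > 3:
            found.add("zip")
        elif isinstance(value, str):
            found.update(f"{name} in {field}" for name, pat in FREE_TEXT_PATTERNS.items() if pat.search(value))
    age = _age_in_years(record, reference_date)
    if age is not None and age > 89:
        found.add("age_over_89")
    return found


def is_ephi(record, reference_date=None):
    """Health data with even one identifier attached is ePHI."""
    return bool(find_identifiers(record, reference_date))


def safe_harbor(record, reference_date=None):
    """Return a Safe Harbor de-identified copy of the record."""
    reference_date = reference_date or date.today()
    age = _age_in_years(record, reference_date)
    over_89 = age is not None and age > 89
    out = {}
    for field, value in record.items():
        if value in (None, "") or field in DIRECT_ID_FIELDS:
            continue
        if field == "zip":
            zip3 = str(value)[:3]
            out["zip3"] = "000" if zip3 in LOW_POPULATION_ZIP3 else zip3
        elif field in DATE_FIELDS:
            if field == "dob" and over_89:
                continue  # even the birth year would reveal an age over 89
            out[field] = str(value)[:4]
        elif field == "age":
            out["age"] = "90+" if over_89 else value
        elif isinstance(value, str):
            text = value
            for pat in FREE_TEXT_PATTERNS.values():
                text = pat.sub("[REDACTED]", text)
            out[field] = text
        else:
            out[field] = value
    if over_89:
        out["age"] = "90+"  # ages over 89 collapse into one category
    return out


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample", "mrn": "MRN-0042", "dob": "1931-05-20",
    "zip": "02139", "admitted": "2023-11-03", "diagnosis": "Type 2 diabetes",
    "note": "Reachable at 617-555-0142 or jane.sample@example.com; last HbA1c 7.9",
}
REFERENCE_DATE = date(2024, 1, 15)
```

Running `find_identifiers(SAMPLE_RECORD, REFERENCE_DATE)` reports the name, MRN, full birth and admission dates, five-digit ZIP, the phone number and e-mail buried in the free-text note, and the over-89 age derived from the birth date; `safe_harbor` then drops the direct fields, keeps only the ZIP prefix and the admission year, removes the birth date entirely because the year alone would reveal an age over 89, and replaces the note's identifiers. Re-running `find_identifiers` on the output returns an empty set, which is the check worth automating: the output must carry none of the 18 identifiers, and the free-text scan is the part that needs the most investment in practice, since regexes like these miss names, record numbers written without a prefix, and many other patterns.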