Electronic Protected Health Information (ePHI) refers to any individually identifiable health information that is created, stored, transmitted, or received electronically. That being said, many organizations run into trouble with how to define exactly what PHI and ePHI are, and that's because it's not always so simple to discern.
With 20 years of cybersecurity assessments under our belt, we’ve seen plenty of organizations struggle in determining whether what they handle is PHI or ePHI, and unfortunately, it sometimes comes back to bite during their HIPAA compliance process.
That’s why, in this article, we'll delve into the intricacies of ePHI, including its definition, what qualifies as ePHI, and why safeguarding it is essential for healthcare providers and organizations. Understanding what ePHI is and its importance will help you adhere to HIPAA regulations, which will, in turn, help you protect sensitive health information and maintain trust with your patients.
What is Protected Health Information (PHI)?
The simplest way to start is with HIPAA’s formal definition of PHI located in 45 CFR 160.103:
“Protected health information means individually identifiable health information.”
By “individually identifiable health information” they mean information that is a subset of health information, including demographic information collected from an individual, and:
- Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
- Relates to:
- The past, present, or future physical or mental health or condition of an individual;
- The provision of health care to an individual; or
- The past, present, or future payment for the provision of health care to an individual;
- That identifies the individual or there is a reasonable basis to believe the information can be used to identify the individual.
PHI Identifiers
We are clear that this includes anything regarding an individual’s health information along with anything that can identify said individual. With that said, the Department of Health and Human Services (HHS) lists the 18 HIPAA identifiers as:
- Patient Names
- Geographical elements (such as addresses)
- Dates relating to identity or health (such as birthdate or date of admission)
- Phone numbers
- Fax numbers
- Email addresses
- Social security numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Account numbers
- Certificate and/or license numbers
- Vehicle identifiers
- Device attributes or serial number
- Digital identifiers (such as social media or website URL)
- IP addresses
- Biometric elements (finger or retinal prints)
- Full face photographic images
- Other identifying numbers or codes
What is ePHI?
A good understanding of PHI makes defining ePHI considerably easier—ePHI is PHI that is transmitted electronically or stored electronically.
HIPAA Regulations for ePHI
Introductory paragraph about HIPAA regulations and ePHI.
H3: HIPAA Privacy Rule
The HIPAA Privacy Rule has established certain standards for the use and disclosure of Protected Health Information. To comply with this law, organizations must adopt the "minimum necessary rule" which requires them to take reasonable steps to limit the use and disclosure of PHI. Covered entities are required to access only the information that is necessary to accomplish their intended purpose. Additionally, the HIPAA Privacy Rule outlines patient rights regarding their PHI.
- A Notice of Privacy Practices (NPP) must be given to patients upon intake to help ensure they understand their rights. The NPP should be written in clear language that patients can easily understand. It describes patient rights in terms of the 18 HIPAA unique identifiers and explains what a CE may or may not do with PHI.
- Patients have the right to request access to their medical records by filling out an authorization form.
- Patients have the right to request an amendment to their PHI if they believe there has been an error on their record. However, it is up to the discretion of the CE to determine if the record is accurate.
- Patients can request special privacy protection for their PHI, but CEs are not required to agree to the request.
- In most cases, parents or legal guardians can access a minor's medical records. However, there are some situations where they cannot. For example, if the minor consents to care where parental consent is not required, if a court decides that a minor must receive care, or if a parent agrees that the minor and CE have a confidential relationship.
H3: HIPAA Security Rule
The HIPAA Security Rule requires that protected health information (PHI) is secured through administrative, physical, and technical security measures and safeguards. This rule mandates that organizations have standards for the confidentiality, integrity, and availability of PHI.
- To ensure confidentiality, PHI cannot be disclosed without prior patient authorization.
- The integrity of PHI must be maintained by a security management process that ensures that the data is only accessed by those who need access to perform their job functions.
- Finally, organizations and patients must be able to easily access PHI to ensure its availability.
By following these standards, organizations can ensure that they are in compliance with the HIPAA Security Rule and are properly safeguarding PHI.
The Difficulty in Classifying PHI/ePHI
Classifying anything, electronic or not, that clearly serves to identify a person is fairly straightforward—the tricky part of categorizing PHI is discerning the “reasonable basis to believe the information can be used to identify the individual.”
That’s because depending on the context and the way information is being used, things like e-mail or mailing addresses may or may not be considered PHI. Consider these two scenarios:
- An organization sends an e-mail or letter to all patients that have a certain medical condition—those e-mail addresses and mailing addresses would be considered PHI, as they could be used in that context to reasonably identify a person in a way that is tied to a past, present, or future physical or mental health condition.
- A business associate receives e-mail addresses or mailing addresses from a covered entity, such as, but does not also receive data tying that information to any past, present, or future physical or mental health condition of an individual, that data would not be considered PHI. It would not be reasonable to believe that an e-mail address or mailing address, with no other connection to health information, could be used to identify an individual’s past, present, or future conditions.
Obviously, not every example will be this straightforward. That’s why the best advice we can give in navigating this murkiness is to involve your legal team and have them review the specific ways you’re receiving and using information. That way, you can be more sure of what data would be considered PHI.
De-Identifying Data – When is Information No Longer PHI or ePHI?
At this point, now with an understanding of what PHI and ePHI are, we should mention the privacy rule 45 CFR 164.514. We don’t need to deconstruct the full requirements, which are quite lengthy—instead, we’ll focus on the list of the 18 identifiers noted in 45 CFR 164.514(b)(2) for data de-identification as well as a related common misconception.
Data de-identification is the process of removing identifiers from health information so as to mitigate privacy risks to individuals. If you understand that, it’s easy to see how some might confuse those 18 “identifiers” in this privacy rule as, if present, concrete certainties for classifying something as PHI.
But that’s not the case. As we noted above, despite these identifiers, context remains paramount—there must be a “reasonable basis to believe the information can be used to identify the individual.”
So, this list of 18, at face value, merely states that these identifiers could be used to identify someone, and if fully removed, the information would be considered de-identified. But you’ll need to examine the greater context of your data to determine whether it is PHI.
If it is de-identification you’re after though, there are two methods to achieve it in accordance with the HIPAA privacy rule:
- “Expert Determination” Method: Defined in 164.514(b)(1); and
- “Safe Harbor” Method: Defined in 164.514(b)(2).
For more information on de-identification, the OCR has put out guidance on this topic which can be found here.
Determining if Data is PHI or ePHI
To recap, when determining if data is PHI or ePHI, you need to ask important questions regarding the following:
- What context surrounds the information’s use
- How the information is stored
- Whether or not multiple identifiers could be put together to tie to a health record of an individual.
At the end of the day, trying to link identifiers to an individual’s past, present, or future physical or mental health or condition, and thereby identifying PHI and ePHI, is essentially a game of connecting the dots. But having those answers and a clear understanding of what is considered PHI/ePHI is very important, as it’s the first step in recognizing your organization’s HIPAA scope.
Without accurate knowledge of what data is considered PHI/ePHI, you’ll face a high likelihood of not properly covering all relevant data and systems as part of your risk analysis and risk management program—the building block of HIPAA compliance, though it’s also often a source of violations.
But now that you understand a bit better how to identify the PHI/ePHI in your systems, you’re better positioned to avoid any related penalties. For more information that can help simplify your HIPAA compliance, check out our other content on different relevant topics:
About DOUG KANNEY
Doug Kanney is a Principal at Schellman based in Columbus, Ohio. Doug leads the HITRUST and HIPAA service lines and assists with methodology and service delivery across the SOC, PCI-DSS, and ISO service lines. Doug has more than 17 years of combined audit experience in public accounting. Doug has provided professional services for multiple Global 1000, Fortune 500, and regional companies during the course of his career.