Protected health information in electronic form (ePHI) is any individually identifiable health information that's created, received, maintained, or transmitted in digital format by covered entities under HIPAA.
What are some examples of electronic PHI?
Electronic PHI covers any individually identifiable health data in digital form, like electronic health records, digital imaging files, and encrypted email communications tied to a patient’s health status, treatment, or payment.
Think digitized medical charts, X-rays stored on PACS systems, lab results sent through secure portals, appointment reminders via SMS, or telehealth visit recordings. The HIPAA Security Rule specifically includes these digital formats under ePHI when they contain identifiers such as names, dates, or account numbers. According to the U.S. Department of Health & Human Services (HHS), ePHI must be protected whether it’s sitting on a server (at rest) or being shared (in transit).
What does PHI stand for?
PHI stands for Protected Health Information, which includes any data about a person’s health status, healthcare services received, or payment details that can be tied to an individual.
This term comes straight from the HIPAA Privacy Rule and applies to all forms of health information—whether it’s on paper, spoken, or electronic—held by covered entities like hospitals, insurers, and pharmacies. The HIPAA Journal points out that PHI can include pretty much any detail that identifies someone in relation to health data, such as a birthdate, medical record number, or even biometric data. As of 2026, HIPAA remains the gold standard for protecting this information across the U.S. healthcare system.
Can PHI be sent electronically?
Yes—PHI can absolutely be sent electronically, but only if you’ve got the right safeguards in place to protect its confidentiality, integrity, and security, as required by the HIPAA Security Rule.
The HHS has made it clear that email isn’t banned under HIPAA, as long as it’s encrypted or otherwise secured. That said, basic email services like Gmail or Outlook without encryption don’t meet HIPAA standards. Healthcare providers usually rely on secure messaging platforms, encrypted portals, or virtual private networks (VPNs) to send ePHI safely. Skip the proper security, and you’re looking at civil penalties or fines. The Office of the National Coordinator for Health Information Technology (ONC) strongly recommends using HIPAA-compliant email services with end-to-end encryption and audit controls.
What counts as PHI in an EMR?
In an electronic medical record (EMR), PHI includes any individually identifiable information used to diagnose, treat, or bill for healthcare services, all stored digitally by providers.
That covers patient demographics, medical history, lab results, imaging reports, medication lists, immunization records, and insurance details. Any data in an EMR that can identify a patient—like name, date of birth, or Social Security number—counts as PHI. The HealthIT.gov Playbook makes it clear that even structured data like ICD-10 codes or CPT codes linked to a patient identifier fall under PHI. To keep this information safe in EMR systems, you’ll need proper access controls, audit logs, and encryption.
What’s the difference between ePHI and PHI?
PHI is any health information that identifies an individual, while ePHI is just the electronic version of PHI that’s created, stored, or transmitted digitally under the HIPAA Security Rule.
All ePHI is PHI, but not all PHI is ePHI. For instance, a paper medical chart is PHI but not ePHI, while a scanned copy of that chart stored on a server is both. The HIPAA.com guide spells out that ePHI comes with extra security requirements, including access controls, integrity safeguards, and transmission security. Healthcare organizations need to implement technical, physical, and administrative safeguards to keep ePHI from falling into the wrong hands.
How do you protect electronic PHI?
Lock down ePHI with strong passwords, encryption, multi-factor authentication, and strict access controls for both physical and digital spaces.
Use secure file-sharing tools, firewalls, and antivirus software, and keep logs of every access to ePHI systems. Train your staff on phishing risks and clean-desk policies to prevent unauthorized viewing. The HHS Security Guidance suggests encrypting ePHI both at rest and in transit, using VPNs for remote access, and running regular risk assessments. Physical safeguards include locking computer workstations when unattended, using privacy screens, and storing portable devices like tablets securely.
Why does PHI matter so much?
PHI matters because it holds sensitive personal and medical details that, if leaked, can lead to identity theft, insurance fraud, or serious reputational damage, and cybercriminals love targeting it.
The American Hospital Association reports that health records are up to 20 times more valuable on the black market than credit card numbers. HIPAA forces covered entities to implement safeguards for PHI, and violations can cost up to $1.5 million per year per incident. Beyond legal trouble, breaches erode patient trust, drive away business, and tank reputations.
What’s the best example of PHI?
A solid example of PHI is a patient’s full name, date of birth, address, phone number, Social Security number, medical diagnosis, treatment dates, and health insurance details, all bundled into one record.
Even a single unique identifier—like a patient’s full name paired with their medical record number—can count as PHI. The HHS PHI Guidelines list 18 identifiers that, when linked to health data, make it PHI. These include biometric data, email addresses, account numbers, and any geographic subdivision smaller than a state. In practice, most patient records contain multiple PHI elements.
Is a patient’s name alone considered PHI?
No—a patient’s name by itself isn’t PHI unless it’s tied to health information, treatment details, or payment data.
For example, a name in a public directory or general contact list isn’t PHI. But if the name is linked to a diagnosis (like “John Smith – diabetes follow-up”), it becomes identifiable health information and falls under HIPAA protection. The HealthIT.gov resource makes it clear that context is everything: isolated identifiers aren’t PHI, but combine them with health-related data, and they are. This is often called “linked information.”
What’s the safest way to share PHI?
The safest way to share PHI is through encrypted, password-protected platforms with audit trails, like secure patient portals, encrypted email, or HIPAA-compliant messaging apps.
Skip standard SMS, unencrypted fax, or regular email for PHI. Always include a confidentiality banner like “This message contains protected health information—intended only for authorized recipients.” Double-check the recipient’s identity and encrypt any attachments. The ONC Safeguards Guide recommends tools that comply with the HIPAA Security Rule, including end-to-end encryption and secure authentication. Whenever possible, get patient consent and document all disclosures.
Is PHI only digital?
No—PHI isn’t limited to digital formats; it includes all forms of individually identifiable health information, whether on paper, spoken aloud, or stored electronically.
While the HIPAA Security Rule specifically covers electronic PHI (ePHI), the broader HIPAA Privacy Rule protects all PHI, including paper records, oral communications, and even text messages if they contain identifiable health details. The HIPAA Journal notes that telephone calls about a patient’s diagnosis, whiteboard notes in a nursing station, or printed lab results are all PHI. Only ePHI, though, must meet the Security Rule’s technical safeguards.
What happens when a patient asks for a copy of their PHI?
When a patient requests their PHI, providers must hand it over within 30 days, with a possible one-time 30-day extension under specific conditions.
The patient can ask for the information in their preferred format—paper, electronic, or a summary—if it’s easy to produce. Providers can charge a reasonable fee for copying and mailing but can’t deny access just because of unpaid bills. According to the HHS Right of Access Fact Sheet, failing to comply can lead to enforcement actions. Covered entities must also keep records of the request and when access was granted or denied.
What are the three HIPAA rules?
The three HIPAA rules are the Privacy Rule, Security Rule, and Breach Notification Rule, each tackling different aspects of health information protection.
The Privacy Rule sets the rules for when and how PHI can be used or shared. The Security Rule outlines safeguards for protecting ePHI, including technical, physical, and administrative measures. The Breach Notification Rule requires covered entities to notify affected individuals, the Secretary of HHS, and sometimes the media within 60 days of discovering a breach involving unsecured PHI. The HHS HIPAA Rules Summary lays out detailed compliance requirements for each rule.
Who’s on the hook for protecting PHI?
Covered entities—healthcare providers, health plans, and healthcare clearinghouses—carry the primary responsibility for protecting PHI, with business associates sharing accountability when they handle PHI on behalf of these entities.
The U.S. Department of Health & Human Services (HHS), through its Office for Civil Rights (OCR), enforces HIPAA and investigates breaches. Every organization needs to appoint a Privacy Officer and a Security Officer to oversee compliance. The HHS Security Rule guidance stresses that accountability extends to every workforce member, not just leadership. Business associates—like cloud storage providers or billing services—must also comply with HIPAA through contractual agreements.
Do initials count as PHI?
Yes—initials can count as PHI if they’re linked to health information or one of the 18 HIPAA identifiers, such as a medical record number or date of service.
The HIPAA Privacy Rule includes “any other unique identifying number, characteristic, or code” as a potential identifier. For example, “JD – 05/2023 – HTN follow-up” (initials, date, and diagnosis) is PHI. The HHS De-Identification Guidance notes that even partial identifiers can become PHI when combined with health data. To use initials safely, make sure no other identifiers are tied to the record and limit access to authorized personnel only.
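The linked-information rule from the earlier "name alone" answer and the partial-identifier point here can be made concrete in code; the following is an added example, not code from the article or from HHS, that treats a structured record as PHI only when health data is linked to an identifier and then strips or generalizes identifiers the way the HHS Safe Harbor method describes. The field names, the sample record and the reference year are constructed assumptions.

```python
# Added illustration of the article's "linked information" rule and the HHS
# Safe Harbor de-identification method; not code from the article or from HHS.
# Field names, the sample record and today_year are constructed assumptions.

# Record fields holding Safe Harbor direct identifiers. Initials are included
# because they fall under "any other unique identifying number,
# characteristic, or code".
DIRECT_IDENTIFIERS = {"name", "initials", "mrn", "ssn", "email", "phone",
                      "account_number", "street_address", "biometric_id"}
DATE_FIELDS = {"dob", "service_date"}     # ISO strings; only the year may survive
HEALTH_FIELDS = {"diagnosis", "treatment", "medication", "lab_result", "payment"}
# Three-digit ZIP prefixes that HHS lists as covering fewer than 20,000
# people; Safe Harbor requires them to be reported as "000".
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}


def is_phi(record):
    """Health data is PHI only when it is linked to at least one identifier."""
    has_health = any(record.get(f) for f in HEALTH_FIELDS)
    has_identifier = any(record.get(f) for f in
                         DIRECT_IDENTIFIERS | DATE_FIELDS | {"zip"})
    return has_health and has_identifier


def safe_harbor(record, today_year=2026):
    """Return a de-identified copy of the record following Safe Harbor."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    for f in DATE_FIELDS & out.keys():
        out[f] = out[f][:4]                       # "2023-05-12" -> "2023"
    if "dob" in out:
        age = today_year - int(out["dob"])
        if age > 89:                              # ages over 89 are aggregated
            out["dob"] = None
            out["age"] = "90+"
        else:
            out["age"] = age
    if out.get("zip"):
        zip3 = str(out["zip"])[:3]
        out["zip"] = "000" if zip3 in RESTRICTED_ZIP3 else zip3
    return out


# Constructed sample based on the article's "JD - 05/2023 - HTN follow-up".
SAMPLE = {"initials": "JD", "service_date": "2023-05-12", "dob": "1934-02-01",
          "zip": "03601", "diagnosis": "HTN follow-up"}

if __name__ == "__main__":
    print(is_phi(SAMPLE), safe_harbor(SAMPLE))
```

The same diagnosis without any identifier is not PHI, and the de-identified output keeps only the year of service, an aggregated age and a generalized ZIP prefix.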
Edited and fact-checked by the TechFactsHub editorial team.