Protected health information that is created, stored, transmitted, or received in electronic form, subject to both the HIPAA Privacy Rule and Security Rule.
Electronic protected health information (ePHI) is any protected health information that a covered entity or business associate creates, receives, maintains, or transmits in electronic form. PHI itself is individually identifiable health information in any medium, including paper records and oral communications; ePHI is the electronic subset. The distinction matters because ePHI is subject to the HIPAA Security Rule in addition to the Privacy Rule, which applies to PHI in every form. Examples of ePHI include electronic medical records (EMRs), email messages containing patient information, databases holding patient demographics or billing data, digital imaging files, and patient information stored in cloud services. Copies count too: backups, application logs, caches, and message queues that carry patient data are ePHI as much as the system of record is.
The HIPAA Security Rule was written specifically to protect ePHI. It requires covered entities and business associates to implement three categories of safeguards: administrative safeguards (45 CFR 164.308) such as risk analysis, workforce training, and access management policies; physical safeguards (164.310) such as facility access controls, workstation security, and device and media controls; and technical safeguards (164.312) such as access control, audit controls, integrity controls, person or entity authentication, and transmission security. Each standard is made up of implementation specifications that are either required or addressable. Addressable does not mean optional: the organization must implement the specification, or document why it is not reasonable and appropriate and implement an equivalent alternative measure. The Security Rule requires organizations to ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit, to protect against reasonably anticipated threats to its security or integrity, and to protect against reasonably anticipated uses or disclosures that the Privacy Rule does not permit.
As healthcare becomes increasingly digital, the volume and distribution of ePHI continue to grow. Organizations must track ePHI across all systems, devices, and transmission channels, including mobile devices, cloud services, telehealth platforms, medical devices, and health information exchanges. Each environment where ePHI exists must be secured to HIPAA requirements. Organizations should maintain a comprehensive inventory of every system, device, and data flow that creates, receives, stores, or transmits ePHI, and include each one in the risk analysis and risk management process; a system that is missing from the inventory is also missing from the risk analysis. Encryption of ePHI at rest and in transit is an addressable specification, but it is treated as a baseline control in practice, and it has a second benefit: under the Breach Notification Rule, ePHI that has been encrypted consistent with HHS guidance (which points to the NIST standards for storage and transmission encryption) is not "unsecured PHI", so its loss or theft does not trigger notification. That safe harbor holds only if the decryption key was not compromised as well. A stolen laptop with full-disk encryption and the passphrase on a sticky note, or a database export encrypted with a key stored alongside it, is still a reportable breach, so key management is part of the control, not an afterthought.
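To make the last two points concrete (encryption at rest as an integrity control, and the key living apart from the data), here is an added example in Go; it is not code from the page or from any HIPAA guidance document. It seals one ePHI record with AES-256-GCM, binds the record identifier as associated data so a blob sealed for one patient cannot be quietly re-attached to another, and shows that a single flipped bit or a mismatched record ID is rejected instead of decrypting to garbage. The key is generated locally only for the demonstration; the assumption in a real deployment is that it comes from a KMS or HSM that is never stored next to the ciphertext, since that separation is what the safe harbor depends on. The sample record is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// SealRecord encrypts one ePHI record with AES-256-GCM. The record ID is
// bound as associated data (AAD), so the blob is only valid for that ID.
// Output layout is nonce || ciphertext || GCM tag.
func SealRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record; reuse with the same key breaks GCM.
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// OpenRecord reverses SealRecord. Any change to the blob, or a record ID
// that differs from the one used at seal time, fails authentication.
func OpenRecord(key []byte, recordID string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(recordID))
}

// NewDataKey returns a fresh 256-bit key. Assumption for this example only:
// in production the key is issued and held by a KMS/HSM, not by the
// application that stores the ciphertext.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func main() {
	key, _ := NewDataKey()
	// Constructed sample record; not real patient data.
	record := []byte("MRN 000123; dx: hypertension; rx: lisinopril 10mg")
	blob, _ := SealRecord(key, "patient/000123", record)
	fmt.Println("stored prefix:", hex.EncodeToString(blob[:16]), "...")

	pt, err := OpenRecord(key, "patient/000123", blob)
	fmt.Printf("round trip ok: %v (err=%v)\n", string(pt) == string(record), err)

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the tag
	_, err = OpenRecord(key, "patient/000123", tampered)
	fmt.Println("tampered blob rejected:", err != nil)

	_, err = OpenRecord(key, "patient/000124", blob)
	fmt.Println("wrong record ID rejected:", err != nil)
}
```

The AAD binding is the part most often skipped: without it, an attacker with write access to the datastore can swap encrypted blobs between patients without ever touching a key, and every blob still decrypts cleanly. Rotating the data key, and re-wrapping or re-encrypting records when it is rotated, is the other half of keeping the safe harbor argument credible.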