What is Considered PHI or ePHI?

You probably come across the phrases PHI and ePHI frequently if you work for a company that is governed by HIPAA (Health Insurance Portability and Accountability Act).

But what are they actually, and do they differ from one another? And how do you specify what qualifies as PHI or ePHI? Although they seem simple, these questions might be challenging to answer.

What is PHI?

According to HIPAA, PHI (Protected Health Information) is "all identifiable health information that is used, maintained, stored, or communicated by a HIPAA-covered entity." Healthcare providers, insurers, and business associates of a HIPAA-covered entity are examples of HIPAA-covered entities.

Any data or information pertaining to your health that such an entity holds is regarded as PHI.

That includes test results and medical history as well as personal details such as your name or Social Security number. The HIPAA Privacy Rule requires that specific personal identifiers be kept private.

There are 18 such patient identifiers. They are:

Names

Dates, except year

Telephone numbers

Geographic data

Fax numbers

Social Security numbers

Email addresses

Medical record numbers

Account numbers

Health plan beneficiary numbers

Certificate/license numbers

Vehicle identifiers

Web URLs

Device identifiers and serial numbers

Internet protocol (IP) addresses

Full-face photos and comparable images

Biometric identifiers (fingerprint, retinal scan)

Any other unique identifying number or code

What is ePHI?

Electronic Protected Health Information, or ePHI, is PHI that is created, stored, or transmitted electronically. When the HIPAA Security Rule first defined ePHI, organizations were required to put new security measures in place to protect the data and preserve its confidentiality and integrity.

ePHI exists in many digital forms, including cloud-based systems, patient data shared by email, and data stored on hard drives, computers, and flash drives. To protect ePHI from attackers and breaches, these safeguards must be kept up to date.

Other pieces of information are just as sensitive but do not qualify as PHI or ePHI. Use the following three questions to determine whether data falls under PHI/ePHI:

Who recorded the data? HIPAA generally does not apply to data you record yourself on smart devices or apps unless they are linked to a healthcare practitioner or insurance plan.

Is the information part of your employment or education records? HIPAA does not apply to these. Your employer may note your allergies, but that record is not considered PHI.

Does the data include any of the personal identifiers? If not, it does not qualify as PHI or ePHI. Data without identifiers is typically what population health studies use.
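As an added example (not code from the original article), the following Python checks a record against the identifier categories listed above and applies the third question: once the identifiers are removed and dates are reduced to the year, what remains is no longer PHI. The field names, regular expressions and sample record are assumptions constructed for this illustration.

```python
import re
from datetime import date
# Record fields in the identifier categories listed above (field names assumed).
IDENTIFIER_FIELDS = {"name", "street_address", "zip", "phone", "fax", "email",
                     "ssn", "mrn", "account_number", "health_plan_id",
                     "license_number", "vin", "device_serial", "url",
                     "ip_address", "photo", "fingerprint_hash"}
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date"}  # year may stay
# Heuristic patterns for identifiers hiding inside free-text fields such as notes.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
}

def find_identifiers(record):
    """Identifier categories present; free-text hits are reported as 'field:label'."""
    found = set()
    for key, value in record.items():
        if key in IDENTIFIER_FIELDS and value not in (None, ""):
            found.add(key)
        elif key in DATE_FIELDS and value:
            found.add(key)
        elif isinstance(value, str):
            for label, pat in FREE_TEXT_PATTERNS.items():
                if pat.search(value):
                    found.add(f"{key}:{label}")
    return found

def is_phi(record):
    """Third question above: health data carrying none of the identifiers is not PHI."""
    return bool(find_identifiers(record))

def strip_identifiers(record):
    """Drop identifier fields, reduce dates to the year, redact free text."""
    cleaned = {}
    for key, value in record.items():
        if key in IDENTIFIER_FIELDS:
            continue
        if key in DATE_FIELDS:
            value = date.fromisoformat(value).year
            key = key.replace("date", "year")
        elif isinstance(value, str):
            for label, pat in FREE_TEXT_PATTERNS.items():
                value = pat.sub(f"[{label} removed]", value)
        cleaned[key] = value
    return cleaned

SAMPLE = {"name": "Jane Example", "date_of_birth": "1980-04-12", "zip": "12345",
          "diagnosis": "Type 2 diabetes", "hba1c": 7.1,
          "notes": "Call 555-123-4567 before noon."}  # constructed, not real data
```

The free-text patterns are deliberately simple; in practice a scanner would need to cover every category in the list, including identifiers embedded in images and device logs.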
