PHI vs. ePHI: Is there a Difference?

Protected Health Information (PHI) has been in the news a lot lately, as people become concerned about what information is ok to reveal, and what is not. (Vaccine status, anybody?) Let’s review exactly what protected health information is, and what it isn’t. As technology advanced and electronic medical records became commonplace, a new category of PHI called electronic PHI (ePHI) emerged, and we will cover that too.


Under HIPAA, PHI is considered to be “any identifiable health information that is used, maintained, stored, or transmitted by a HIPAA-covered entity.”  HIPAA-covered entities are healthcare providers, insurance providers, or a business associate of a HIPAA-covered entity. An example of a business associate would be a sub-contracted service, like a medical coding company.

Consequently, any information related to your health – test results, medical history, and personal identifiers like your name or social security number are considered PHI. One or more of these identifiers turns your information into PHI, meaning it must be kept secure under HIPAA Privacy Rules.

There are 18 specific types of patient identifiers:

NamesDates, except year
Telephone numbersGeographic data
Fax numbersSocial Security numbers
Email addressesMedical record numbers
Account numbersHealth plan beneficiary numbers
Certificate/license numbersVehicle identifiers
Web URLsDevice identifiers and serial #
Internet protocol addressesFull face photos and comparable images
Biometric identifiers (fingerprint, retinal scan)Any unique identifying number or code


ePHI works the same way as PHI does, but it includes information that is created, stored, or transmitted electronically. This could include systems that operate with a cloud database or transmitting patient information via email. Special security measures must be in place, such as encryption and secure backup, to ensure protection. There have been several high-profile breaches of ePHI in recent years, resulting in 6 and 7-figure financial penalties.


Some types of information do NOT fall under HIPAA rules as PHI or ePHI, and it is important to know those as well. Sometimes the presence of any medical-related information at all is lumped under PHI, when that is not the case. To determine if information is indeed PHI, use the following guidelines:

  1. Who recorded the information?  If it is self-recorded, such as on a smart watch or app, then it is typically not HIPAA unless connected to a healthcare provider or insurance plan.
  2. Is the information part of your education or employment records?  Since these types of entities are not covered under HIPAA. For example, if your employer keeps records of allergies or vaccinations, this is not PHI.
  3. Does it contain identifiers? If information is stripped of all identifiers, such as that used for population health or research, then it is no longer PHI.

The healthcare world runs on information – records, history, forms, demographics, and reports. Maintaining HIPAA-compliant electronic forms can become a full-time job unless the right partner is involved. As virtual and telehealth communication become commonplace, more and more “paperwork” is handled electronically. FormDr makes sure this sensitive ePHI is protected, easy to use, and always secure.