ePHI (Electronic Protected Health Information)
Electronic Protected Health Information
PHI that is created, received, maintained, or transmitted in electronic form.
1 min read · Last reviewed May 23, 2026
At a glance
- Category
- HIPAA & Privacy
- Acronym for
- Electronic Protected Health Information
- Primary sources
- 4
- Workspace handoff
- sra studio →
Where this comes up
Privacy officers and practice managers handle this — patient rights requests, accounting of disclosures, BAA reviews with new vendors, breach risk assessments after an incident, and OCR responses when a complaint lands. The 60-day breach-notification clock starts at discovery, not at investigation close.
Full definition
What it is in practice
ePHI is the subset of PHI that lives in electronic systems: EHR records, billing software, email, text messages, cloud backups, telehealth platforms, and the laptops or phones that touch them. The HIPAA Security Rule at 45 CFR Part 164 Subpart C applies specifically to ePHI; paper records are still PHI but are governed only by the Privacy Rule.
How it shows up in your practice
Anywhere a clinician types a note, a biller submits a claim, or a front-desk staffer texts a patient, ePHI is in motion. Security Rule obligations — risk analysis, access controls, audit logs, encryption decisions, contingency plans — apply to every system that handles it.
Sources
- 45 CFR 160.103 — Definitionshttps://www.ecfr.gov/current/title-45/section-160.103
- 45 CFR 164.312 — Technical safeguardshttps://www.ecfr.gov/current/title-45/section-164.312
- HHS — HIPAA Security Rulehttps://www.hhs.gov/hipaa/for-professionals/security/index.html
- NIST SP 800-66 Rev. 2 — HIPAA Security Rule Implementation Guidehttps://csrc.nist.gov/pubs/sp/800/66/r2/final
Inventory every ePHI system in SRA Studio
Open sra studio →Related terms
- HIPAA & PrivacyPHI (Protected Health Information)Individually identifiable health information held or transmitted by a covered entity or its business associate, in any form.
- HIPAA & PrivacyHIPAA Security RuleThe federal regulation at 45 CFR Part 164 Subpart C that requires safeguards for ePHI.
- SecurityEncryption at RestCryptographic protection of stored ePHI such that the data is unreadable without the decryption key.
- SecurityAccess ControlsTechnical policies and procedures that allow only authorized persons or software programs to access ePHI.
- SecurityAudit LogA record of system activity (logins, record access, configuration changes) that can be reviewed to detect inappropriate access or system compromise.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
Related across the archive
- GlossaryPHI (Protected Health Information)Individually identifiable health information held or transmitted by a covered entity or its business associate, in any form.
- GlossaryHIPAA Security RuleThe federal regulation at 45 CFR Part 164 Subpart C that requires safeguards for ePHI.
- GlossaryAccess ControlsTechnical policies and procedures that allow only authorized persons or software programs to access ePHI.
- GlossaryAudit LogA record of system activity (logins, record access, configuration changes) that can be reviewed to detect inappropriate access or system compromise.
- ComplianceAnnual HIPAA Training Curriculum (What to Cover + How to Document)A 2026 annual HIPAA training curriculum for small healthcare practices — eight required modules under 45 CFR 164.530(b) and 45 CFR 164.308(a)(5), with documentation templates.
- RegulationNIST Cybersecurity Framework 2.0The 2024 update to the NIST CSF added the Govern function alongside Identify, Protect, Detect, Respond, and Recover — providing a common language for organizational cybersecurity risk management.
- SRAHIPAA Contingency Plan for a Small PracticeWhat the Security Rule contingency plan standard at 45 CFR 164.308(a)(7) actually requires, including data backup, disaster recovery, emergency mode operation, and testing — for a small practice.
- BillingBusiness Associate Agreement Checklist for Small PracticesA working checklist for small practices to identify which vendors need a Business Associate Agreement, what clauses the BAA must contain, and how to track them.
This glossary entry is a research aid for billing and compliance staff. It does not provide legal, medical, or financial advice and does not replace counsel. References cited link to primary sources at HHS, OCR, CMS, eCFR, NIST, and the relevant payer or industry body.