ePHI vs PHI: Key Differences Explained
The practical differences between PHI and ePHI, which HIPAA rules apply to each, and why small clinics should care about the distinction.
Short answer
PHI is any individually identifiable health information held or transmitted by a covered entity or business associate. ePHI is the electronic subset. The Privacy Rule covers all PHI; the Security Rule applies specifically to ePHI.
HIPAA terminology can feel redundant until a breach turns on a word. PHI and ePHI are not interchangeable. The difference determines which rules apply, which safeguards you owe, and where audit scrutiny tends to land.
The short version
PHI is Protected Health Information. It is defined in 45 CFR 160.103 as any individually identifiable health information held or transmitted by a covered entity or business associate, regardless of format.
ePHI is the electronic subset. It is PHI that is created, received, stored, or transmitted in electronic form.
| Category | Format | Primary rule | Example |
|---|---|---|---|
| PHI (non-electronic) | Paper, oral | Privacy Rule | A paper intake form; a hallway conversation about a patient |
| ePHI | Electronic | Privacy Rule + Security Rule | An email, an EHR entry, a digital x-ray, a voicemail stored as a file |
For a plain-English walkthrough of the parent term, see What Does PHI Stand For.
Which HIPAA rules apply
The Privacy Rule (45 CFR Part 164 Subpart E) governs uses and disclosures of all PHI. It applies whether information sits in a chart, on a sticky note, or in a cloud storage bucket.
The Security Rule (45 CFR Part 164 Subpart C) applies only to ePHI. It requires three categories of safeguards:
- Administrative safeguards such as workforce training, access management, and contingency plans.
- Physical safeguards such as facility access controls and workstation security.
- Technical safeguards such as access controls, audit controls, integrity controls, transmission security, and encryption.
The Breach Notification Rule applies to both PHI and ePHI. A lost paper chart and a misdirected email can both be reportable.
Real examples
A few scenarios clarify where the line sits.
Paper PHI (Privacy Rule only). A printed superbill left on a counter. It is PHI. Lose it and you may have a breach. The Security Rule is not the governing standard.
Oral PHI (Privacy Rule only). A front-desk conversation where a patient’s diagnosis is audible in the waiting room. The “minimum necessary” standard and reasonable safeguards apply. The Security Rule does not.
ePHI (Privacy Rule plus Security Rule). A patient’s lab result attached to an email, a chat message referencing a visit, a calendar event titled with a patient name and procedure. Each is ePHI and triggers Security Rule obligations including access control and audit logging. See PHI in Email and PHI in Shared Calendars for common failure modes.
Voicemail nuance. A voicemail left on a digital phone system is ePHI. The same content as a live phone call is oral PHI.
Why the distinction matters for small clinics
Three practical reasons.
- Technical safeguards are enforceable. The Security Rule requires specific controls for ePHI: unique user IDs, automatic logoff, emergency access, audit controls, and transmission security. These are the items OCR reviews during an investigation.
- Volume lives in ePHI. A paper chart holds one patient’s record. An unsecured cloud drive can hold thousands. Blast radius on the electronic side is larger, which is why most enforcement actions and breach reports involve ePHI.
- Vendor risk is ePHI risk. Every SaaS tool that touches patient information is handling ePHI. Each needs a BAA and must support the Security Rule’s technical safeguards. A vendor that cannot meet those standards should not hold ePHI.
Where teams get confused
A few recurring traps worth flagging:
- “We only use paper, so Security Rule does not apply.” True only if the practice also does not email, fax digitally, or store any electronic claims. Most clinics have ePHI the moment they bill a payer electronically.
- “Encryption is optional.” Encryption is an addressable specification under the Security Rule, not a free pass. If encryption is not implemented, the practice must document why and use an equivalent safeguard. The HHS Security Rule summary explains the addressable versus required distinction.
- “Business associates are covered by their own BAA, so we do not need controls.” The covered entity remains accountable. A BAA is necessary, not sufficient.
Next steps
If a clinic is unsure where its ePHI lives, a tool inventory is the first move. Every application that stores, transmits, or processes patient information needs to be on that list, with a BAA status and a mapped Security Rule safeguard. PHIGuard was built to keep that inventory and the work tied to patient context in one auditable place. See /hipaa and compare against the risks described in PHI in CRM Records.
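As an added example (not part of the original article or of the PHIGuard product), a small Python gap check over a constructed tool inventory: it treats only electronic, individually identifiable entries as ePHI, then flags a missing BAA, unmapped required technical safeguards, and encryption that is neither implemented nor documented as an addressable specification. The safeguard keys, sample tools and their postures are assumptions for illustration.

```python
"""Gap check over a constructed clinic tool inventory (added example)."""
from dataclasses import dataclass, field

# Technical safeguards the article lists as what OCR reviews (treated here as
# required), plus encryption, which is addressable: if it is not implemented,
# the reason and the equivalent safeguard must be documented.
REQUIRED = {"unique_user_ids", "automatic_logoff", "emergency_access",
            "audit_controls", "transmission_security"}
ADDRESSABLE = {"encryption"}


@dataclass
class Tool:
    name: str
    electronic: bool                 # paper or oral only -> PHI, not ePHI
    identifiable_health_info: bool   # False -> not PHI at all
    baa_signed: bool = False
    safeguards: set = field(default_factory=set)
    # addressable spec -> documented rationale and alternative safeguard
    addressable_rationale: dict = field(default_factory=dict)


def holds_ephi(tool: Tool) -> bool:
    return tool.electronic and tool.identifiable_health_info


def gaps(tool: Tool) -> list:
    """Findings for one tool; an empty list means no Security Rule gaps."""
    if not holds_ephi(tool):
        return []  # Privacy Rule still applies, but no Security Rule controls are owed
    found = []
    if not tool.baa_signed:
        found.append("missing BAA")
    for spec in sorted(REQUIRED - tool.safeguards):
        found.append(f"required safeguard not mapped: {spec}")
    for spec in sorted(ADDRESSABLE - tool.safeguards):
        if spec not in tool.addressable_rationale:
            found.append(f"addressable safeguard {spec} neither implemented nor documented")
    return found


def inventory_report(tools) -> dict:
    return {t.name: gaps(t) for t in tools}


# Constructed sample inventory (hypothetical postures, not real vendors)
SAMPLE = [
    Tool("Paper intake forms", electronic=False, identifiable_health_info=True),
    Tool("EHR", True, True, baa_signed=True, safeguards=REQUIRED | {"encryption"}),
    Tool("Shared calendar", True, True, safeguards={"unique_user_ids", "audit_controls"}),
    Tool("Fax gateway", True, True, baa_signed=True, safeguards=set(REQUIRED),
         addressable_rationale={"encryption": "alternative safeguard documented in risk analysis"}),
]

if __name__ == "__main__":
    for name, findings in inventory_report(SAMPLE).items():
        print(name, "->", findings or "no gaps")
```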