  • What is ePHI?
  • Where ePHI is stored and shared
  • Why criminals target ePHI
  • How ePHI may get exposed
  • What to do if you receive an ePHI breach notification
  • How to protect your health information
  • Your rights as a patient under HIPAA
  • FAQ: Common questions about ePHI data

What is ePHI? What your electronic health data means for you

Featured 05.06.2026, 14 min read
Written by Diana Popa. Reviewed by Anneke van Aswegen. Edited by Lora Pance.

Modern healthcare makes medical information easier to access, share, and manage online. But as records move through patient portals, provider systems, billing platforms, and connected services, it can be harder to know which data is protected, who can access it, and what rules apply.

This article explains what electronic protected health information (ePHI) is, what can happen to your information, and what rights patients have. It also outlines practical steps to help reduce exposure when accessing, storing, or sharing health data.

Please note: This article is for educational purposes only and does not provide legal, medical, or healthcare guidance.

What is ePHI?

ePHI is protected health information that's created, received, maintained, or transmitted electronically by a Health Insurance Portability and Accountability Act (HIPAA)-covered entity or business associate. It can include medical records, lab results, prescriptions, and billing details from clinics and similar providers.

HIPAA sets requirements for how covered entities and business associates handle protected health information.

However, digital data held by non-covered companies generally doesn’t qualify as ePHI under HIPAA, unless the company is acting as a business associate for a covered entity. This can include some information from consumer health-tracking apps, life insurance providers, or employers, depending on who holds the data and why.

ePHI can support faster access to records, care coordination, billing, and patient portal services. Doctors can more easily find records and share updates with other authorized teams, while patients may have online access to some of their information through patient portals, making it easier to review or share records with new providers.

How ePHI differs from PHI

Protected health information (PHI) is HIPAA-regulated patient data related to a person’s health, care, or payment for care. It can exist in any form, including paper records, verbal communication, or electronic records.

ePHI is the electronic subset of PHI, so both involve the same types of patient data and identifiers, such as:

  • Patient names.
  • Home addresses.
  • Dates of birth or treatment dates.
  • Phone numbers or email addresses.
  • Social Security numbers (SSNs).
  • Medical images, such as X-rays or ultrasounds.
  • Billing claims or account numbers.

Image caption: ePHI vs. PHI vs. non-protected health data.

Where ePHI is stored and shared

ePHI is part of a broad digital healthcare ecosystem. Related health, billing, and identity data can be stored and shared across multiple platforms to support faster access to information and smoother, interconnected services:

  • Electronic health records (EHR): An EHR contains the information a provider uses during care, including treatment notes, medical history, medications, and lab results. EHR data may be stored in a provider’s local system or a cloud server.
  • Patient portals and covered apps: A provider’s official website or app can give patients remote access to EHR information. When a covered provider, health plan, or business associate handles this information electronically, it may contain ePHI.
  • Telehealth platforms: Health information shared during a telehealth visit can be ePHI when it's handled electronically by a covered provider or business associate. Intake forms, follow-up messages, or e-prescriptions may also contain ePHI. The provider may share related records with a health plan for billing or insurance.
  • Insurance and billing systems: These systems store ePHI associated with claims, coverage, and payments. They can reveal the care a patient received, the provider that billed for it, and the insurer that covered it.
  • Labs, pharmacies, and other covered care providers: Labs may receive electronic test orders and send results to healthcare providers, who add them to patient EHRs or portals. Pharmacies can store digital prescription records and insurance details. Clinics, hospitals, labs, pharmacies, and other covered providers may share ePHI to support treatment, payment, or healthcare operations.

Why criminals target ePHI

Cybercriminals target ePHI because a single breach can yield thousands of records, digital data is easy to copy and resell, and EHRs bundle health, identity, billing, and insurance details in one place. Unlike a payment card number, a diagnosis, SSN, or insurance ID can't simply be reissued, so stolen records stay useful to criminals for years.

HIPAA's Security Rule requires covered entities and business associates to protect the confidentiality, integrity, and availability of ePHI through administrative, physical, and technical safeguards: access controls, audit controls, authentication, integrity protections, and encryption (an "addressable" specification, meaning an organization must implement it or document why an equivalent alternative is reasonable). Together, these are meant to reduce unauthorized access, disclosure, or improper changes to patient records.

Here are some ways cybercriminals may use ePHI.

Medical identity theft

Medical identity theft occurs when someone uses another person’s personal or insurance information to get medical care, prescription drugs, medical devices, or to submit insurance claims. Personal details such as a name, SSN, health insurance account number, or Medicare number can be used to impersonate someone or bill services under their name. This can lead to unfamiliar bills, insurance problems, credit issues, or inaccurate medical records.

Insurance and prescription fraud

Criminals can use stolen health insurance account numbers to submit false claims or obtain services, supplies, or prescriptions under someone else’s account. This can affect patients, providers, insurers, and government programs and may create problems with billing records or future benefits.

Blackmail and extortion

Medical records can contain sensitive details about a person’s health and treatment history. If exposed, that information may create privacy or reputation risks. Cybercriminals may use sensitive diagnoses, records, or threats of disclosure for extortion.

How ePHI may get exposed

Sensitive information can be exposed when it's accessed, used, disclosed, or shared without authorization. Common causes include human error, technical issues, and cyberattacks.

Data breaches and unauthorized access

Some data breaches involve malicious attacks. Attackers may use malware such as infostealers, which harvest saved passwords and session cookies from staff devices, to log in to providers' systems and copy patient databases or EHRs. They may also deploy ransomware that encrypts files, making medical records inaccessible, often after first exfiltrating a copy of the data so they can threaten to publish it if the provider doesn't pay.

The same can happen to vendors or business associates that handle ePHI for covered organizations. If a vendor’s system has a vulnerability, the patient data it handles can also be exposed.

Phishing and stolen login details

Phishing can target patients through emails, text messages, and phone calls that impersonate legitimate healthcare providers.

These deceptive communications often direct people to fake online portals designed to steal credentials. With a stolen username and password, an attacker can log in to the real portal and view medical histories and linked information, like health insurance details.

Unexpected requests for insurance numbers, SSNs, portal passwords, or payment details can be a red flag, especially when the message creates a sense of urgency or asks the recipient to use an embedded link.

Accidental sharing

Sometimes, unintended exposure happens due to simple oversights or misunderstandings about digital privacy. This can occur when patients store or send sensitive records without safeguards.

For instance, health information stored in a personal cloud account can be vulnerable if the cloud provider experiences a breach or if the folder is accidentally left publicly accessible. Similarly, sensitive data sent through unsecured or improperly configured email and messaging channels may be exposed, forwarded, or accessed by unintended recipients.
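Before attaching a downloaded record to an email or dropping it into a shared folder, it helps to check which identifiers the file actually contains. The Python script below is an added example written for this article, not a tool from ExpressVPN or any healthcare provider. It scans text for a few of the identifiers listed under "How ePHI differs from PHI" (SSN, phone number, email address, dates, and a record number) and redacts them. The sample clinic note is constructed, the regular expressions assume common US formats, and the MRN label is a hypothetical convention; pattern matching cannot catch patient names or free-text diagnoses, so an empty result is a floor, not a guarantee.

```python
import re
from collections import defaultdict

# Patterns for a few of the identifiers named in this article. The formats are
# assumed common US conventions (e.g., 123-45-6789 for an SSN), not HIPAA definitions.
PATTERNS = {
    # Area 000/666/9xx, group 00 and serial 0000 are never issued, so skip them.
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # (555) 010-1234, 555-010-1234, 555.010.1234; lookbehind instead of \b so "(" counts.
    "phone": re.compile(r"(?<!\w)(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # MM/DD/YYYY dates (birth dates and treatment dates are HIPAA identifiers).
    "date": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    # Hypothetical "MRN: ..." label; real record-number formats vary by provider.
    "mrn": re.compile(r"\bMRN[:#\s]*[A-Z0-9-]{4,}\b", re.IGNORECASE),
}


def scan(text):
    """Return {kind: [matched strings]} for every identifier pattern found in text."""
    found = defaultdict(list)
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            found[kind].append(match.group(0))
    return dict(found)


def redact(text):
    """Replace each identifier with a [KIND] placeholder; return (redacted_text, counts)."""
    counts = {}
    for kind, pattern in PATTERNS.items():
        text, n = pattern.subn(f"[{kind.upper()}]", text)
        if n:
            counts[kind] = n
    return text, counts


def safe_to_share(text):
    """True only when no pattern matches. Names and diagnoses are NOT detected."""
    return not scan(text)


# Constructed sample note; every value is fictional.
SAMPLE_NOTE = """\
Patient: Jane Doe   DOB: 04/12/1987   MRN: A12-90087
SSN: 123-45-6789  Phone: (555) 010-1234  Email: jane.doe@example.com
Visit 12/05/2024: lab results reviewed, refill sent to pharmacy.
"""

if __name__ == "__main__":
    for kind, hits in scan(SAMPLE_NOTE).items():
        print(f"{kind}: {hits}")
    redacted, counts = redact(SAMPLE_NOTE)
    print(counts)
    print(redacted)
```

Run it against a text export of the record before sharing; if it reports anything, either redact the copy or send it through the provider's portal instead of email.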

Exposure can also occur when people share health information with digital services that are not covered by HIPAA. These services may still be subject to other privacy or consumer protection laws, but their data practices depend on the app’s privacy policy, permissions, business model, and applicable laws.

What to do if you receive an ePHI breach notification

Under HIPAA's Breach Notification Rule, covered entities must notify affected individuals after a breach of unsecured protected health information (PHI that was not encrypted or otherwise rendered unreadable according to HHS guidance). Notice must be sent without unreasonable delay and no later than 60 calendar days after the breach is discovered. If the breach happens at a business associate, the business associate must notify the covered entity, which then notifies the affected individuals. Receiving this notice generally means the organization determined that identifiable health information was involved and that notification was required.

To understand exactly how this may apply, here are the next steps to take:

  1. Read the notice carefully: The notice should explain what happened, when the event was discovered, what information was involved, and what the organization has done in response. It should also include recommended steps for affected individuals and contact information.
  2. Check what information may have been exposed: The specific data involved affects the potential impact. See which electronic records, identifiers, insurance details, or financial information were compromised. An SSN, financial credentials, or insurance details can increase the risk of identity theft more than a name alone.
  3. Watch for suspicious activity: Review medical bills, explanation of benefits (EOB) statements from your insurer, and debt collection notices for care you did not receive, and check your credit reports for unfamiliar accounts. If an SSN was exposed, consider placing a fraud alert or credit freeze with the credit bureaus.
  4. Use any protection services offered: Review any complimentary support, such as identity monitoring or a dedicated helpline, and note the coverage details and duration. These resources can help monitor for possible misuse, report medical billing errors, and support a recovery plan.
  5. Contact the organization with questions: Use the contact information or toll-free number provided to clarify how the breach may affect your specific medical or billing records. If you suspect medical identity theft, contact your healthcare providers and insurers. Request your medical records from any location where your information may have been used. You can use those records to dispute fraudulent entries.

How to protect your health information

Healthcare providers and business associates must protect ePHI stored or shared through their systems. But once health records are downloaded to a personal device or shared with an external app, that copy may no longer be protected in the same way. At that point, protection also depends on the security of your local account, app, and device.

Boost your account security

Securing the portals and cloud services where health data is accessed or stored can help reduce the impact of unauthorized access.

Start with strong password hygiene. Use long and unique passwords for every account. This reduces the risk that a password exposed on one platform can be reused in credential-stuffing attacks to access related accounts.

Consider enabling two-factor authentication (2FA) where available. It adds an extra login step, such as entering a one-time code, approving an authenticator prompt, or completing a biometric check, so a stolen password alone isn't enough to take over the account. Where the portal offers a choice, an authenticator app or a passkey is stronger than a code sent by SMS, which can be intercepted through SIM swapping or simply typed into a phishing page.

Password managers can automate password creation and storage and, in many cases, monitor for credentials that appear in data breaches.

For example, ExpressVPN's ExpressKeys can generate and store strong, unique passwords and monitor for exposed account information. If a monitored account appears in a leak, it can notify users so they can respond. The app also supports 2FA and passkeys as additional account protections.

Be cautious with health-related emails and texts

Watch out for signs of a phishing attempt. Be especially cautious about messages that use urgency to request personal details, such as claiming health coverage is suspended unless account information is updated immediately.

Avoid unexpected attachments, mismatched links, and requests to send sensitive details via email, text, or other channels not intended for secure healthcare communication.

If a message seems doubtful, verify it by calling the provider using a phone number from an official source, such as your insurance card or a prior statement, rather than a number in the message. Log in to patient portals by typing the official URL directly into a browser or using a saved bookmark, rather than following embedded links.
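A concrete way to apply the "mismatched links" check from the phishing sections: the Python script below, an added example and not part of the original article, parses the links in an HTML message and flags the red flags described above (a destination that isn't the provider's domain, link text that shows one domain while pointing at another, a raw IP address, punycode, or plain http). TRUSTED_DOMAINS and the sample message are constructed placeholders, and registrable_domain() approximates the registrable domain as the last two host labels, which is a simplification; a production tool would use the Public Suffix List.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the patient actually uses, taken from a bookmark or a printed statement.
# Constructed placeholder values, not real providers.
TRUSTED_DOMAINS = {"examplehealth.org", "exampleplan.com"}


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels (ignores multi-part TLDs)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href, text):
    """Return the list of red flags for one link; an empty list means none were found."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        reasons.append(f"scheme is {parsed.scheme or 'missing'}, not https")
    if host.replace(".", "").isdigit():
        reasons.append("host is a raw IP address")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("host uses punycode (possible look-alike characters)")
    if registrable_domain(host) not in TRUSTED_DOMAINS:
        reasons.append(f"host {host!r} is not a trusted provider domain")
    # If the visible text itself looks like a URL or domain, it must agree with the real target.
    shown = text.lower()
    if "." in shown and " " not in shown:
        shown_host = urlparse(shown if "://" in shown else "https://" + shown).hostname or ""
        if shown_host and registrable_domain(shown_host) != registrable_domain(host):
            reasons.append(f"link text shows {shown_host!r} but points to {host!r}")
    return reasons


def audit_email(html):
    """Return [(href, text, reasons)] for every link in the message."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, text, check_link(href, text)) for href, text in collector.links]


# Constructed phishing sample: a look-alike subdomain, a raw-IP link, and one genuine link.
SAMPLE_EMAIL = """<p>Your coverage will be suspended in 24 hours.</p>
<a href="https://portal.examplehealth.org.account-verify.net/login">https://portal.examplehealth.org</a>
<a href="http://203.0.113.7/mychart">Update your information</a>
<a href="https://www.examplehealth.org/portal">Patient portal</a>"""

if __name__ == "__main__":
    for href, text, reasons in audit_email(SAMPLE_EMAIL):
        print(href, "->", reasons or "no red flags")
```

The first link passes a casual glance because the trusted domain appears at the start of the host, but the registrable domain is account-verify.net; the check catches it the same way a browser's address bar would if you read it from the right.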

Limit what personal health apps can collect

Privacy risk depends less on the app category and more on what data the app collects, whether it syncs to the cloud, which permissions it requests, and whether it shares data with third parties. Apps that use questionnaires, symptom logs, or treatment details may collect particularly sensitive information.

Be selective about the information you share with commercial wellness and fitness apps. If asked to create an account, provide only the minimum required details and opt out of cloud syncing if a local-only storage option is available. When registering, consider using a separate email address rather than the one linked to your healthcare providers.

Restricting app permissions can reduce the amount of data an app can collect or access, though it may not stop all data collection or third-party sharing.

How to better safeguard your important health records

Using encrypted storage is essential if you plan to keep copies of sensitive records.

Consider using a cloud storage provider with end-to-end encryption (E2EE). This can reduce the risk of server-side exposure, though device security, account security, and sharing settings still matter.

For local storage, use an encrypted archive or a secure phone folder. If you rely on a password-protected ZIP file, make sure the tool uses AES-256 rather than the legacy ZipCrypto scheme, which is easily broken; 7-Zip and most modern archivers offer this option. Full-disk encryption can also help protect files stored on the device. These steps can help keep records unreadable if a locked device is lost or stolen, provided the device and storage settings are properly configured.

Your rights as a patient under HIPAA

HIPAA gives individuals specific rights regarding PHI and sets limits on who can access or receive it.

  • Right to access your health information: You have the right to view and get copies of PHI about you in a covered entity's designated record set, with some exceptions. This can include medical records, billing records, and health plan records. Covered entities must usually act on these requests within 30 calendar days. If they need more time, they may take one additional 30-day extension if they provide a written explanation and an expected completion date.
  • Right to request corrections: You can ask providers or health plans to fix incorrect or incomplete medical and billing records. If they deny your request, they must provide a written explanation, and you have the right to add a formal statement of disagreement to your official file.
  • Right to know how your information is used: You can request a privacy notice explaining how a covered entity may use and disclose PHI, what rights you have, and what legal duties the organization has. You may also request an accounting of certain disclosures, though some disclosures are excluded.
  • Right to ask for privacy protections: You can request limits on certain uses or disclosures, such as for treatment, payment, or healthcare operations. Covered entities don’t always have to agree, but they must follow restrictions they accept, except in limited situations such as emergencies. You can also request confidential communications, such as asking a provider or health plan to contact you at a different phone number, address, or communication method.
  • Right to file a privacy complaint: You can submit a complaint if you believe a covered entity or business associate violated HIPAA Rules. Complaints to the Office for Civil Rights (OCR) generally must be filed within 180 days of when you knew or should have known about the incident, though OCR may waive the deadline for good cause.

FAQ: Common questions about ePHI data

What types of digital health information does HIPAA protect?

The Health Insurance Portability and Accountability Act (HIPAA) protects individually identifiable health information held or transmitted by covered entities and business associates. When this protected health information (PHI) is stored or sent electronically, it's known as electronic protected health information (ePHI). This can include patient portal information, digital lab results, and electronic insurance or billing records.

Can health apps share my information?

Yes. Commercial health and fitness apps can collect, share, or sell health data, depending on their privacy policies, permissions, and applicable laws. Health information stored on a personal phone usually isn't protected by the Health Insurance Portability and Accountability Act (HIPAA) unless the app is provided by, or acting for, a covered healthcare provider, health plan, or business associate. Some non-HIPAA health apps may still be covered by the Federal Trade Commission (FTC) Health Breach Notification Rule and FTC consumer protection enforcement.

Can family members access someone’s health information?

Family members or friends don’t automatically have full access to someone’s health information. A provider or health plan may share relevant information if the individual agrees, doesn't object when given the opportunity, or appoints the person as a personal representative. If the individual is unavailable or incapacitated, a provider may share limited, relevant information with someone involved in care or payment when, based on professional judgment, doing so is in the patient’s best interest.

Can I ask a provider to change incorrect health information?

Under the Health Insurance Portability and Accountability Act (HIPAA), you have the right to request corrections to inaccurate or incomplete medical and billing records. Providers or health plans must respond to the request, and if they deny it, they must explain why in writing. You can then add a formal statement of disagreement to your record.

Why did I receive a healthcare data breach letter?

Federal Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rules require covered entities to notify affected individuals after a breach of unsecured protected health information. Receiving a letter generally means the organization determined that identifiable health information was involved and that notification was required. The notice should explain what happened, what information was involved, what the organization is doing in response, and what steps affected individuals can take.

What should I do if I think my ePHI was misused or exposed?

If you suspect your electronic protected health information (ePHI) was exposed, contact your healthcare provider or insurer to confirm what happened and report incorrect billing or healthcare records. In the U.S., suspected identity theft can be reported through IdentityTheft.gov, while internet-enabled fraud or cybercrime can be reported to the FBI's Internet Crime Complaint Center (IC3). You can also file a complaint with the Department of Health and Human Services (HHS) if a covered entity or business associate improperly handled your protected health information.

Outside the U.S., contact the healthcare provider, insurer, or app involved and report privacy concerns to the relevant data protection authority, such as the Information Commissioner’s Office (ICO) in the U.K. or the national Data Protection Authority in an EU member state.

Diana Popa is a writer for the ExpressVPN Blog, where she focuses on cybersecurity and online privacy. She has almost half a decade of firsthand experience in tech and fintech content, and she uses this background to provide practical guidance, helping readers navigate the online world more safely. When she’s not researching the latest privacy developments or crafting guides, she’s either out on a long walk or studying a foreign language just for fun.
