During a 2023 OCR investigation, a mid-sized cardiology practice received a $1.5 million penalty — not because of a sophisticated cyberattack, but because staff routinely emailed patient lab results using unencrypted personal Gmail accounts. The practice argued that employees didn't realize those emails contained electronic protected health information. That excuse didn't hold up. If your workforce can't answer the question "Which of the following is an example of ePHI?", your organization faces the same risk.
Which of the Following Is an Example of ePHI? The Definitive Answer
On HIPAA training assessments, the question often appears in multiple-choice format: Which of the following is an example of ePHI? Common answer options include a patient's name stored in an electronic health record, a paper prescription pad, a verbal conversation in a hallway, or a hospital's street address.
The correct answer is a patient's name stored in an electronic health record. More precisely, ePHI is any protected health information that is created, received, maintained, or transmitted in electronic form. A patient's name linked to diagnostic codes in an EHR, a digital X-ray stored on a PACS server, a billing record in a claims database — all qualify as ePHI.
Paper records and verbal communications are covered by the HIPAA Privacy Rule, but they fall outside the HIPAA Security Rule's scope. The Security Rule (45 CFR Part 164, Subparts A and C) applies exclusively to electronic protected health information.
What Makes Data Qualify as ePHI Under HIPAA
Two conditions must be met simultaneously. First, the information must be individually identifiable health information — data that relates to a patient's health condition, healthcare provision, or payment for care and identifies or could reasonably identify the individual. Second, that data must exist in electronic media.
Electronic media includes hard drives, USB drives, cloud servers, email systems, mobile devices, and any removable or transportable digital storage. The definition under 45 CFR §160.103 is deliberately broad. If the information passes through or rests on an electronic device at any point, it's ePHI during that phase.
Here's where healthcare organizations consistently struggle: they underestimate how many systems contain ePHI. Voicemail systems that digitize messages, fax servers that store transmissions electronically, patient portals, wearable device data synced to provider platforms — all of these house ePHI and must be secured accordingly.
Common Examples Your Workforce Should Recognize
- Patient demographics (name, date of birth, Social Security number) stored in an EHR system
- Lab results transmitted electronically between a reference lab and a provider
- Digital images (MRIs, CT scans, dental X-rays) on imaging servers
- Insurance claims submitted through electronic clearinghouses
- Appointment reminders sent via email or text that include health details
- Billing records in a practice management system
- Patient health data collected by a mobile health app connected to a covered entity
Anything on this list falls under the HIPAA Security Rule's full set of administrative, physical, and technical safeguards.
Why Misidentifying ePHI Creates Real Compliance Gaps
If your workforce doesn't know what ePHI looks like, they can't protect it. OCR enforcement actions consistently reveal a pattern: organizations fail to include all ePHI repositories in their risk analysis — the foundational requirement of the Security Rule under 45 CFR §164.308(a)(1).
In my work with covered entities and business associates, I see the same mistake repeated. An organization conducts a risk analysis that covers the EHR but ignores the scheduling system, the cloud-based billing platform, or the physician's personal tablet. Each overlooked system is an unmanaged risk — and an invitation for an OCR corrective action plan.
Between 2020 and 2024, OCR settled or imposed penalties in dozens of cases where inadequate risk analysis was a primary finding. The minimum necessary standard also comes into play: workforce members who can't identify ePHI are unlikely to limit their access and use of it to only what their role requires.
The Security Rule Safeguards That Protect ePHI
Once your organization has accurately identified where ePHI lives, the Security Rule requires three categories of safeguards:
Administrative Safeguards
These include your risk analysis, risk management plan, workforce training, and sanction policies. Every workforce member — not just clinical staff — must understand how to handle ePHI. Front desk staff, billing specialists, IT contractors, and business associates all interact with electronic protected health information.
Physical Safeguards
Facility access controls, workstation security, and device and media controls ensure that physical access to systems containing ePHI is restricted. A laptop left in an unlocked car isn't just a theft risk — it's a potential HIPAA breach if ePHI is stored on that device.
Technical Safeguards
Access controls, audit controls, integrity controls, and transmission security form the technical backbone. Encryption is addressable — not optional. If your organization decides not to encrypt ePHI in transit or at rest, you must document an equivalent alternative measure. OCR has made clear in multiple guidance documents that forgoing encryption without documented justification is indefensible.
The Workforce Training Requirement Most Organizations Underestimate
Under 45 CFR §164.530(b), covered entities must train all workforce members on HIPAA policies and procedures. Under the Security Rule at §164.308(a)(5), security awareness training is a required administrative safeguard. These aren't suggestions — they're mandates.
Yet I regularly encounter organizations where training consists of a single onboarding video that hasn't been updated since 2018. That approach fails to address evolving threats like phishing attacks targeting ePHI, ransomware, and social engineering tactics that exploit workforce members who can't distinguish ePHI from non-regulated data.
Effective training ensures every team member can answer questions like "Which of the following is an example of ePHI?" without hesitation. If you're looking to build that competency across your entire organization, HIPAA training and certification programs provide structured, up-to-date content that addresses both Privacy Rule and Security Rule requirements.
Practical Steps to Lock Down ePHI Across Your Organization
Start with a comprehensive, current risk analysis that maps every system, device, and application where ePHI is created, received, maintained, or transmitted. Don't limit your scope to the EHR — include cloud services, mobile devices, email platforms, and any business associate systems that touch your data.
Implement role-based access controls so workforce members access only the minimum necessary ePHI for their job functions. Monitor access logs regularly. Encrypt ePHI at rest and in transit unless you've documented a defensible alternative.
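As an added example that is not part of the original article, the Python sketch below shows the two controls this paragraph names working together: a minimum-necessary check that maps each role to the ePHI repositories it may read, and a review pass over audit-log lines that flags out-of-role reads and unusual export volume. The role names, the key=value log format, the sample entries and the export threshold are all constructed for illustration, not taken from any real system.

```python
"""Added example (not from the original article): minimum-necessary access
checks plus a review of ePHI access-log lines. Roles, resources, log format
and sample entries are constructed for illustration."""
from collections import Counter
from dataclasses import dataclass

# Constructed policy: which ePHI repositories each role needs for its job.
# Anything not listed is outside the role's minimum necessary scope.
ROLE_PERMISSIONS = {
    "front_desk": {"scheduling", "demographics"},
    "billing": {"demographics", "claims", "billing"},
    "clinician": {"demographics", "ehr_clinical", "imaging", "lab_results"},
    "it_contractor": set(),  # infrastructure duties only; no ePHI reads by default
}


@dataclass(frozen=True)
class AccessEvent:
    user: str
    role: str
    resource: str
    patient_id: str
    action: str  # e.g. "read" or "export"


def is_permitted(event: AccessEvent) -> bool:
    """Minimum-necessary check: the role may only touch repositories it needs."""
    return event.resource in ROLE_PERMISSIONS.get(event.role, set())


def parse_log_line(line: str) -> AccessEvent:
    """Parse one line of the constructed 'key=value key=value' audit format."""
    fields = dict(part.split("=", 1) for part in line.split())
    return AccessEvent(
        user=fields["user"],
        role=fields["role"],
        resource=fields["resource"],
        patient_id=fields["patient"],
        action=fields["action"],
    )


def review_access_log(lines, export_threshold: int = 3) -> list:
    """Return findings: out-of-role reads and users exporting many records.

    Out-of-role findings are listed in log order; volume findings follow.
    """
    findings = []
    exports = Counter()
    for line in lines:
        ev = parse_log_line(line)
        if not is_permitted(ev):
            findings.append(
                f"out-of-role access: {ev.user} ({ev.role}) accessed "
                f"{ev.resource} for patient {ev.patient_id}"
            )
        if ev.action == "export":
            exports[ev.user] += 1
    for user, count in exports.items():
        if count >= export_threshold:
            findings.append(f"high export volume: {user} exported {count} records")
    return findings


# Constructed sample audit entries (not real data).
SAMPLE_LOG = [
    "user=jdoe role=front_desk resource=scheduling patient=P001 action=read",
    "user=jdoe role=front_desk resource=lab_results patient=P002 action=read",
    "user=asmith role=billing resource=claims patient=P003 action=export",
    "user=asmith role=billing resource=claims patient=P004 action=export",
    "user=asmith role=billing resource=billing patient=P005 action=export",
    "user=mlee role=clinician resource=imaging patient=P006 action=read",
    "user=tkim role=it_contractor resource=ehr_clinical patient=P007 action=read",
]

if __name__ == "__main__":
    for finding in review_access_log(SAMPLE_LOG):
        print(finding)
```

Running the block prints three findings for the constructed log: the front-desk user reading lab results, the IT contractor reading clinical records, and the billing user crossing the export threshold. In practice the role map would come from the identity provider and the log lines from the EHR or SIEM, but the review logic is the same: compare each access against the role's documented need, then look for volume patterns that a per-event check alone would miss.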
Update your Notice of Privacy Practices to accurately describe how your organization uses and discloses PHI, including electronic disclosures. Review business associate agreements to confirm they address ePHI security obligations explicitly.
Finally, invest in ongoing workforce education. A single annual training session isn't sufficient when threat landscapes change quarterly. Platforms like HIPAA Certify help organizations maintain continuous compliance readiness with workforce-wide training that covers ePHI identification, handling, and incident response.
ePHI Identification Is the Foundation of HIPAA Security
Every safeguard in the Security Rule depends on your organization's ability to accurately identify what constitutes ePHI. Miss a system, overlook a device, or fail to train a single workforce member, and you've introduced a gap that OCR can — and does — penalize. The question "Which of the following is an example of ePHI?" isn't just a training quiz item. It's the baseline competency that separates compliant organizations from the next enforcement headline.