
    PHI and ePHI

    Individually identifiable health information (PHI) and its electronic form (ePHI) - the data class HIPAA protects.

    Reviewed by Christian Espinosa, Founder, Blue Goat Cyber. Last reviewed May 5, 2026

    Definition

    Protected Health Information (PHI) is individually identifiable health information held or transmitted by a HIPAA Covered Entity or Business Associate, in any form. Electronic PHI (ePHI) is PHI in electronic media. PHI includes the 18 HIPAA identifiers (names, dates, geographic subdivisions smaller than state, contact info, SSNs, MRNs, biometric identifiers, and more) when linked to health information.

    What the regulation says

    The HIPAA Privacy Rule governs use and disclosure of PHI; the Security Rule governs the technical/administrative/physical safeguards for ePHI. HHS OCR enforces both. De-identification under the Safe Harbor standard (removal of all 18 identifiers) or Expert Determination removes data from PHI status.

    What this means in practice

    MedTech architects should map every data field in the device and back-end against the 18 identifiers and design data flows to minimize PHI surface area. Common patterns: de-identify telemetry at source, segregate identified-data services, encrypt every PHI store, and log every PHI access.

    Common pitfalls

    • Treating MAC addresses or device serial numbers as non-identifying - they can re-identify when linked to other data.
    • Pseudonymizing PHI and calling it de-identified - pseudonymization is not de-identification under HIPAA.
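
The field-mapping and de-identify-at-source pattern above, together with both pitfalls, as an added Python example (not code from this page or from any device vendor). All field names and the sample record are constructed assumptions; the year-only date and 90+ age handling follow the Safe Harbor rule text, which this page does not spell out.

```python
from datetime import date

# Hypothetical telemetry schema: every field is mapped to a handling rule.
# Comments name the Safe Harbor identifier category that drives the rule.
SCHEMA = {
    "patient_name":  "drop",       # names
    "mrn":           "drop",       # medical record numbers
    "patient_hash":  "drop",       # pseudonym derived from the MRN: still a unique code
    "device_serial": "drop",       # device identifiers and serial numbers
    "mac_address":   "drop",       # re-identifies when linked to other data
    "zip_code":      "drop",       # geographic subdivision smaller than state
    "state":         "keep",
    "reading_time":  "year_only",  # dates: only the year may remain
    "age":           "cap_90",     # ages over 89 are aggregated to 90+
    "glucose_mg_dl": "keep",
    "firmware":      "keep",
}

def deidentify_at_source(record, schema=SCHEMA):
    """Return (clean, removed). Fields missing from the schema fail closed."""
    clean, removed = {}, []
    for field, value in record.items():
        rule = schema.get(field, "drop")   # unmapped field: treat as identifying
        if rule == "keep":
            clean[field] = value
        elif rule == "year_only":
            clean[field + "_year"] = date.fromisoformat(value[:10]).year
        elif rule == "cap_90":
            clean[field] = "90+" if int(value) > 89 else int(value)
        else:
            removed.append(field)
    return clean, sorted(removed)          # 'removed' feeds the audit log

# Constructed sample record, not real patient or device data.
SAMPLE = {
    "patient_name": "Test Patient", "mrn": "000000", "patient_hash": "ab12cd34",
    "device_serial": "SN-EXAMPLE-1", "mac_address": "02:00:00:00:00:01",
    "zip_code": "00000", "state": "CA", "reading_time": "2026-03-14T08:15:00Z",
    "age": 93, "glucose_mg_dl": 104, "firmware": "1.4.2",
    "nickname": "unmapped field added by a later firmware build",
}

if __name__ == "__main__":
    clean, removed = deidentify_at_source(SAMPLE)
    print("forwarded:", clean)
    print("stripped: ", removed)
```

Failing closed on unmapped fields means a new firmware field cannot widen the PHI surface until someone has mapped it.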

    Frequently asked questions

    By itself, no. Combined with health information about the patient using that device, it can re-identify and become PHI.
