Do you know where your ePHI is?
By: Chris Cline on Wednesday, February 1, 2012

What is PHI and ePHI?

PHI stands for Protected Health Information. It is any information that identifies an individual (either by name or through other details that could enable someone to determine their identity) and that relates to at least one of the following:

  • The past, present or future payments for health care services;
  • The provision of health care to the individual;
  • The individual's past, present or future physical or mental health.

ePHI stands for Electronic Protected Health Information. ePHI is all Protected Health Information which is stored, accessed, transmitted or received electronically.

Where can ePHI be found?
There are many places on a network where ePHI can be found. A few locations such as servers, workstations, laptops, iPads and email are at the forefront when thinking about ePHI, but there are many other possible locations which are also important to take into consideration.

In addition to the locations mentioned above, ePHI can also be found on smartphones; phone systems, in the form of recorded calls or voicemails; faxes; removable media such as USB keys, CDs and DVDs, backup tapes, external hard drives, etc.; and even multifunction devices.

Why is it important to know where my ePHI is?
Knowing where ePHI exists on your network is a critical step in avoiding a breach of information.

What can I do to locate ePHI on my network?

  • Collect an Inventory of Your Computing Infrastructure
    An inventory of hardware and software can provide a clear picture of the potential locations for ePHI.
  • Implement a Data Loss Prevention Product
    Data Loss Prevention (DLP) products can scan servers, workstations and laptops/tablets for ePHI. Most of these products have policies that perform certain actions when ePHI is found on a device. The most common actions for these products are to report, destroy or encrypt.
  • Perform a Security Risk Assessment
    A security risk assessment can help discover any gaps that could potentially create a breach. Security risk assessments should be performed whenever major system changes occur in your infrastructure, and on a recurring basis, with the schedule determined by the outcome of previous risk assessments.
  • Implement Policies and Procedures
    Create and implement written policies that determine where ePHI is allowed to exist. Communicate these policies to your staff as part of your regulatory compliance training. Use security risk assessments, data loss prevention products, system inventories or other automated systems to audit that these policies are being followed.
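
The sketch below is an added example, not part of the original article or any DLP product. It applies the PHI definition above (an identifier plus a payment, provision or health relation) to an inventory and reports content found outside the locations a written policy allows. The regex patterns, location names and sample records are constructed assumptions for illustration.

```python
import re

# Illustrative identifier patterns (assumptions, not a vendor rule set).
IDENTIFIERS = {
    "name": re.compile(r"\b(?i:patient|member)(?:\s+(?i:name))?\s*:\s*[A-Z][a-z]+ [A-Z][a-z]+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.I),
}
# One term list per category in the PHI definition (also illustrative).
CATEGORIES = {
    "payment": re.compile(r"\b(claim|copay|invoice|billing|insurance)\b", re.I),
    "provision": re.compile(r"\b(appointment|admitted|prescri\w+|procedure|referral)\b", re.I),
    "health": re.compile(r"\b(diagnos\w+|condition|allerg\w+|lab result|symptom\w*)\b", re.I),
}

def classify(text):
    """Flag text as an ePHI candidate only if it has an identifier AND a category."""
    ids = sorted(k for k, p in IDENTIFIERS.items() if p.search(text))
    cats = sorted(k for k, p in CATEGORIES.items() if p.search(text))
    return {"ephi_candidate": bool(ids and cats), "identifiers": ids, "categories": cats}

def audit(inventory, allowed_locations):
    """Report ePHI candidates stored on location types the policy does not allow."""
    findings = []
    for location, path, text in inventory:
        result = classify(text)
        if result["ephi_candidate"] and location not in allowed_locations:
            findings.append((location, path, result["identifiers"], result["categories"]))
    return findings

# Constructed sample inventory: (location type, path, extracted text).
SAMPLE_INVENTORY = [
    ("server", "/srv/ehr/export.csv", "Patient: Jane Doe, MRN: 00123456, diagnosis: asthma"),
    ("usb", "E:/notes.txt", "Member name: John Roe 123-45-6789 copay due for procedure"),
    ("laptop", "C:/tmp/menu.txt", "Cafeteria menu; allergy information available on request"),
    ("voicemail", "vm/0042.txt", "Patient: Ann Lee, please confirm your appointment"),
]
ALLOWED_LOCATIONS = {"server"}  # hypothetical written policy: ePHI only on servers

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY, ALLOWED_LOCATIONS):
        print("policy violation:", finding)
```

The laptop record contains a health term but no identifier, so it is not reported; the server record is an ePHI candidate but sits in an allowed location.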


Chris Cline is a Senior Sales Engineer at mindSHIFT Technologies, Inc., based in our Morrisville, NC office.


