What is ePHI? A Modern Guide to HIPAA Security & Data Protection

Under the Health Insurance Portability and Accountability Act (HIPAA), any information that can be used to identify a patient is considered Protected Health Information (PHI). When that data exists in a digital format—such as a digital medical report, a case ticket in Zendesk, or a patient record in Salesforce—it becomes electronic PHI, or ePHI.

While HIPAA applies the same confidentiality rules to all PHI, ePHI poses unique risks. Because digital data is easily copied, transmitted, and integrated into automated workflows, it requires specific technical safeguards to prevent data breaches. 

What is Protected Health Information (PHI)?

PHI is any health, treatment, or billing information that can be linked to a specific individual.

For data to be considered PHI, it must contain one of the 18 specific identifiers outlined by HIPAA. Common examples include:

•    Names
•    Dates (e.g., birthdates, admission dates, discharge dates)
•    Geographic locations (street address, zip code)
•    Contact numbers (phone, fax)
•    Digital contact info (email addresses, IP addresses, URLs)
•    Identifying numbers (Social Security, medical record numbers, health plan beneficiary numbers)
•    Biometric identifiers (fingerprints, full-face photos)

When can PHI be shared?

Under the HIPAA Privacy Rule, PHI can generally only be used to facilitate medical treatment, payment, and healthcare operations. Exceptions exist (such as court-ordered warrants), but unauthorized disclosure is a violation of federal law.

Note: If medical information is "de-identified"—meaning all 18 identifiers are removed—it is no longer subject to the HIPAA Privacy Rule and can be used for research or case studies.

What is ePHI Security?

ePHI security refers to the Technical Safeguards required by the HIPAA Security Rule to protect the integrity, confidentiality, and availability of patient data.

Because ePHI travels across networks and servers, organizations managing healthcare data must implement digital security best practices, including:

1. Access Control: Ensuring only authorized personnel can access ePHI (e.g., unique user IDs, automatic log-off, granting access only to those with a need to know).
2. Authentication: verifying the identity of the person seeking access (e.g., Strong passwords, Multi-Factor Authentication/MFA).
3. Audit Controls: Recording and examining activity in information systems that contain ePHI to ensure any unauthorized access is prevented or mitigated.
4. Transmission Security: Ensuring ePHI remains protected when it needs to be shared.

Encrypting ePHI for HIPAA Compliance

The most effective way to secure ePHI is encryption. Encryption scrambles data so that it is unreadable to anyone without the correct decryption key.

To meet modern security standards, providers must protect ePHI end-to-end. Whether the data is sitting in a cloud outbox, moving through a gateway, or stored in a SaaS platform like Salesforce, it must remain encrypted. This ensures that even if a network is breached, the patient data remains unintelligible to hackers.

It's important to note that "encrypting PHI" can mean very different things: TLS (transport layer security) is a method of encryption that protects data in transit — usually a couple of seconds while it's sending — but does not provide any further protection. End-to-end encryption, however, ensures that information remains secure even after it reaches its destination. 

Recommended Reading: TLS vs. End-to-End Encryption: What’s the Difference?

Beyond the Portal: How to Secure ePHI in the Cloud

Historically, providers forced patients to log into clunky "patient portals" to view secure messages. However, portals have low adoption rates, frustrate users, and fail to integrate with modern provider workflows.

To support compliance and business efficiency, organizations are moving away from portals and toward data-centric security. This approach attaches security directly to the data itself (whether it's a file, an email, or another piece of data), and it doesn't require users to log into a separate portal to view healthcare information.

This allows providers to protect ePHI across three critical areas:

•    Email Communication: Direct messaging with patients and partners.
•    File Transfer: Sharing large files like X-rays or legal records.
•    Automated Workflows: Managing ePHI inside CRMs and ticketing systems.

Protect ePHI with Virtru: Email, Files, and SaaS

Virtru provides holistic, data-centric encryption that integrates directly into the tools your team uses every day. By combining military-grade encryption with consumer-grade ease of use, Virtru ensures HIPAA compliance without slowing down care delivery.

Here is how Virtru protects ePHI across your ecosystem:

1. HIPAA Compliant Email (Gmail & Outlook)

Virtru allows you to send encrypted, HIPAA-compliant emails directly from your existing inbox. With client-side encryption, ePHI is protected before it leaves your device, preventing cloud providers (like Google or Microsoft) from scanning your patient data. Virtru goes beyond TLS email encryption with stronger access controls and more persistent security that stays with the data. Here's what Jason Karn, Chief Compliance Officer at Total HIPAA, said about using Virtru's email security:

2. Secure File Sharing (Virtru Secure Share)

Emailing large files can be risky and technically difficult. Virtru Secure Share provides a secure, encrypted platform for the intake and sharing of large sensitive files—such as high-res medical imaging or bulk patient history—without file size limits. 

This is also important for software companies like Xealth, which does not deliver healthcare directly, but serve hospital systems and healthcare providers. Xealth uses Virtru Secure Share to send and receive large files of both test ePHI and real ePHI for software deployments. 

3. Automated Compliance (Data Protection Gateway for Salesforce)

Human error causes the majority of data breaches. The Virtru Data Protection Gateway secures ePHI automatically. It sits between your email server and the recipient, scanning outbound traffic. If it detects ePHI (like a Social Security number or diagnosis code), it automatically encrypts the email, ensuring compliance even if the employee forgets.

Here's what Steven Schwartzberg, Director of Information Systems for Tribeca Pediatrics, said about using the Virtru Gateway for Salesforce: 

“Virtru came into the picture in conjunction with our Salesforce implementation. We want to make our communication as consumer-friendly as possible. The healthcare industry is moving that direction, because it’s what patients and families expect. For example, we communicate with a lot of young parents who are used to seamless experiences in other industries.” 

4. SaaS Integrations (Zendesk, Google Drive)

Modern healthcare relies on SaaS platforms, but these are often massive targets for cyberattacks.

• Zendesk: Virtru Secure Share integrates with Zendesk to allow secure, encrypted support ticketing workflows. You can receive PHI via a ticket and reply securely without leaving the Zendesk console.

"Zendesk is not natively HIPAA compliant with email," said Daniel Brundige, VP of IT at Bennie. "A lot of people don't realize that. We have a lot of that back-and-forth requesting and sending in Zendesk. There's lots of different variances in the world of healthcare. We want to do our best to protect our customers and their data. We looked at the [Virtru] platform and it just felt right, looked right, and it worked well. " 

Ready to modernize your HIPAA strategy?

Book a demo today to see how Virtru can protect your ePHI in email, files, Salesforce, and Zendesk.

Frequently Asked Questions about ePHI

Is email considered ePHI?

Email itself is a transmission method, but if the content of the email contains identifiable patient data, that email is ePHI and must be encrypted to comply with HIPAA.

Does de-identified data count as ePHI?

No. If data has been stripped of all 18 HIPAA identifiers (de-identified), it is no longer considered ePHI and is not subject to the Privacy Rule.

Can I use Gmail for HIPAA?

Standard Gmail is not HIPAA compliant on its own. However, by signing a BAA with Google and using a third-party encryption tool like Virtru, you can make Gmail HIPAA compliant.