Above–Threshold ePHI systems

Please review and familiarize yourself with the Compliance Information and Compliance Requirements. You are responsible for complying with these requirements.


All above–threshold ePHI systems must be registered and entered into the University System Inventory Database. This database is maintained by the Information Security Office (ISO) which records System Owners’ or their designees’ self–assessment information for each above–threshold ePHI system. The ISO and University Auditing use the Above–Threshold ePHI System Inventory Database to identify above–threshold systems for sampling audits and, during those audits, for accuracy of the self–assessments.

A reference guide for system administrators and additional documentation is available for system administrators and data owners.

What is an above–threshold ePHI system?

An above–threshold ePHI is a system that creates, accesses, transmits or receives:

  1. Primary source ePHI,
  2. ePHI critical for treatment, payment or health care operations or
  3. Any form of ePHI where the host system is configured to allow access by multiple people.
Examples include:
  • Personal computer with a Microsoft Access database containing ePHI that is configured to allow access by more than one person,
  • Departmental server containing ePHI,
  • Computer system used to create, access, transmit or receive ePHI that is configured to allow access by a non–Yale vendor/contractor,
  • Clinical care system which contains primary source ePHI, and
  • Billing system which is critical for clinical operations.

How do I register an above–threshold ePHI system?

Fill out the online registration form.