
Protected health information (PHI) must be stored securely to comply with HIPAA regulations and protect patient privacy.
Why secure PHI storage matters
When healthcare organizations fail to protect this sensitive data, the consequences can be legal, reputational, clinical, and operational. Here’s a deeper look, backed by research and expert insights:
Legal penalties
Storing PHI improperly is a direct violation of the HIPAA Security and Privacy Rules. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) can impose civil monetary penalties ranging from $141 to $71,162 per violation, with an annual cap of $2 million per identical provision.
As of October 2024, the HHS reported that OCR has settled or imposed penalties in 152 cases, totaling approximately $144.9 million.
State attorneys general can also enforce HIPAA and pursue additional penalties, especially in cases involving negligence or harm to patients.
Go deeper: Legal liabilities associated with a data breach
Loss of patient trust
Patients share personal information with the expectation that it will be protected. A breach due to insecure PHI storage can quickly erode that trust.
A 2018 study, The Effectiveness of Health Care Information Technologies: Evaluation of Trust, Security Beliefs, and Privacy as Determinants of Health Care Outcomes, found that “Trust in health information and belief in the effectiveness of information security safeguards increases perceptions of patient care quality. Privacy concerns reduce patients’ frequency of accessing health records, patients’ positive attitudes toward HIE exchange, and overall perceived patient care quality. Health care organizations are encouraged to implement security safeguards to increase trust, the frequency of health record use, and reduce privacy concerns, consequently increasing patient care quality.” This suggests that secure PHI storage maintains patient trust, encourages engagement with health systems, and ultimately supports better care outcomes.
Read also: How HIPAA compliance improves patient trust
Patient harm
The consequences of insecure PHI storage can also be personal and even life-threatening.
For instance, a 2019 analysis by Choi and Johnson, titled Do Hospital Data Breaches Reduce Patient Care Quality?, found that hospitals suffering data breaches experienced a 0.34 percentage point increase in 30‑day mortality for acute myocardial infarction (heart attack) patients during the first year after the breach, rising to 0.45 percentage points in the second year. This increase essentially wiped out a year’s progress in improving heart attack survival rates. This academic evidence confirms that insecure PHI practices are not just compliance failures; they can have grave, real-world consequences for patient health.
Operational disruption
A breach or data loss incident often forces healthcare organizations to shut down key systems to assess and mitigate the damage. In extreme cases, this can result in full operational paralysis.
A 2024 peer-reviewed analysis in Frontiers in Digital Health, When all computers shut down: the clinical impact of a major cyber-attack on a general hospital, described how the Hillel Yaffe Medical Center in Israel was hit by the “DeepBlueMagic” ransomware in October 2021, which completely locked out the hospital’s computer systems, including EMRs, lab and imaging services, scheduling, and staff communications, for at least eight weeks. As a result of this breach:
- All computer systems were inaccessible, leaving staff unaware of patient schedules, test results, or current inpatients.
- Clinical workflows were severely disrupted, with staff unable to communicate digitally or access vital patient data.
- The hospital effectively lost its digital backbone: EMRs, lab/radiology systems, and internal communications were all offline, leading to significant patient care disruption.
The study demonstrates that such outages are not merely inconvenient; they create organizational gridlock, forcing clinicians to revert to paper and manual processes in the absence of digital backups or rapid failover systems.
The HIPAA Security Rule storage requirements
The HIPAA Security Rule focuses on the safeguarding of electronic PHI (ePHI). It mandates administrative, physical, and technical safeguards:
Administrative safeguards
Comprising over 50% of HIPAA’s Security Rule requirements, the administrative safeguards are the “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.” Under these safeguards, HIPAA-covered entities are required to:
- Implement policies for workforce training and risk management.
- Conduct regular risk assessments to identify vulnerabilities in data storage.
- Create contingency plans for data backup, disaster recovery, and emergency operations.
Go deeper: A deep dive into HIPAA's administrative safeguards
Physical safeguards
The HIPAA Security Rule physical safeguards are the “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
These safeguards are “another line of defense (adding to the Security Rule’s administrative and technical safeguards) for protecting EPHI” and require healthcare organizations to:
- Restrict access to facilities and physical storage areas.
- Use security systems (e.g., badge readers or security personnel) to protect servers and paper records.
- Dispose of physical records securely when no longer needed.
Go deeper: A deep dive into HIPAA's physical safeguards
Technical safeguards
Under HIPAA’s Security Rule, the technical safeguards are defined as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” These safeguards “are becoming increasingly more important due to technology advancements in the health care industry. As technology improves, new security challenges emerge. Healthcare organizations are faced with the challenge of protecting electronic protected health information (EPHI), such as electronic health records, from various internal and external risks. To reduce risks to EPHI, covered entities must implement technical safeguards.”
Under these safeguards, organizations must:
- Implement access controls such as unique user IDs and automatic logoffs.
- Use encryption and decryption methods for stored and transmitted data.
- Maintain audit trails to monitor access and activity on systems storing PHI.
Go deeper: A deep dive into HIPAA's technical safeguards
Cloud storage and PHI
Many healthcare organizations now use cloud services to store PHI. While convenient and scalable, cloud storage introduces unique risks. To support healthcare organizations and their business associates, the HHS released a Guidance on HIPAA & Cloud Computing which states that:
- A business associate agreement (BAA) is required
  - Cloud Service Providers (CSPs) that handle ePHI must sign a BAA.
  - This applies even if the data is encrypted and the CSP lacks the decryption keys.
- Risk analysis and risk management are required
  - Covered entities and CSPs must conduct a full risk assessment.
  - Implement safeguards based on the assessed risks.
- Service Level Agreements (SLAs) must align with HIPAA
  - Include uptime, backups, breach response, and data return terms.
  - Ensure security responsibilities are clearly defined.
- Cloud Service Providers (CSPs) are directly liable
  - Responsible for HIPAA compliance independently of contracts.
  - Must follow Security Rule and breach notification requirements.
- International data storage increases risk
  - Consider the legal, privacy, and cybersecurity risks of storing ePHI abroad.
  - Address foreign storage risks in the BAA and security plans.
Learn more: How cloud storage location affects HIPAA compliance
Mobile devices and remote work
Remote work and mobile health apps add another layer of complexity. To store PHI on mobile or remote systems, HIPAA requires that organizations:
- Develop and implement policies and procedures for mobile devices that store or access ePHI.
- Use controls like password protection, strong encryption, and automatic locking or logoff to secure devices.
- Install and regularly update anti-malware software on all portable devices.
- Maintain an inventory and tracking system for devices that hold ePHI.
- Establish secure backup processes, ensure ePHI is encrypted in backups, and manage secure disposal of mobile media.
- Ensure secure transmission over networks, avoiding unsecured public Wi‑Fi when sending ePHI.
Best practices
Encrypt PHI at rest and in transit
- Use encryption on all storage media (e.g., hard drives, cloud, USBs)
- Encrypt PHI during transmission (emails, lab or insurer communications)
Implement role-based access controls
- Grant access based on job roles
- Use multi-factor authentication to secure systems
Secure physical storage
- Lock paper files and devices in secure locations
- Use cameras, access controls, and safes for sensitive materials
Automate and monitor access logs
- Log who accessed PHI, when, and what they did
- Automate alerts for suspicious activity and review logs regularly
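As an added example (not code from the article or from Paubox), the Python sketch below shows how the two practices above fit together: a role-based access decision is made for every request, every attempt is written to an audit trail whether allowed or denied, and a review routine raises alerts on patterns worth a closer look. The roles, log fields, sample activity and alert thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed role-to-permission mapping (hypothetical roles and actions).
ROLE_PERMISSIONS = {
    "physician": {"read_record", "write_record"},
    "nurse": {"read_record"},
    "billing": {"read_billing"},
}

def check_access(role, action):
    """Role-based access decision: allowed only if the role grants the action."""
    return action in ROLE_PERMISSIONS.get(role, set())

def record_access(log, ts, user, role, action, patient_id):
    """Log every attempt, allowed or denied, so the audit trail is complete."""
    allowed = check_access(role, action)
    log.append({"ts": datetime.fromisoformat(ts), "user": user, "role": role,
                "action": action, "patient": patient_id,
                "outcome": "allowed" if allowed else "denied"})
    return allowed

def find_suspicious(log, max_patients=3, window=timedelta(minutes=10), max_denied=2):
    """Return {user: [reasons]} for repeated denials or many distinct patient
    records touched inside one time window (possible record browsing)."""
    alerts, by_user = defaultdict(list), defaultdict(list)
    for e in log:
        by_user[e["user"]].append(e)
    for user, entries in by_user.items():
        entries.sort(key=lambda e: e["ts"])
        denied = sum(1 for e in entries if e["outcome"] == "denied")
        if denied > max_denied:
            alerts[user].append(f"{denied} denied attempts")
        allowed = [e for e in entries if e["outcome"] == "allowed"]
        start = 0
        for end in range(len(allowed)):  # sliding window over allowed accesses
            while allowed[end]["ts"] - allowed[start]["ts"] > window:
                start += 1
            patients = {e["patient"] for e in allowed[start:end + 1]}
            if len(patients) > max_patients:
                alerts[user].append(f"{len(patients)} distinct patients in {window}")
                break
    return dict(alerts)

# Constructed sample activity (not real data): one normal user, one user whose
# role never permits record reads, and one reading many records in a few minutes.
SAMPLE = [
    ("2025-01-06T09:00:00", "drlee", "physician", "read_record", "P1"),
    ("2025-01-06T09:01:00", "drlee", "physician", "write_record", "P1"),
    ("2025-01-06T14:00:00", "bob", "billing", "read_record", "P2"),
    ("2025-01-06T14:00:30", "bob", "billing", "read_record", "P3"),
    ("2025-01-06T14:01:00", "bob", "billing", "read_record", "P4"),
    ("2025-01-06T22:00:00", "nurse1", "nurse", "read_record", "P5"),
    ("2025-01-06T22:01:00", "nurse1", "nurse", "read_record", "P6"),
    ("2025-01-06T22:02:00", "nurse1", "nurse", "read_record", "P7"),
    ("2025-01-06T22:03:00", "nurse1", "nurse", "read_record", "P8"),
]

def run_sample():
    """Replay the constructed activity and return the audit log plus alerts."""
    log = []
    for row in SAMPLE:
        record_access(log, *row)
    return log, find_suspicious(log)
```

In a real deployment the thresholds would be tuned per role and shift pattern, and the audit log would be written to append-only storage rather than an in-memory list.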
Perform regular risk assessments
- Identify vulnerabilities in storage, networks, and employee practices
- Reassess after system changes; document and address all risks
Train employees on PHI storage
- Educate staff on secure handling, password safety, and incident reporting
- Provide training annually and after policy changes
Back up PHI securely
- Schedule regular encrypted backups to off-site or cloud storage
- Test backups regularly and avoid storing them with original data
Properly dispose of PHI
- Shred paper records; wipe or destroy hard drives
- Use HIPAA compliant disposal vendors and retain disposal logs
See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)
FAQs
How long must PHI be retained?
HIPAA requires PHI to be retained for six years, though state laws may mandate longer periods.
Who is responsible for PHI stored by a vendor?
The covered entity is ultimately responsible. Ensure proper safeguards and a BAA are in place.