How to protect and secure protected health information (PHI)

Protecting PHI involves implementing administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of individuals' health information. This includes measures like secure access controls, encryption, employee training, regular risk assessments, and compliance with regulations such as HIPAA to prevent unauthorized access, use, or disclosure of sensitive health data.

What is PHI?

Before implementing protections, organizations must first understand what constitutes PHI.

Protected health information (PHI) is any health-related data that can be used to identify an individual and is created, used, or disclosed in the course of providing healthcare services. Under the Health Insurance Portability and Accountability Act (HIPAA) in the United States, PHI includes 18 types of identifiers combined with health information. These identifiers include:

• Names
• Addresses (including ZIP code)
• Dates (birth, discharge, death, etc.)
• Telephone and fax numbers
• Email addresses
• Social Security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers
• Device identifiers and serial numbers
• Web URLs
• IP addresses
• Biometric identifiers (fingerprints, voiceprints)
• Full-face photos and comparable images
• Any other unique identifying number, code, or characteristic

PHI can exist in any form: paper, electronic, or spoken. When PHI is stored or transmitted electronically, it's called ePHI (electronic PHI).

Go deeper: What are the 18 PHI identifiers?

Protecting PHI

Implement access controls

Access control is a foundational security measure. Not every employee should have access to all PHI. “Access controls provide users with rights and/or privileges to access and perform functions using information systems, applications, programs, or files. Access controls should enable authorized users to access the minimum necessary information needed to perform job functions. Rights and/or privileges should be granted to authorized users based on a

set of access rules that the covered entity is required to implement as part of § 164.308(a)(4), the Information Access Management standard under the Administrative Safeguards

section of the Rule,” writes the HHS. 

Best practices include:

• Role-based access control (RBAC): Grant access based on job functions (e.g., billing staff vs. clinical staff).
• Least privilege principle: Users get only the access necessary to perform their tasks.
• User authentication: Require strong passwords, two-factor authentication (2FA), and regular updates.
• Audit trails: Monitor who accesses what data and when, to detect and respond to suspicious activity.

Use encryption and secure transmission

In December 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) released a Notice of Proposed Rulemaking (NPRM) to introduce changes in the HIPAA Security Rule. Under the updated Rule, organizations are now required to implement data encryption. 

Data encryption helps prevent unauthorized access, especially for ePHI stored or transmitted electronically.

Steps to take:

• Encrypt PHI at rest: Use encryption for databases, servers, cloud storage, and even backup files.
• Encrypt PHI in transit: Use secure protocols like TLS (Transport Layer Security) when sending data over networks or email.
• Email security: Use HIPAA compliant email services (e.g., Paubox) that offer automatic, seamless encryption by default.

Encryption ensures that even if data is intercepted or stolen, it remains unreadable to unauthorized users.

Secure physical environments

To account for physical forms of PHI, the HIPAA Security Rule includes physical safeguards designed to protect electronic systems, equipment, and the data they contain from unauthorized physical access, tampering, and theft. Under the HHS, the physical safeguards are defined as the “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”

Recommendations:

• Lockable storage: Secure paper records in locked cabinets.
• Surveillance: Use security cameras and controlled access to rooms where PHI is stored.
• Badge access: Limit entry to authorized personnel.
• Shred and dispose securely: Use secure shredding services for old documents and hard drives.

Provide regular HIPAA and security training

According to the Ponemone Institute, human error causes 78% of data breaches. “While technologies are important in data protection, so is it critical for organizations to reduce the risk of employee negligence or maliciousness through policies, training, monitoring and enforcement,” writes Ponemone.

Training topics to cover:

• HIPAA Privacy and Security Rules
• Identifying and reporting phishing emails
• Password management
• Device security (e.g., not leaving laptops unattended)
• Recognizing and reporting suspicious behavior

Training should be conducted annually at a minimum, with additional sessions when new policies or technologies are introduced.

Go deeper: What does HIPAA training look like in 2025

Perform regular risk assessments

The administrative safeguards of the HIPAA Security Rule requires regulated entities to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

A HIPAA risk assessment helps identify vulnerabilities in how PHI is handled, stored, and transmitted. It also helps determine the probability of occurrence and magnitude of risks.

Learn more: How to perform a risk assessment

Develop and enforce policies and procedures

The HIPAA Security Rule under § 164.316 requires HIPAA-regulated entities “implement reasonable and appropriate policies and procedures to comply with the standards.” These written policies and procedures ensure consistent practices across an organization. They also demonstrate HIPAA compliance during audits.

Examples include:

• PHI access and use policy
• Data retention and destruction policy
• Device usage policy (e.g., for mobile phones or remote work)
• Breach notification and response plan

Ensure that all employees read, understand, and sign these policies, and update them regularly.

Read more: How to develop HIPAA compliance policies and procedures

Protect mobile devices and remote access

The increase in remote work and mobile healthcare apps, mobile devices pose a unique security challenge.

Tips to secure mobile access:

• Use Mobile Device Management (MDM): Enforce security settings like screen lock, encryption, and remote wipe.
• Limit PHI on devices: Avoid storing PHI locally unless absolutely necessary.
• Secure Wi-Fi connections: Require VPNs or encrypted networks for remote access.
• Educate on BYOD policies: Ensure personal devices meet security requirements before accessing PHI.

Read also: HIPAA and mobile devices

Maintain secure backups and disaster recovery plans

Data loss due to hardware failure, natural disasters, or cyberattacks can compromise PHI and interrupt patient care. To mitigate this, HIPAA’s administrative safeguards require organizations to “establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.”

Best practices:

• Automated backups: Back up data frequently and verify backup integrity.
• Disaster recovery plan (DRP): Include procedures to restore PHI access quickly and securely in emergencies.

Read also: How to develop a backup and recovery plan

Manage third-party vendors carefully

“The HIPAA Rules generally require that covered entities and business associates enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information.  The business associate contract [agreement] also serves to clarify and limit, as appropriate, the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate,” writes the HHS. 

Vendor management best practices include:

• Sign business associate agreements (BAAs): A legal requirement under HIPAA.
• Vet vendors thoroughly: Ask about their security practices and history of breaches.
• Monitor and audit: Ensure vendors maintain security through periodic reviews and audits.
• Limit data sharing: Only share the minimum PHI necessary for the vendor to perform their function.

Monitor systems continuously

Monitoring helps detect breaches and vulnerabilities before they escalate.

Strategies include:

• Intrusion detection systems (IDS): Monitor for suspicious activity.
• Log analysis: Review access and error logs regularly.
• Security information and event management (SIEM): Use automated tools for real-time alerts and threat detection.
• Patch management: Apply software updates and security patches promptly.

Early detection is key to preventing widespread data loss and ensuring compliance.

Plan for breach response and reporting

Despite best efforts, breaches can still occur. A clear response plan minimizes damage and ensures compliance with reporting regulations.

Steps to include:

• Immediate containment: Stop the breach from spreading.
• Assessment: Determine what PHI was accessed or lost.
• Notification: Notify affected individuals within 60 days, as required by HIPAA.
• Report to HHS: Submit a breach report to the U.S. Department of Health and Human Services if necessary.
• Post-incident review: Identify what went wrong and update policies to prevent recurrence.

Having a response plan in place shows regulators and patients that your organization takes privacy seriously.

FAQS

Who is responsible for protecting PHI?

Covered entities and their business associates are responsible for protecting PHI under HIPAA regulations.

What are the main types of safeguards required by HIPAA to safeguard PHI?

HIPAA requires three categories of safeguards:

• Administrative safeguards 
• Physical safeguards 
• Technical safeguards