Protecting PHI involves implementing administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of individuals' health information. This includes measures like secure access controls, encryption, employee training, regular risk assessments, and compliance with regulations such as HIPAA to prevent unauthorized access, use, or disclosure of sensitive health data.
Before implementing protections, organizations must first understand what constitutes PHI.
Protected health information (PHI) is any health-related data that can be used to identify an individual and is created, used, or disclosed in the course of providing healthcare services. Under the Health Insurance Portability and Accountability Act (HIPAA) in the United States, PHI includes 18 types of identifiers combined with health information. These identifiers include:
PHI can exist in any form: paper, electronic, or spoken. When PHI is stored or transmitted electronically, it's called ePHI (electronic PHI).
Go deeper: What are the 18 PHI identifiers?
Access control is a foundational security measure. Not every employee should have access to all PHI. “Access controls provide users with rights and/or privileges to access and perform functions using information systems, applications, programs, or files. Access controls should enable authorized users to access the minimum necessary information needed to perform job functions. Rights and/or privileges should be granted to authorized users based on a
set of access rules that the covered entity is required to implement as part of § 164.308(a)(4), the Information Access Management standard under the Administrative Safeguards
section of the Rule,” writes the HHS.
Best practices include:
In December 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) released a Notice of Proposed Rulemaking (NPRM) to introduce changes in the HIPAA Security Rule. Under the updated Rule, organizations are now required to implement data encryption.
Data encryption helps prevent unauthorized access, especially for ePHI stored or transmitted electronically.
Steps to take:
Encryption ensures that even if data is intercepted or stolen, it remains unreadable to unauthorized users.
To account for physical forms of PHI, the HIPAA Security Rule includes physical safeguards designed to protect electronic systems, equipment, and the data they contain from unauthorized physical access, tampering, and theft. Under the HHS, the physical safeguards are defined as the “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
Recommendations:
According to the Ponemone Institute, human error causes 78% of data breaches. “While technologies are important in data protection, so is it critical for organizations to reduce the risk of employee negligence or maliciousness through policies, training, monitoring and enforcement,” writes Ponemone.
Training topics to cover:
Training should be conducted annually at a minimum, with additional sessions when new policies or technologies are introduced.
Go deeper: What does HIPAA training look like in 2025
The administrative safeguards of the HIPAA Security Rule requires regulated entities to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
A HIPAA risk assessment helps identify vulnerabilities in how PHI is handled, stored, and transmitted. It also helps determine the probability of occurrence and magnitude of risks.
Learn more: How to perform a risk assessment
The HIPAA Security Rule under § 164.316 requires HIPAA-regulated entities “implement reasonable and appropriate policies and procedures to comply with the standards.” These written policies and procedures ensure consistent practices across an organization. They also demonstrate HIPAA compliance during audits.
Examples include:
Ensure that all employees read, understand, and sign these policies, and update them regularly.
Read more: How to develop HIPAA compliance policies and procedures
The increase in remote work and mobile healthcare apps, mobile devices pose a unique security challenge.
Tips to secure mobile access:
Read also: HIPAA and mobile devices
Data loss due to hardware failure, natural disasters, or cyberattacks can compromise PHI and interrupt patient care. To mitigate this, HIPAA’s administrative safeguards require organizations to “establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.”
Best practices:
Read also: How to develop a backup and recovery plan
“The HIPAA Rules generally require that covered entities and business associates enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information. The business associate contract [agreement] also serves to clarify and limit, as appropriate, the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate,” writes the HHS.
Vendor management best practices include:
Monitoring helps detect breaches and vulnerabilities before they escalate.
Strategies include:
Early detection is key to preventing widespread data loss and ensuring compliance.
Despite best efforts, breaches can still occur. A clear response plan minimizes damage and ensures compliance with reporting regulations.
Steps to include:
Having a response plan in place shows regulators and patients that your organization takes privacy seriously.
Covered entities and their business associates are responsible for protecting PHI under HIPAA regulations.
HIPAA requires three categories of safeguards: