In February 2024, OCR announced a $4.75 million settlement with Montefiore Medical Center after a former employee stole the protected health information of over 12,000 patients — activity that went undetected for six months. The root cause wasn't a sophisticated cyberattack. It was a failure of basic safeguards: no audit controls, no access monitoring, no workforce accountability. If your organization hasn't recently evaluated how to protect PHI across every access point, this case should be your wake-up call.
How to Protect PHI Starts with Understanding What Counts
Protected health information includes any individually identifiable health data your covered entity or business associate creates, receives, maintains, or transmits. That includes obvious records like medical charts and billing statements, but also appointment schedules, verbal conversations, IP addresses tied to patient portal logins, and even photographs taken in clinical settings.
PHI exists in three states: at rest (stored on servers, in filing cabinets), in transit (emailed, faxed, transmitted electronically), and in use (displayed on a screen, discussed in a hallway). Every safeguard strategy must account for all three. Organizations that focus solely on electronic systems leave paper records and verbal disclosures completely unprotected.
Conduct a Risk Analysis Before You Do Anything Else
The HIPAA Security Rule at 45 CFR § 164.308(a)(1) requires every covered entity and business associate to perform a thorough risk analysis. This isn't optional, and it isn't a one-time checkbox. OCR has cited failure to conduct a comprehensive risk analysis in the majority of its enforcement settlements — it's the single most common deficiency.
Your risk analysis must identify every location where PHI is stored, received, maintained, or transmitted. It must assess the likelihood and impact of threats to that data. And it must be updated whenever your organization undergoes significant operational or technological changes — new EHR systems, cloud migrations, acquisitions, or remote work expansions.
Without this foundation, every other safeguard you implement is guesswork. You can't protect what you haven't inventoried.
Administrative Safeguards That Actually Reduce Risk
Administrative controls are the backbone of how to protect PHI in any healthcare organization. Under the Security Rule, these include designating a security official, implementing workforce training, and establishing access management policies.
Workforce training is required under 45 CFR § 164.530(b), yet it remains one of the most underestimated requirements. Every member of your workforce — employees, volunteers, trainees, and contractors under your direct control — must receive training on your HIPAA policies and procedures. This training must be documented and updated when material changes occur. A robust HIPAA training and certification program ensures your staff understands not just the rules, but how to apply them in daily operations.
The minimum necessary standard is another administrative safeguard that trips up organizations. Under the Privacy Rule, your workforce should access only the PHI needed to perform their job function. Role-based access controls, not blanket permissions, enforce this in practice.
Technical Safeguards Required by the Security Rule
Technical safeguards under 45 CFR § 164.312 address how your systems protect electronic PHI. These include:
- Access controls: Unique user IDs, emergency access procedures, automatic logoff, and encryption/decryption mechanisms.
- Audit controls: Hardware, software, and procedural mechanisms that record and examine activity in systems containing ePHI. The Montefiore case proved what happens when these are absent.
- Integrity controls: Mechanisms to confirm that ePHI hasn't been improperly altered or destroyed.
- Transmission security: Encryption for PHI sent over electronic networks. While encryption is listed as "addressable," OCR has made clear that organizations choosing not to encrypt must document an equivalent alternative — and few alternatives hold up under scrutiny.
Multi-factor authentication, while not explicitly named in the Security Rule, has become a de facto expectation in OCR enforcement guidance. If your clinicians are accessing patient records with just a password, your organization is behind.
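Audit controls only reduce risk if someone actually examines the records they produce. As an added example (not code from the original article), the Python below runs two review checks over constructed ePHI access audit lines: a per-role daily limit on distinct patient charts opened, and after-hours access by roles that only work daytime. The log format, role limits and working hours are assumptions to be replaced with your own baselines.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real data): timestamp,user,role,patient_id,action
AUDIT_LOG = """\
2024-03-01T08:02:11,jsmith,nurse,P1001,VIEW_CHART
2024-03-01T08:05:40,jsmith,nurse,P1002,VIEW_CHART
2024-03-01T09:14:27,dlee,billing,P1001,VIEW_BILLING
2024-03-01T22:41:05,rkhan,clerk,P2001,VIEW_CHART
2024-03-01T22:41:19,rkhan,clerk,P2002,VIEW_CHART
2024-03-01T22:41:33,rkhan,clerk,P2003,VIEW_CHART
2024-03-01T22:41:48,rkhan,clerk,P2004,VIEW_CHART
2024-03-01T22:42:02,rkhan,clerk,P2005,VIEW_CHART
2024-03-01T22:42:15,rkhan,clerk,P2006,VIEW_CHART
"""

# Assumed per-role baseline: most distinct charts a user in that role is
# expected to open in one day. Derive real values from your own audit history.
ROLE_DAILY_LIMIT = {"nurse": 40, "billing": 60, "clerk": 5}
# Assumed: these roles work daytime only, so night access is worth a look.
DAYTIME_ONLY_ROLES = {"billing", "clerk"}

def parse_log(text):
    """Parse CSV audit lines into dicts, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        ts, user, role, patient, action = parts
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "role": role, "patient": patient, "action": action})
    return records

def find_anomalies(records):
    """Return sorted (user, reason) pairs that a privacy officer should review."""
    distinct = defaultdict(set)   # (user, date) -> patient ids opened that day
    roles, findings = {}, set()
    for r in records:
        distinct[(r["user"], r["ts"].date())].add(r["patient"])
        roles[r["user"]] = r["role"]
        if r["role"] in DAYTIME_ONLY_ROLES and not 7 <= r["ts"].hour < 19:
            findings.add((r["user"], "after-hours access by daytime-only role"))
    for (user, day), patients in distinct.items():
        limit = ROLE_DAILY_LIMIT.get(roles[user], 0)
        if len(patients) > limit:
            findings.add((user, f"{len(patients)} distinct patients on {day} "
                                f"exceeds role limit {limit}"))
    return sorted(findings)
```

Calling `find_anomalies(parse_log(AUDIT_LOG))` flags only the clerk account, for both the volume and the after-hours rule; the nurse and billing users stay within their baselines.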
Physical Safeguards You Cannot Overlook
Physical safeguards at 45 CFR § 164.310 require facility access controls, workstation use policies, and device and media controls. In practice, this means locked server rooms, screen positioning that prevents unauthorized viewing, and documented procedures for disposing of devices that stored PHI.
Healthcare organizations consistently struggle with mobile device management. Laptops, tablets, and smartphones that access ePHI must be encrypted, remotely wipeable, and inventoried. The loss of a single unencrypted laptop has triggered breach notifications affecting hundreds of thousands of individuals — and multimillion-dollar settlements.
Business Associate Agreements Are Non-Negotiable
Your organization's PHI protection is only as strong as your weakest business associate. Under the Omnibus Rule, every vendor that creates, receives, maintains, or transmits PHI on your behalf must sign a business associate agreement (BAA) that specifies their safeguard obligations.
Review your BAAs annually. Confirm that business associates are conducting their own risk analyses. OCR holds covered entities accountable when they fail to obtain or enforce these agreements — regardless of whether the business associate actually caused a breach.
Breach Notification: Your Safety Net When Safeguards Fail
Even with strong protections, breaches happen. The Breach Notification Rule at 45 CFR §§ 164.400-414 requires your organization to notify affected individuals within 60 days of discovering a breach. Breaches affecting 500 or more individuals must also be reported to OCR and prominent media outlets.
Your incident response plan should be documented, tested, and known to your workforce before a breach occurs. Delayed notification is itself a HIPAA violation — and one OCR penalizes aggressively.
Build a Culture of PHI Protection Across Your Workforce
Policies alone don't protect PHI. People do. In my work with covered entities, the organizations with the fewest incidents are those that treat HIPAA compliance as an operational discipline, not an annual training event.
That means regular reminders about phishing threats, clear reporting channels for suspected violations, and leadership that models compliant behavior. Investing in comprehensive workforce HIPAA compliance transforms your staff from a vulnerability into your strongest safeguard.
Your Notice of Privacy Practices tells patients how you protect their information. Make sure your actual practices match what that document promises. OCR investigations often begin by comparing your NPP commitments against your operational reality.
The Cost of Getting PHI Protection Wrong
OCR's enforcement record speaks for itself. Between 2003 and 2024, the agency secured over $142 million in settlements and civil monetary penalties. The penalties range from $16,000 for unknowing violations to over $2 million per violation category per year for willful neglect.
But the real cost isn't just financial. Breaches erode patient trust, trigger state attorney general investigations, and generate class action lawsuits that dwarf OCR penalties. Learning how to protect PHI isn't just a regulatory exercise — it's an organizational survival strategy.
Start with your risk analysis. Train every member of your workforce. Enforce your technical and physical controls. And audit everything. That's not aspirational guidance — it's what the regulations require and what OCR expects to see when they come knocking.