In 2023, OCR settled with a dental practice in New England for $50,000 after an investigation revealed that staff members were routinely sharing patient protected information through unencrypted personal email accounts. The practice had no written policies, no workforce training program, and no risk analysis on file. It was a small organization — fewer than ten employees — but OCR treated the violations the same way it treats lapses at major health systems. Size does not exempt you from HIPAA.
What Qualifies as Patient Protected Information Under HIPAA
The term "patient protected information" is commonly used in healthcare settings, but HIPAA's formal term is protected health information (PHI). Under 45 CFR §160.103, PHI includes any individually identifiable health information held or transmitted by a covered entity or its business associates. This covers data in any form — electronic, paper, or oral.
PHI includes 18 specific identifiers established by the Privacy Rule: names, dates of birth, Social Security numbers, medical record numbers, health plan beneficiary numbers, device identifiers, biometric data, and more. If health data can be linked to a specific individual, it qualifies as patient protected information and falls under HIPAA's full regulatory framework.
Healthcare organizations consistently struggle with recognizing PHI in less obvious contexts. A photograph taken in a clinical area, a voicemail containing test results, or even a scheduling spreadsheet stored on a shared drive — all of these can contain patient protected information that triggers HIPAA obligations.
The Privacy Rule Obligations Your Workforce Must Follow
The HIPAA Privacy Rule (45 CFR Part 164, Subpart E) establishes national standards for how covered entities and business associates use and disclose PHI. At its core, the rule requires that your organization limit access to patient protected information to only what is necessary for a given purpose — a concept known as the minimum necessary standard.
Your organization must also provide every patient with a Notice of Privacy Practices that explains how their PHI may be used, their rights under HIPAA, and how to file a complaint. This isn't optional or situational — it's a mandatory requirement for every covered entity under 45 CFR §164.520.
Patients have the right to request access to their records, ask for amendments, and receive an accounting of disclosures. OCR has made clear through multiple enforcement actions that delays or denials of patient access requests are among the most common — and most penalized — HIPAA violations. Since 2019, OCR's Right of Access Initiative alone has resulted in over 45 enforcement actions and millions in combined penalties.
Security Safeguards That Protect PHI From Breach
The HIPAA Security Rule (45 CFR Part 164, Subpart C) applies specifically to electronic protected health information (ePHI) and requires three categories of safeguards: administrative, physical, and technical. Together, these safeguards form the backbone of your organization's defense against unauthorized access to patient protected information.
Administrative safeguards include conducting a thorough risk analysis, assigning a security officer, and implementing workforce training programs. Physical safeguards cover facility access controls, workstation security, and device disposal. Technical safeguards address access controls, audit logging, encryption, and transmission security.
OCR enforcement data reveals that the most frequently cited deficiency in breach investigations is the failure to perform an adequate risk analysis. If your organization hasn't conducted or updated a risk analysis recently, you are operating with a compliance gap that regulators will identify.
Breach Notification: What Happens When Patient Protected Information Is Exposed
Under the Breach Notification Rule (45 CFR §§164.400–414), covered entities must notify affected individuals, the Secretary of HHS, and in some cases the media when unsecured PHI is compromised. For breaches affecting 500 or more individuals, notification to HHS must occur within 60 days and the incident is posted publicly on OCR's Breach Portal.
In my work with covered entities, I've seen organizations underestimate the reputational and financial impact of a breach. The average cost per breached healthcare record exceeded $400 in recent years according to IBM's annual data breach reports. Beyond the dollar figure, the loss of patient trust can take years to rebuild.
A strong incident response plan, combined with encryption and access controls, dramatically reduces both the likelihood and the regulatory consequences of a PHI exposure.
The Workforce Training Requirement Most Organizations Underestimate
Under 45 CFR §164.530(b), every covered entity must train all workforce members on HIPAA policies and procedures. This includes employees, volunteers, trainees, and any person whose conduct is under the organization's direct control — whether or not they are paid. Training must occur at onboarding and be reinforced periodically.
Yet many organizations treat HIPAA training as a one-time checkbox. OCR investigations routinely reveal outdated training materials, no documentation of completion, and entire departments that were never trained at all. Each of these gaps creates liability.
Investing in a structured HIPAA training and certification program ensures your workforce understands how to handle patient protected information correctly — from intake to disposal. Documented, role-based training is one of the strongest defenses you can present during an OCR audit or breach investigation.
Business Associate Accountability Under the Omnibus Rule
The 2013 Omnibus Rule extended direct HIPAA liability to business associates — any entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity. This includes EHR vendors, billing companies, cloud storage providers, shredding services, and IT contractors.
Your organization must have a signed Business Associate Agreement (BAA) with every qualifying vendor before sharing any patient protected information. Without a BAA, the disclosure itself constitutes a HIPAA violation — regardless of whether a breach actually occurs.
Regularly auditing your business associate relationships and ensuring current BAAs are in place is a compliance essential that many organizations neglect until it's too late.
Build a Culture That Protects Patient Information at Every Level
Protecting patient protected information is not a single policy or a one-time project. It requires ongoing risk analysis, up-to-date documentation, enforceable policies, and a workforce that understands both the rules and the consequences of noncompliance.
OCR's enforcement priorities continue to focus on right of access failures, risk analysis deficiencies, and insufficient workforce training. These are the areas where your organization should concentrate its compliance resources now.
Start by evaluating where your organization stands today. A comprehensive workforce HIPAA compliance program can close training gaps, establish documentation trails, and reduce your risk of a costly violation. The regulatory landscape isn't getting simpler — but your compliance program can be.