Protecting patient health information in the workplace involves employees following practical measures so that a covered entity remains compliant. Below are ten HIPAA-compliant tips for protecting patient protected health information (PHI) in the healthcare workplace.

  1. Take steps to minimize the risk of unauthorized access by implementing access controls 
  2. Provide training on PHI handling for employees who perform healthcare administrative functions 
  3. Be mindful of when patient written authorization is required 
  4. Back up your data
  5. Implement firewalls
  6. Take steps to secure “paper PHI,” by stowing it (i.e., by placing it in a drawer or folder when it is not being used)
  7. Never leave paper PHI unattended
  8. Encrypt mobile devices
  9. Ensure passwords are not shared between co-workers
  10. Keep antivirus and antimalware software up-to-date
Protecting PHI

How Do I Protect Patient Health Information in the Workplace?

Tip #1 for protecting patient health information in the workplace: Access controls ensure that patient protected health information is accessed only by those employees who perform HIPAA-covered transactions.

Tip #2 for protecting patient health information in the workplace: Both the HIPAA Privacy Rule and the HIPAA Security Rule have training requirements. The HIPAA Privacy Rule training requirement is at 45 CFR § 164.530(b)(1). A covered entity must train all members of its workforce on its policies and procedures with respect to protected health information. Training must be provided to each new workforce member within a reasonable period of time after the person joins the workforce. Workforce members must also be trained if their functions are affected by a material change in the covered entity’s Privacy Rule policies and procedures.

The HIPAA Security Rule training requirement is an administrative safeguard at 45 CFR § 164.308(a)(5). The Security Rule requires covered entities to implement a security awareness and training program for all workforce members. 

Tip #3: Written authorization from a patient is required when a covered entity seeks to use or disclose psychotherapy notes, substance abuse disorder records, or treatment records, and when it seeks to use or disclose PHI for marketing purposes.

Tip #4: HIPAA imposes data backup requirements, and ePHI should be backed up periodically. It is also good practice to keep periodic backups on hardware such as flash drives and external hard drives (such media should itself be encrypted, like any portable device holding ePHI), and to copy data to the cloud as it is modified. This redundancy ensures critical information remains readily available. If feasible, covered entities should keep backups in multiple locations.

Tip #5: Firewalls are essential to keeping electronic protected health information (ePHI) from being improperly accessed or destroyed. Proper firewall use helps ensure that a covered entity’s network does not fall victim to unauthorized access that might compromise the confidentiality, integrity, or availability of ePHI.

Tip #6: Protected health information recorded in paper form must be secured. Employees should immediately report all incidents that may involve the loss or theft of such paper records. Medical records and PHI must be located and used so as to minimize incidental disclosure of PHI.

Tip #7: “Paper PHI” should never be left unattended. Extra care must be taken when patient charts are temporarily transported to a patient’s home. These charts should be secured both while en route and while temporarily stored at the workforce member’s home.

Tip #8: Encrypting mobile devices protects the ePHI stored on them from being read if a device is lost, stolen, or otherwise accessed by an unauthorized party. Mobile devices should also be password-protected, and should connect only to a designated Wi-Fi network secured with WPA2.

Tip #9: Employees should never share passwords. Default passwords should be changed immediately after a new application is assigned. Passwords should not be reused across different systems, and they should be changed as soon as they are known to be compromised.

Tip #10: Keeping antivirus and antimalware software current is of vital importance. Software updates and patches should be applied promptly to keep networks secure and patient privacy protected.