PHI in transit consists of either paper documents or records, or portable media and devices. The physical safeguard provisions of the HIPAA Security Rule require covered entities to protect any portable media or devices, whether permanently stationed or in transit. The HIPAA Privacy Rule also requires covered entities to implement physical safeguards to protect all forms of PHI, including any paper records containing PHI, including HIPAA paper documents. Transporting PHI therefore implicates aspects of both the HIPAA Privacy Rule and the HIPAA Security Rule.

Transporting PHI HIPAA

Transporting PHI: Some Common Sense Rules

Transporting PHI – whether in the form of medical records, documents or portable media devices – involves applying some commonsense principles. 


Transporting “paper PHI” safely, consists of covered entities implementing the following Privacy Rule measures:

  • Use an envelope or accordion folder to prevent PHI from being exposed to public view or to view by individuals without authorization
  • Label, number, or log boxes, to prevent them from being misplaced
  • When transporting PHI on a cart, place the records in secure containers, and cover the records
  • If it is reasonable and appropriate to do so, implement environmental controls, which can include:
    • 24/7 monitoring,
    • Logged surveillance cameras, and 
    • multiple alarm systems


Is your organization protected against breaches? Download the free cybersecurity eBook to get tips on how to protect your patient information.

PHI stored on portable media and devices is often physically transported to and from facilities or locations. When transporting PHI stored on portable media and devices, covered entities should take the following Security Rule measures:

  • Never leave PHI, thumb drives, laptops or other portable electronic devices unattended, even temporarily, including in front of buildings or in hallways
  • Ensure employees who work from home keep portable electronic devices away from others in the home environment, so that the devices cannot be viewable to anyone other than the employee
  • Minimize exposure of PHI stored on portable media to public or vulnerable areas
  • Encrypt USB drives
  • Keep electronic hardware that stores or accesses ePHI such as servers in secure areas or locked rooms before and after transportation
  • Do not store portable media and devices containing PHI in a vehicle that is unattended. Even if the vehicle is locked while it is unattended, there is still a risk of theft. Try to avoid storage of PHI in vehicles altogether
  • Before data is transported, implement two-factor authentication for VPN access. Doing so will reduce the risk of unauthorized access