Best Practices for Protecting Patient Health Information


December 15, 2017

Technology is supposed to make life easier. This is largely why the transition from paper to electronic health records became a requirement in 2011. However, it's evident the integration of technology has posed new challenges in protecting patient health information (PHI), as required by the Health Insurance Portability and Accountability Act (HIPAA). 

According to Kathryn Wickenhauser (1), a regulatory compliance advisor with DataFile Technologies, technology has posed two special challenges:

  • preventing HIPAA violations and breaches due to human error; and
  • protecting information from hackers.

In light of these challenges, we've shared the following best practices for covered entities looking to further protect PHI. Incorporating these practices can mean the difference between Health and Human Services (HHS) giving you a thumbs up and hitting you with a fraud or abuse determination after your next audit.


Create a Compliance Plan

If your institution has five or more clinicians, you will have at least one inadvertent disclosure of PHI every year. HHS's determination in that case will depend on whether you have a compliance plan in place.

All employees should be aware of the compliance plan and be sure to follow it. Its contents can simply mirror the HHS Security Guidelines (2), or you can additionally include some of our suggestions below. Either way, if you don't already have a compliance plan in place, make one now.

Have Employees Double-Check the Fax Number

One of the most common mistakes that leads to a HIPAA violation or breach is miskeying a fax number. While this is simply human error, you can prevent information from being sent to the wrong fax recipient by:

  • Notifying employees that a miskeyed fax is one of the most common ways HIPAA violations and breaches occur.
  • Posting a sign by the fax machine instructing employees to double-check the fax number against the number on the patient authorization sheet before pressing 'Send'.
  • Making double-checking the fax number an official part of the compliance plan.

Audit Uploaded Files

Another common mistake that leads to a HIPAA violation or breach is misfiling information in patient files. For instance, when scanning and uploading information, someone can inadvertently upload it to the wrong patient's file. Then, when fulfilling an information request, the whole file can get sent along, containing the wrong patient's information.

As suggested by Kathryn Wickenhauser, one way to prevent this situation is to audit the file for accuracy. While time will not permit auditing the whole file, employees can at least check the first and last page, as well as a random 20% sample of the file's contents.

Encrypting Information 

Covered entities have been strategizing ways to protect information against hackers, who have increasingly been infiltrating systems to get PHI (3). What HHS will consider adequate measures going forward depends on the size and resources of the institution. However, at the very least, information that is emailed or handed over to a patient on a USB drive or similar device should be encrypted. Encryption prevents outside hackers from gaining access to that patient information, whether the hacker is on your system or the patient's.

Making a "Reasonable and Appropriate" Determination

HHS requires that your security measures be "reasonable and appropriate." (4) This rule takes into account that not all security measures are appropriate for every covered entity, since covered entities vary greatly in size, function, and resources. For instance, a solo practice is unlikely to have full-time IT staff to set up anti-hacking security measures the way an insurance company would. However, that doesn't mean the solo practitioner shouldn't do anything, such as installing a $25 anti-virus software program.

Thus, what you do, and don't do, should go through that reasonable and appropriate determination. That way, in the event of a HIPAA violation or breach, you can easily justify to HHS why you did not use certain resources.

When There's a Breach, Revisit Your Compliance Plan

If a breach does occur, you'll need to revisit your compliance plan to determine whether there is anything else you can reasonably do to prevent future breaches. The goal is always to ensure a low probability that PHI will be compromised, or what the industry calls LowProCo.

If you're interested in more information on HIPAA compliance, or want other information on best business practices, contact us at Lorman Education Services. 


(1) Shannon Geis, "Does your practice know what to do when protected information gets in the wrong hands?" MGMA. August 29, 2017. Available at

(2) HHS, "Guidance on Risk Analysis Requirements under the HIPAA Security Rule." Available at

(3) Total HIPAA Compliance, "How HIPAA Can Help Deter Hackers." August 2, 2016. Available at

(4) HHS, "HIPAA Basics for Providers: Security, Breach, and Notification Rules." Available at
