PHI Protection Checklist: 14 Controls Every Healthcare Organization Should Have in Place

Why PHI Protection Cannot Be Left to Chance

Protected health information is one of the most targeted data types in existence. Healthcare organizations face relentless pressure from ransomware groups, insider threats, and opportunistic attackers who know that PHI commands a premium on criminal markets. OCR enforcement continues to escalate, and the financial penalties for inadequate PHI protection are no longer theoretical — they are operational liabilities that can permanently damage an organization's financial standing and reputation.

The HIPAA Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect electronic PHI. But the regulation intentionally leaves implementation details flexible, which creates a gap between what organizations think they have in place and what OCR expects to find during an audit.

This checklist identifies 14 controls that should be operational in every healthcare organization. If you cannot point to documented evidence of each one, your PHI protection posture has meaningful gaps. For organizations working through healthcare compliance programs or preparing for an OCR audit, this list serves as a practical starting point.

The 14 PHI Protection Controls

1. Completed and Current Security Risk Analysis

A documented security risk analysis is the foundational requirement of the HIPAA Security Rule and the most frequently cited deficiency in OCR enforcement actions. The analysis must identify where ePHI exists across your systems, evaluate threats and vulnerabilities, assess existing controls, and determine the probability and impact of potential breaches. This is not a one-time document — it must be reviewed and updated when operational or environmental changes occur.

2. Risk Management Plan with Documented Remediation

The risk analysis tells you what the risks are. The risk management plan tells you what you are doing about them. OCR expects to see a written plan that prioritizes identified risks and tracks remediation with timelines, owners, and status. A gap list with no action plan attached is not sufficient.

3. Workforce Access Controls Tied to Minimum Necessary Principle

Every workforce member should have access only to the PHI they need to perform their job functions. This means role-based access controls are configured in your EHR, billing systems, and any other platforms that store or process ePHI. Access provisioning and deprovisioning procedures should be documented, and access reviews should occur on a defined schedule — typically annually at minimum.

4. Automatic Logoff and Session Timeout Controls

Workstations and application sessions that access ePHI must be configured to automatically terminate or lock after a period of inactivity. This is a technical safeguard requirement under the HIPAA Security Rule and one that is frequently configured incorrectly or disabled by users without formal exception management.

5. Encryption of ePHI at Rest and in Transit

While HIPAA technically classifies encryption as an addressable rather than a required implementation specification, OCR has made clear through enforcement actions and guidance that organizations failing to implement encryption must document an equivalent alternative measure — a standard that is extremely difficult to meet in practice. In 2026, encryption at rest and in transit for all ePHI should be treated as required. This includes data stored in cloud environments, on laptops, on mobile devices, and transmitted via email or messaging platforms. Our team at Cleared Systems regularly helps healthcare clients navigate PHI protection across cloud, mobile, and remote work environments where encryption gaps are most common.

6. Audit Controls and Activity Logging

Your systems must log access to ePHI — who accessed what, when, and from where. Audit logs must be retained, reviewed on a scheduled basis, and protected from unauthorized modification. Many organizations collect logs but never review them, which satisfies the letter of the technical safeguard requirement but defeats its purpose entirely.

7. Integrity Controls for ePHI

HIPAA requires that ePHI not be improperly altered or destroyed. Integrity controls include hashing, checksums, version control, and file integrity monitoring tools that detect unauthorized modification. This control is particularly important for organizations managing clinical records where data accuracy directly affects patient safety.
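As an added illustration of items 6 and 7 (it is not code from the original post or from Cleared Systems), the following Python sketch shows one way an access log can record who, what, when and from where while remaining protected against silent modification: each entry is chained to the previous one by a SHA-256 hash, so a scheduled review pass detects an altered, deleted or reordered record. The field layout, user names and sample events are constructed for the example.

```python
"""Tamper-evident ePHI access log (added example, not from the original page).
Each entry carries the SHA-256 of the previous entry, so editing, deleting or
reordering an earlier record breaks the chain and is caught on review."""
import hashlib
import json

GENESIS = "0" * 64  # link value used by the very first entry

def _digest(entry: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so identical records always hash identically.
    data = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def append_access(log: list, user: str, record_id: str, action: str,
                  source_ip: str, when: str) -> dict:
    """Record one access event: who, what (record and action), when, and from where."""
    entry = {
        "seq": len(log), "user": user, "record": record_id, "action": action,
        "source_ip": source_ip, "time": when,
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    entry["hash"] = _digest(entry)  # computed before the 'hash' key exists
    log.append(entry)
    return entry

def verify_chain(log: list) -> tuple:
    """Recompute every hash and link. Returns (ok, index of first bad entry or -1).
    The latest hash should also be copied to write-once storage the log writer cannot
    alter; otherwise someone able to rewrite the whole file could rebuild the chain."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry.get("seq") != i or entry.get("prev") != prev or _digest(body) != entry.get("hash"):
            return False, i
        prev = entry["hash"]
    return True, -1

def demo() -> dict:
    """Constructed sample events (not real PHI), then an after-the-fact edit of entry 1."""
    log = []
    append_access(log, "nurse.jdoe", "MRN-000123", "view", "10.20.0.15", "2026-03-02T08:14:00Z")
    append_access(log, "dr.smith", "MRN-000123", "update", "10.20.0.31", "2026-03-02T08:20:00Z")
    append_access(log, "billing.kli", "MRN-000987", "view", "10.20.1.8", "2026-03-02T09:02:00Z")
    intact_before, _ = verify_chain(log)
    log[1]["user"] = "someone.else"  # an attempt to rewrite who performed the update
    intact_after, bad_index = verify_chain(log)
    return {"intact_before": intact_before, "intact_after": intact_after, "first_bad_entry": bad_index}
```

A real deployment would write the chain head to a separate, append-only store and have the scheduled review compare it against the live log; the chain alone only proves consistency, not that the file was never wholesale rewritten.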

8. Documented Sanctions Policy and Enforcement Record

You must have a written policy that defines consequences for workforce members who violate PHI protection policies. That policy must be applied consistently. OCR looks for evidence that sanctions were actually enforced, not just that a policy exists on paper. This includes contractors and business associates whose staff have access to your systems.

9. HIPAA-Compliant Business Associate Agreements

Every vendor, contractor, or service provider that creates, receives, maintains, or transmits ePHI on your behalf must have a current, executed Business Associate Agreement. BAA management has become a top OCR enforcement priority. Organizations frequently discover expired BAAs, BAAs with missing required provisions, or vendors performing PHI-related functions with no BAA in place. A thorough vendor inventory with corresponding BAA documentation is essential to a defensible PHI protection program.

10. Security Awareness Training Program

Workforce training is a required administrative safeguard under HIPAA. Annual training is the baseline, but OCR expects training content to be relevant and updated to address current threats — particularly phishing, social engineering, and ransomware. Training must be documented, including completion records for all workforce members. Annual HIPAA training alone is no longer sufficient given the frequency and sophistication of attacks targeting healthcare staff.

11. Contingency Plan with Tested Backup and Recovery Procedures

Your contingency plan must address data backup, disaster recovery, emergency mode operations, and testing and revision procedures. Many healthcare organizations have backup solutions in place but have never tested restoration. OCR expects documented evidence that backup and recovery procedures work. This is especially critical given the rise of ransomware attacks that specifically target and encrypt backup repositories.

12. Physical Safeguards for Facilities and Workstations

Physical access to areas where ePHI is accessed or stored must be controlled. This includes server rooms, workstation placement policies to prevent unauthorized viewing of PHI, device and media controls for hardware containing ePHI, and procedures for the secure disposal of devices. Physical safeguards are often underdocumented compared to technical controls, but they receive scrutiny during OCR compliance reviews.

13. Incident Response Plan with Breach Notification Procedures

HIPAA's Breach Notification Rule requires covered entities to notify affected individuals within 60 days of discovering a breach, notify HHS, and in some cases notify prominent media outlets. Your incident response plan must define what constitutes a breach under HIPAA, establish the four-factor risk assessment for determining whether notification is required, assign notification responsibilities, and include documented timelines. Organizations that confuse a general cybersecurity incident response plan with a HIPAA-compliant breach response plan frequently discover the gap at the worst possible moment.

14. HIPAA Compliance Documentation Package

HIPAA requires covered entities to maintain written documentation of their policies and procedures and retain that documentation for six years. This includes all of the above — risk analyses, risk management plans, access control policies, training records, audit logs, BAAs, sanctions policies, contingency plans, and incident response documentation. Organizations that operate without a structured documentation program cannot demonstrate compliance even when the underlying controls exist. Our HIPAA Compliance Documentation Toolkit provides ready-to-customize templates for every required policy and procedure, and the HIPAA Privacy and Security Compliance course for healthcare administrators gives compliance teams the knowledge foundation to maintain these controls effectively.

Common Gaps We See in Practice

When we conduct assessments of healthcare organizations, the most frequently identified PHI protection deficiencies cluster around a few predictable areas:

  • Incomplete or outdated risk analyses that have not been updated after system migrations, acquisitions, or changes to ePHI workflows
  • Undocumented access reviews where role-based access exists in theory but has never been formally audited
  • Missing or expired BAAs, particularly with cloud service providers, IT support vendors, and billing services
  • Untested contingency plans where backups are assumed to work but restoration has never been validated
  • Training gaps for contractors, temporary staff, and remote workers who access ePHI but are excluded from formal training programs

Each of these gaps represents real enforcement exposure. OCR's resolution agreements consistently involve deficiencies in these exact areas. A structured compliance program development engagement addresses these systematically rather than reactively.

A Note on Addressable vs. Required Specifications

Healthcare compliance managers sometimes interpret HIPAA's addressable specifications as optional. They are not. Addressable means that if you do not implement the specification, you must document why the specification is not reasonable and appropriate and implement an equivalent alternative measure. In practice, alternatives are difficult to justify for most addressable specifications, including encryption, automatic logoff, and audit controls. Treat them as required unless your legal and compliance counsel have documented a defensible rationale for an alternative approach.

Organizations managing complex risk environments across multiple locations or business units benefit from an independent assessment. Our Federal and SLED risk assessment services apply structured methodologies to identify gaps before OCR does, and our Regulatory vCISO services provide the sustained compliance leadership that keeps PHI protection programs current as regulations and threats evolve.

Take the Next Step

PHI protection is not a project with a completion date — it is an ongoing program that requires documented controls, regular review, and leadership commitment. If your organization cannot point to current, tested documentation for each of the 14 controls in this checklist, the gap between your current posture and your compliance obligation is measurable and addressable. Contact the team at Cleared Systems to schedule a HIPAA compliance assessment or discuss how our services can help you build a defensible PHI protection program. Request a quote today and let us help you close the gaps before they become enforcement actions.
