PHI Protection Requirements Under HIPAA: What Covered Entities and Business Associates Must Do

What PHI Protection Actually Requires in Practice

Protected health information is among the most regulated categories of data in the United States. If your organization creates, receives, maintains, or transmits PHI, the Health Insurance Portability and Accountability Act imposes specific, enforceable obligations that go far beyond basic data hygiene. The Office for Civil Rights does not grade on a curve, and recent enforcement trends confirm that both covered entities and their business associates are being held to increasingly rigorous standards.

This post cuts through the complexity and explains what PHI protection actually requires, who bears responsibility under HIPAA, and where organizations consistently fall short. If you serve the healthcare industry or contract with organizations that do, this is not optional reading.

Who Is Covered: Entities and Business Associates Defined

HIPAA's PHI protection requirements apply to two distinct categories of organizations. Understanding which category you fall into determines your specific obligations.

Covered Entities

A covered entity is any healthcare provider that transmits health information electronically, a health plan, or a healthcare clearinghouse. This includes hospitals, physician practices, dental offices, pharmacies, insurance carriers, and Medicare and Medicaid programs. If you bill electronically or exchange clinical data, you are almost certainly a covered entity.

Business Associates

A business associate is any vendor, contractor, or service provider that creates, receives, maintains, or transmits PHI on behalf of a covered entity. This includes billing companies, cloud hosting providers, EHR vendors, managed IT service providers, and consultants who access PHI in the course of their work. Business associates are directly liable under HIPAA, not just through contract flow-down. The 2013 Omnibus Rule made that explicit, and OCR enforcement has followed.

Business associates must also manage their own downstream vendors, called subcontractors, through executed Business Associate Agreements. The chain of accountability runs deep. Understanding what your vendors are actually required to do under HIPAA is an essential step most organizations underinvest in.

The Three Pillars of PHI Protection Under HIPAA

HIPAA organizes PHI protection requirements into three categories of safeguards. Each carries specific required and addressable implementation specifications.

Administrative Safeguards

Administrative safeguards are the policies, procedures, and management activities that govern how your organization protects PHI. They represent the foundation of your compliance program. Required elements include:

  • Security Management Process: You must conduct a thorough, documented risk analysis and implement a risk management program to reduce identified vulnerabilities to a reasonable and appropriate level. This is the single most cited deficiency in OCR investigations.
  • Assigned Security Responsibility: A designated security official must be identified and accountable for HIPAA security compliance across the organization.
  • Workforce Training and Sanctions: All workforce members who access PHI must receive appropriate training, and your organization must enforce sanctions for violations.
  • Contingency Planning: Data backup, disaster recovery, and emergency mode operation plans must be documented and tested.
  • Evaluation: Periodic technical and non-technical evaluations of your security program are required, particularly when operational or environmental changes occur.

Physical Safeguards

Physical safeguards govern access to the physical locations and devices where PHI is stored or processed. Requirements include:

  • Facility Access Controls: Policies must limit physical access to systems containing PHI to authorized individuals only. Visitor controls, escort procedures, and facility security plans are part of this requirement.
  • Workstation Use and Security: Policies must define appropriate workstation use and implement physical safeguards such as privacy screens and positioning to prevent unauthorized viewing.
  • Device and Media Controls: Procedures must govern the receipt, removal, movement, and disposal of hardware and electronic media containing PHI, including documented media sanitization and destruction.

Technical Safeguards

Technical safeguards address the technology and related policies that protect PHI and control access to it. Required and addressable specifications include:

  • Access Controls: Unique user identification, emergency access procedures, automatic logoff, and encryption and decryption capabilities. The regulation designates some of these as required specifications and the rest as addressable; for addressable specifications, your documented risk analysis determines how they are implemented in your environment.
  • Audit Controls: Hardware, software, and procedural mechanisms must record and examine activity in systems that contain or use PHI.
  • Integrity Controls: Measures must ensure PHI is not improperly altered or destroyed, including electronic mechanisms to authenticate PHI where appropriate.
  • Transmission Security: PHI transmitted over electronic communications networks must be protected against unauthorized interception. Encryption is an addressable specification, but in most environments the risk analysis leaves no reasonable alternative, making it effectively required.

Understanding how data loss prevention tools support these technical requirements is increasingly important as organizations move PHI into cloud and hybrid environments.

The HIPAA Privacy Rule: PHI Use and Disclosure Restrictions

The Security Rule governs electronic PHI. The Privacy Rule applies to all forms of PHI, including oral and paper records. Together they define the comprehensive framework for PHI protection.

Under the Privacy Rule, covered entities may only use or disclose PHI in specific circumstances: with valid patient authorization, for treatment, payment, and healthcare operations purposes, or under the specific permitted disclosures defined in the regulation. Any other use or disclosure is prohibited unless the patient has given explicit authorization.

Required Privacy Rule implementations include:

  • A Notice of Privacy Practices distributed to patients and posted prominently
  • Documented policies covering minimum necessary use of PHI
  • Patient rights processes for access, amendment, and restriction requests
  • Accounting of disclosures records for non-routine disclosures
  • A designated Privacy Official responsible for policy development and complaints

Reviewing the full breakdown of Privacy Rule requirements for covered entities is a practical starting point for organizations building or auditing their compliance programs.

Breach Notification: When PHI Protection Fails

Even with robust safeguards in place, breaches occur. HIPAA's Breach Notification Rule imposes strict requirements when unsecured PHI is impermissibly used or disclosed. The presumption under current rules is that any impermissible access is a reportable breach unless the covered entity can demonstrate a low probability that PHI was compromised through a documented four-factor risk assessment.

Notification timelines are fixed:

  1. Affected individuals must be notified without unreasonable delay and no later than 60 days from discovery.
  2. HHS must be notified. Breaches affecting 500 or more individuals in a state require simultaneous notification to prominent media outlets.
  3. Business associates must notify covered entities of breaches without unreasonable delay and no later than 60 days from discovery by the business associate.

Failure to meet these timelines has resulted in multi-million dollar settlements. The importance of having a tested incident response plan cannot be overstated. Organizations that have not reviewed the breach response timeline requirements in detail are operating with unnecessary exposure.

Where Organizations Most Commonly Fall Short

In our work with covered entities and business associates across the healthcare sector, the same gaps appear repeatedly:

  • Inadequate or missing risk analysis: Many organizations perform a cursory review and call it complete. OCR expects a thorough, enterprise-wide analysis that identifies specific threats, vulnerabilities, and the likelihood and impact of each.
  • Business Associate Agreement gaps: Outdated agreements, missing agreements with new vendors, or BAAs that do not reflect current regulatory requirements are among the most common findings.
  • Untested contingency plans: Backup and recovery plans exist on paper but have not been tested under realistic conditions.
  • Insufficient workforce training: Annual checkbox training does not constitute adequate workforce training under HIPAA. Role-specific training tied to actual job functions is the standard OCR expects.
  • Encryption decisions not documented: When organizations choose not to encrypt, that decision must be documented with supporting rationale. Undocumented decisions create significant audit exposure.
  • No monitoring of audit logs: Technical safeguards require audit controls, but many organizations collect logs without reviewing them for anomalies or unauthorized access patterns.

Our HIPAA Compliance Documentation Toolkit provides a structured starting point for organizations building or updating their documentation baseline.

Building a Sustainable PHI Protection Program

PHI protection is not a one-time project. It is a continuous management function. Organizations that treat HIPAA compliance as an annual exercise rather than an ongoing operational discipline consistently underperform when OCR comes knocking.

A sustainable program requires annual risk analysis updates, regular policy reviews, periodic workforce training, tested incident response procedures, and active oversight of business associates. For organizations that lack dedicated compliance or security leadership, Regulatory vCISO services can provide the structured oversight and executive accountability that compliance programs require without the cost of a full-time hire.

For organizations that need to build or rebuild their program from the ground up, our Compliance Program Development service provides the roadmap, documentation, and expert guidance to get there efficiently and durably.

Take the Next Step Toward Defensible PHI Protection

PHI protection failures are not just regulatory problems. They are operational and reputational ones. OCR enforcement is active, penalties are substantial, and the cost of remediation after a breach far exceeds the investment in prevention. If your organization needs an honest assessment of where your HIPAA compliance program stands, Cleared Systems is ready to help. Request a quote today and let our team identify the gaps before OCR does.
