← All posts

HIPAA and Unprotected PHI: Where Patient Data Hides on Your PCs

April 22, 2026 · admin@myvaultmate.com

HIPAA's Security Rule requires covered entities and business associates to know where electronic protected health information (ePHI) lives and to safeguard it. Yet for most small practices, the biggest gap isn't the EHR — it's the loose copies of patient data scattered across staff PCs.

Common PHI hiding spots

  • Scanned intake forms saved to a Desktop or Downloads folder and never deleted.
  • Billing spreadsheets with names, dates of birth, and insurance IDs.
  • Email attachments from referrals or labs, auto-synced to OneDrive.
  • Faxes-to-PDF dropped into a shared drive "temporarily."
  • Old backups on an external USB disk in a desk drawer.

Why this matters under HIPAA

The HHS Office for Civil Rights expects a documented, current risk analysis covering all ePHI — not just the systems you remember. Unaccounted-for PHI on an unencrypted laptop is exactly the scenario behind a large share of reported breaches and six-figure settlements.

A practical path to control

Start with discovery. Scan every endpoint for health-record patterns and direct identifiers, rank the findings by severity, and remediate the worst exposures first: delete what you don't need, move what you do into encrypted, access-controlled storage, and document the whole process. Repeat on a schedule so new copies don't quietly reaccumulate.

Discovery is the part teams skip because it feels impossible to do by hand. Automating it across the whole organization is what makes ongoing HIPAA compliance realistic for a small team.