Digital clinical records have replaced paper charts in most practices, and with that shift comes a fundamentally different security landscape. A locked file cabinet protected paper records from physical theft. Digital records face a broader threat surface: network attacks, device theft, unauthorized access, vendor breaches, and inadvertent disclosure. Clinicians who understand these risks and take practical protective steps can maintain the same level of confidentiality electronically that good record-keeping practices provided in paper form — and in many ways, stronger protection.
Device Security: The Foundation of Digital Confidentiality
Every device you use to access or create clinical records must be secured. Full-disk encryption ensures that if a device is stolen, the data on it cannot be read without the encryption key. On macOS, enable FileVault. On Windows, enable BitLocker. On mobile devices, ensure encryption is enabled (modern iOS and Android devices encrypt by default when a strong passcode is set).
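An added example, not part of the original article: one way to confirm that full-disk encryption is actually protecting a device rather than merely switched on. It interprets the output of fdesetup status (macOS) and manage-bde -status (Windows) and treats an unfinished FileVault conversion or a suspended BitLocker volume as unprotected. The sample outputs are constructed, and English-language tool output and a system drive of C: are assumptions.

```python
import platform
import re
import subprocess

# Constructed sample outputs (not captured from a real device).
SAMPLE_FV_ON = "FileVault is On.\n"
SAMPLE_FV_PARTIAL = "FileVault is On.\nEncryption in progress: Percent completed = 41\n"
SAMPLE_BDE_SUSPENDED = """Volume C: [Windows]
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection Off
"""
SAMPLE_BDE_ON = SAMPLE_BDE_SUSPENDED.replace("Protection Off", "Protection On")


def filevault_protecting(output: str) -> bool:
    """macOS: FileVault must be on and not still encrypting or decrypting."""
    on = "FileVault is On" in output
    in_progress = re.search(r"(Encryption|Decryption) in progress", output)
    return on and not in_progress


def bitlocker_protecting(output: str) -> bool:
    """Windows: volume must be encrypted AND protection must not be suspended."""
    fields = {}
    for line in output.splitlines():
        key, _, value = line.partition(":")
        if value.strip():
            fields[key.strip()] = value.strip()
    # "Fully Encrypted" and "Used Space Only Encrypted" both count as encrypted.
    encrypted = fields.get("Conversion Status", "").endswith("Encrypted")
    return encrypted and fields.get("Protection Status") == "Protection On"


def check_this_device() -> bool:
    """Run the platform's own tool; manage-bde needs an elevated prompt."""
    system = platform.system()
    if system == "Darwin":
        cmd, parse = ["fdesetup", "status"], filevault_protecting
    elif system == "Windows":
        cmd, parse = ["manage-bde", "-status", "C:"], bitlocker_protecting  # C: assumed
    else:
        raise NotImplementedError(f"no check implemented for {system}")
    result = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return parse(result.stdout)


if __name__ == "__main__":
    print("FileVault on:", filevault_protecting(SAMPLE_FV_ON))
    print("FileVault mid-encryption:", filevault_protecting(SAMPLE_FV_PARTIAL))
    print("BitLocker suspended:", bitlocker_protecting(SAMPLE_BDE_SUSPENDED))
```

A False result on a device you believed was encrypted usually means the initial encryption never finished or BitLocker protection was suspended and not resumed.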
Screen locks are non-negotiable. Set devices to lock automatically after no more than five minutes of inactivity. Use strong authentication: a six-digit minimum PIN, fingerprint, or face ID. Never use pattern locks on mobile devices — they are visually easy to observe. For your primary work computer, use a strong password of 12+ characters or a password manager-generated passphrase.
Biometric authentication adds a layer of convenience that makes security more likely to be maintained. When clinicians have to type a long password to access their EHR, they sometimes disable the screen lock — biometrics remove that friction while maintaining security.
Cloud Storage: What "Secure" Actually Requires for PHI
Cloud storage for protected health information (PHI) is permissible under HIPAA if the cloud provider meets specific requirements. The provider must sign a business associate agreement (BAA) with your practice. The data must be encrypted in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent). Access controls must ensure only authorized personnel can access records.
Consumer cloud storage — personal Google Drive, Dropbox free, or iCloud — does not meet HIPAA requirements unless you are using a HIPAA-specific tier with a signed BAA. Many popular cloud storage services offer HIPAA-compliant enterprise tiers, but the standard consumer product does not qualify. Using a standard consumer Dropbox account to store client notes is a HIPAA violation even if those notes are encrypted files — because Dropbox's standard service does not include a BAA.
Email, Messaging, and the PHI Transmission Problem
Unencrypted email is one of the most common sources of PHI disclosure violations. Standard email — Gmail, Outlook.com, most provider email — is not encrypted end-to-end. Messages in transit can be intercepted; messages sitting in inboxes are accessible to the email provider. Do not send PHI via standard email.
Encrypted email options include ProtonMail, Virtru (which works with Gmail), and some EHR-integrated secure messaging systems. If a client emails you sensitive information, respond through a secure channel and document that you discussed using secure methods with the client. For clinical coordination (sending notes to a prescriber, receiving a referral letter), use your EHR's secure messaging feature, a secure fax service, or an encrypted file transfer.
Text messaging via standard SMS is similarly inappropriate for PHI. If clients contact you via text about clinical matters, redirect them to a HIPAA-compliant client portal. Do not save clinical content from text messages into your records without first moving the communication to a secure channel.
Secure Client Portals
Modern EHR and practice management systems include client portals that handle secure communication, document sharing, and appointment management. These portals are encrypted, access-controlled, and designed for HIPAA compliance. Using a client portal for all client communications — intake documents, release forms, session summaries when appropriate, billing — removes the PHI transmission risk that comes from email and text.
When implementing a portal, document in your informed consent that clients should use the portal for clinical communication. Educate clients on how to access it and log in. For clients who are not technologically comfortable, maintain alternative secure methods (encrypted email with consent, phone, fax).
Shared Workspace and Shared Computer Risks
If you practice in a group setting with shared physical space or shared computers, additional risks apply. Never leave a clinical record open on a screen when you leave a workstation. Log out of your EHR between uses, even if you are stepping away briefly. If computers are shared, ensure each clinician has a separate login — never share EHR credentials, even in an emergency.
In shared office spaces, be cautious about printing clinical records. Printed PHI requires secure handling: transport it in a sealed folder, store it in a locked area, and shred it when no longer needed. Do not leave printed notes on a shared printer, at a reception desk, or anywhere accessible to unauthorized parties.
Mobile Device Risks
Clinicians increasingly use smartphones and tablets for clinical work: reviewing notes before sessions, using mobile EHR apps, communicating with clients through secure portals. Mobile devices are the most commonly lost and stolen category of electronic devices.
Beyond encryption and screen locks, use remote wipe capability on all clinical-use mobile devices. On iOS, this is enabled through Find My iPhone. On Android, use Find My Device. If a device is lost or stolen, you can remotely erase it before data is accessed. This capacity must be set up before the loss occurs — you cannot enable it after the fact.
Do not use public WiFi to access clinical records without a VPN. Public WiFi networks can be intercepted; a VPN encrypts your traffic before it leaves your device. Reputable paid VPN services (not free VPN services, which may sell your data) provide this protection.
Data Breach Response Obligations
Under HIPAA's Breach Notification Rule, if PHI is accessed, acquired, disclosed, or used without authorization, you may have a breach requiring notification. HIPAA requires notification to affected individuals within 60 days of discovery of the breach. Breaches affecting 500 or more individuals in a state must also be reported to the media. All breaches must be reported to the HHS Office for Civil Rights.
The HIPAA Breach Notification Rule includes a four-factor risk assessment for determining whether an incident constitutes a reportable breach. Factors include the nature of the PHI involved, who accessed it, whether access was actually acquired, and the extent to which the risk of harm has been mitigated. If you experience a potential breach — stolen device, hacked account, inadvertent disclosure — consult your compliance officer or a HIPAA attorney immediately.
Your Personal Digital Security Checklist
Review this checklist quarterly:
- Full-disk encryption enabled on all work devices.
- Strong, unique passwords for all clinical systems (use a password manager).
- Two-factor authentication enabled on email, EHR, and any system containing PHI.
- Screen lock set to five minutes or less on all devices.
- BAAs signed with all cloud storage, EHR, telehealth, and AI tool vendors.
- No PHI transmitted via unencrypted email or standard SMS.
- Mobile devices enrolled in remote wipe.
- Staff trained annually on digital confidentiality procedures.
- Incident response plan documented in case of a potential breach.
Digital confidentiality is not a one-time setup task — it requires ongoing attention as your tools, devices, and vendors change. Schedule a quarterly digital security review as part of your practice management routine.