What should you be doing with Protected Health Information (PHI)?

By Mat Buttrey, Senior Product Manager & Strategic Lead – Healthcare, PaperCut
LinkedIn: Matthew Buttrey
LinkedIn: PaperCut Software

In today’s digital era, healthcare organizations handle vast amounts of Protected Health Information (PHI). But with more focus than ever on safeguarding patient data, one major compliance risk often flies under the radar: printing. While enormous resources are committed to securing electronic systems, a single document left on a printer tray can lead to data breaches, HIPAA violations, and hefty fines.

Despite the digital transformation of healthcare, paper isn’t going anywhere soon. In fact, the average 1,500-bed hospital in the US prints 8 million-plus pages a month, adding up to almost 100 million pages a year. For a large health system with multiple hospitals and outpatient facilities, this figure would be even higher.

The reality is, printing remains a significant burden on healthcare providers due to regulatory requirements, patient documentation, billing, and administrative workflows. So, at a time when data security and compliance risks are growing, hospitals, clinics, and healthcare networks must ensure that printing is no longer a weak link in their PHI strategy.

Understanding the challenge of printed PHI

PHI includes any identifiable data related to a patient’s medical condition, treatment, or payment for healthcare. This not only includes electronic health records (EHR) and electronic medical records (EMR) but also test results, prescriptions, dental records, personal details, and genetic information.

Under the Health Insurance Portability and Accountability Act (HIPAA) privacy rule, healthcare organizations are required to protect confidential patient health information—whether in digital or printed format. However, electronic records benefit from built-in security controls, whereas paper documents often lack proper safeguards. And while digital breaches usually involve sophisticated cyberattacks, print-related HIPAA violations often stem from a simple human error.

Healthcare environments are typically fast-paced, high-volume, and heavily reliant on shared printing resources. With thousands of pages being printed, faxed, and copied every day, the risk of a data breach increases. It’s easy for a staff member to hit ‘print’ but forget to collect their document, leaving pages unattended by a printer, on a desk, or in a common area—potentially exposing PHI to unauthorized staff or visitors.

Employees could also print PHI without proper authorization, either intentionally or accidentally, or they may print more PHI than necessary. Another common issue is printed documents being mistakenly sent to the wrong person or department, compromising patient confidentiality. And if documents are thrown in the trash rather than shredded, they may also be picked up by an unauthorized person.

Unlike digital records, printed documents don’t have an automatic audit trail, so if a page goes missing, there’s no way of knowing where it ends up—making it impossible to identify the source of a data leak.

Steps to secure PHI in a print-heavy environment

To ensure PHI is properly protected, healthcare providers should take a holistic approach to print security with these 10 essential steps:

1. Conduct a print assessment. Comprehensively assess your current print environment to identify challenges in safeguarding PHI and design an appropriate print management strategy.
2. Enforce PHI print policies. Set rules around what can be printed, by whom, and on which devices, including dedicated printers for documents that contain PHI.
3. Set up access controls. Use authentication methods like ID cards or PIN codes to ensure only authorized staff can access and print PHI.
4. Ensure secure passwords. Require staff to update their passwords regularly to prevent hackers from gaining access to print devices.
5. Create a print audit trail. Track who prints what, when, and where—monitoring for any unauthorized access or excessive printing of PHI.
6. Implement physical security measures. Make sure all filing cabinets are locked, and print rooms require swipe or PIN access.
7. Practice proper disposal. Make sure all documents containing PHI are securely disposed of, either by shredding or in a locked disposal station—never in an open bin.
8. Monitor your print environment. Regularly review print processes to detect security vulnerabilities and ensure compliance with HIPAA regulations.
9. Establish an incident response plan. Develop clear procedures for reporting, responding to and mitigating print-related PHI incidents, making sure all staff understand their roles.
10. Train employees. Provide training on secure handling of printed PHI, including clean desk policies, methods for collecting, storing and disposing of printed materials, and guidelines for reporting data breaches.

Leveraging print management solutions for PHI

A centralized print management solution is a powerful tool for enhancing patient data security, by consolidating all print workflows into a single, unified system. Advanced security features include:

• Secure print release. Documents are only released once users verify their identity at the printer, reducing the risk of PHI being left unattended on the printer tray.
• Find-me printing. Users can release print jobs at any printer (after authenticating), ensuring secure and convenient access to sensitive information.
• End-to-end data encryption. PHI is encrypted when transiting between the user’s computer and the printer, protecting patient data as the print job moves through the network.
• Mobile and cloud printing. With many healthcare professionals working from their smartphone or tablet, secure mobile and cloud printing are critical for safeguarding PHI.
• Document security controls. Additional measures like digital signatures and watermarking help protect patient information by ensuring the authenticity and confidentiality of documents.
• Secure fax integrations. Integrating cloud faxing with print management solutions enables secure transmission of PHI, while centralizing access to patient data such as EMR and EHR.
• Audit trails and reporting. Print management solutions continuously monitor activity across the entire print ecosystem, with comprehensive print logs recording all printing activities.

As healthcare delivery continues to evolve, PHI must be protected across all formats—not just online, but on paper too. By combining printing best practices with a centralized print management solution, healthcare providers can proactively secure their print environments to ensure data privacy, reducing compliance risks and ultimately building greater trust with patients.

Because in the end, PHI isn’t just about ticking a box or avoiding a fine, it’s about protecting people.