Reducing PHI exposure in healthcare consulting engagements
Rachel Okonkwo · 2025-03-08
Healthcare consulting engagements frequently touch protected health information. Most consulting firms aren't covered entities — they're business associates, and the risk profile is different from a hospital's.
What HIPAA actually requires of you
As a business associate, you must:
- Execute a Business Associate Agreement (BAA) with every covered entity client before touching PHI
- Implement administrative, physical, and technical safeguards per the Security Rule
- Honor minimum necessary — collect and access only the PHI required for the engagement
- Notify the covered entity of breaches within 60 days (often contractually tightened to less)
- Engage your own subcontractors under BAAs that flow down the same obligations
The three most common PHI exposure patterns
In our reviews, these account for the majority of incidents:
- Email forwarding. A consultant receives PHI in email and forwards it — often to a colleague, occasionally to the wrong recipient. The original message lives in the sent folder forever.
- Unencrypted laptops. Consultants travel. Laptops get lost. If full-disk encryption isn't enforced via MDM, that lost laptop is a reportable breach.
- Lingering deliverable PDFs. Engagement deliverables containing PHI live on file servers, OneDrive, and personal Dropbox accounts long after the engagement closes. Retention isn't enforced because nobody owns it.
A minimum-footprint workflow
The structural fix is to minimize the surface area on which PHI ever lives:
- Collect only what's needed. Use templated requests with conditional logic.
- Transit through a portal, not email. PHI never enters a consultant's inbox.
- Process in place. Use ephemeral analysis environments that destroy data on engagement close.
- Auto-purge on engagement close. Define a default retention policy at engagement intake.
- Audit access continuously. If PHI hasn't been touched in 30 days, ask whether it's still needed.
What auditors look for
If you're audited (by OCR, by a covered entity, or by your own internal team), expect requests for:
- An inventory of all PHI by engagement, with a defensible reason for each
- Quarterly access reviews showing who has access to what, and why
- A breach response runbook with named owners and tested call trees
- Evidence of security awareness training for everyone with PHI access
- BAAs in place for every sub-processor, dated before any PHI flowed
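The workflow rules above (auto-purge at the retention date set at intake, the 30-day access check) and the auditor's BAA-date question can be run mechanically against a PHI inventory. The script below is an added illustration, not the author's tooling; the inventory schema, engagement ids, paths and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Hypothetical inventory record: the post names the facts to track, not a format.
@dataclass
class PhiArtifact:
    engagement: str
    path: str
    first_phi_received: date
    last_accessed: date
    engagement_close: Optional[date] = None  # None while the engagement is still open
    retention_days: int = 0                  # grace period fixed at intake; 0 = purge on close
    baa_signed: Optional[date] = None        # None if no BAA is on file for this client

STALE_AFTER = timedelta(days=30)  # the post's "untouched in 30 days" threshold

def review_inventory(artifacts: List[PhiArtifact], today: date) -> Dict[str, List[str]]:
    """Return {path: [findings]} for every artifact that breaks a workflow rule."""
    findings: Dict[str, List[str]] = {}
    for a in artifacts:
        issues = []
        # A BAA must exist and be dated before the first PHI flowed for the engagement.
        if a.baa_signed is None or a.baa_signed > a.first_phi_received:
            issues.append("no BAA dated before PHI flowed")
        # Closed engagement past its retention grace: the artifact should already be gone.
        if a.engagement_close and today > a.engagement_close + timedelta(days=a.retention_days):
            issues.append("past retention window: purge")
        # Otherwise apply the continuous 30-day access check.
        elif today - a.last_accessed > STALE_AFTER:
            issues.append("untouched for over 30 days: confirm still needed")
        if issues:
            findings[a.path] = issues
    return findings

# Constructed sample inventory; engagement ids, paths and dates are made up.
SAMPLE = [
    PhiArtifact("ENG-001", "/portal/eng-001/claims.csv", date(2024, 12, 1), date(2025, 3, 1),
                baa_signed=date(2024, 11, 1)),
    PhiArtifact("ENG-002", "/onedrive/eng-002/deliverable.pdf", date(2024, 10, 1), date(2025, 1, 10),
                engagement_close=date(2025, 1, 15), retention_days=30, baa_signed=date(2024, 9, 1)),
    PhiArtifact("ENG-003", "/fileserver/eng-003/extract.xlsx", date(2025, 1, 2), date(2025, 1, 20),
                baa_signed=date(2025, 1, 5)),
]

def review_sample() -> Dict[str, List[str]]:
    return review_inventory(SAMPLE, today=date(2025, 3, 8))

if __name__ == "__main__":
    for path, issues in review_sample().items():
        print(path, "->", "; ".join(issues))
```

Running the check on a schedule and keeping its output is the evidence an access review asks for; an empty result on a closed engagement is what "auto-purge" should look like.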
PHI exposure scales with the number of places PHI is allowed to live and how long it stays there. The teams that have the fewest incidents aren't more careful — they've engineered fewer opportunities for incidents to happen.
Written by Rachel Okonkwo. Have feedback? Reach out at hello@verifypg.com.