Best Practices in Protecting PHI in the Cloud & Minimizing PHI Breaches

The recent HIPAA breach reports involving CHS and Cedars-Sinai are enough to keep healthcare CIOs and Security Officers awake at night. Such events have pushed healthcare organizations into reactive mode and left them concerned about their potential vulnerabilities.

Minimizing PHI Breaches in the Healthcare Realm

In today’s world of pervasive smartphone usage and cloud computing, it is important to identify the best practices for minimizing PHI breaches. When evaluating any cloud-based service, the healthcare organization must ask three important questions:

  1. Does the vendor need access to PHI? If the answer is no, the vendor should neither store nor access PHI in the cloud.
  2. Is the encryption airtight? Check for weak links along the encryption path, such as logs, backups and password handling. The vendor should not hold the PHI encryption keys.
  3. Does the service store PHI on public cloud servers? Public clouds are like unencrypted laptops: a huge risk.

Minimizing PHI Breach with qliqCONNECT

Following the tenets of best security practice for minimizing PHI breaches, we have designed qliqCONNECT, our flagship secure texting service, so that qliqSOFT has no access to your PHI and no PHI is stored in the Cloud. This dramatically reduces your risk of a PHI breach.

Here’s how we do it with qliqCONNECT:

  1. Cloud Pass-Thru Messaging - no message content or PHI is stored in the Cloud.
  2. Public-Private Key Encryption - qliqSOFT has no access to the keys that decrypt messages.
  3. Message Archive Behind Your Firewall - your PHI remains under your control, and qliqSOFT has no access to it.
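The three tenets above describe a shape rather than a protocol: encryption and decryption happen on the endpoints, the cloud tier only relays, and the message archive lives with the organization. The Go program below is an added illustration of that shape written for this page; it is not qliqSOFT's code and does not describe how qliqCONNECT actually works. It assumes X25519 key agreement with AES-256-GCM (my choice, not the page's), constructed party names ("nurse", "physician", "relay-operator") and a constructed sample message; key distribution and device enrolment are left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Envelope is all the relay ever handles: routing metadata plus ciphertext.
type Envelope struct {
	From, To          string
	Nonce, Ciphertext []byte
}

// Party is a device inside the organization; its private key never leaves it, and Inbox is its local archive.
type Party struct {
	Name  string
	priv  *ecdh.PrivateKey
	Inbox []Envelope
}

func mustParty(name string) *Party {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only fails if the OS RNG is unavailable
	}
	return &Party{Name: name, priv: priv}
}

func (p *Party) PublicKey() *ecdh.PublicKey { return p.priv.PublicKey() }

// aeadFor derives AES-256-GCM from the X25519 shared secret (illustrative shortcut; real designs use HKDF).
func aeadFor(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	secret, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(secret)
	block, _ := aes.NewCipher(key[:]) // 32-byte key: cannot fail
	return cipher.NewGCM(block)
}

// Seal encrypts on the sender's device, binding both names as associated data
// so a forwarded envelope cannot be silently re-addressed in transit.
func (p *Party) Seal(to string, toPub *ecdh.PublicKey, plaintext string) (Envelope, error) {
	aead, err := aeadFor(p.priv, toPub)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // crypto/rand.Read does not return an error on current Go releases
	ct := aead.Seal(nil, nonce, []byte(plaintext), []byte(p.Name+"->"+to))
	return Envelope{From: p.Name, To: to, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts on the recipient's device; without its private key (the relay holds none) GCM authentication fails.
func (p *Party) Open(env Envelope, fromPub *ecdh.PublicKey) (string, error) {
	aead, err := aeadFor(p.priv, fromPub)
	if err != nil {
		return "", err
	}
	pt, err := aead.Open(nil, env.Nonce, env.Ciphertext, []byte(env.From+"->"+env.To))
	return string(pt), err
}

// Relay models the cloud pass-through tier: it hands envelopes straight to devices and logs only routing metadata.
type Relay struct {
	deliver  map[string]func(Envelope)
	AuditLog []string
}

func (r *Relay) Register(p *Party) {
	r.deliver[p.Name] = func(env Envelope) { p.Inbox = append(p.Inbox, env) }
}

func (r *Relay) Forward(env Envelope) bool {
	d, ok := r.deliver[env.To]
	if ok {
		r.AuditLog = append(r.AuditLog, fmt.Sprintf("%s -> %s (%d bytes)", env.From, env.To, len(env.Ciphertext)))
		d(env) // delivered immediately; the relay keeps no copy of the ciphertext
	}
	return ok
}

// Exchange sends one message from a nurse to a physician via the relay and reports what the physician
// read, plus whether a third party holding only its own key (the relay operator) could read the envelope.
func Exchange(message string) (received string, relayCouldRead bool, err error) {
	nurse, physician, operator := mustParty("nurse"), mustParty("physician"), mustParty("relay-operator")
	relay := &Relay{deliver: map[string]func(Envelope){}}
	relay.Register(nurse)
	relay.Register(physician)
	env, err := nurse.Seal("physician", physician.PublicKey(), message)
	if err != nil {
		return "", false, err
	}
	if !relay.Forward(env) {
		return "", false, fmt.Errorf("unknown recipient %q", env.To)
	}
	received, err = physician.Open(physician.Inbox[0], nurse.PublicKey())
	_, opErr := operator.Open(env, nurse.PublicKey())
	return received, opErr == nil, err
}
```

Two points of the checklist above are visible in the code. The relay operator holds the ciphertext and every public key yet cannot decrypt, which is what "qliqSOFT has no access to keys that decrypt messages" has to mean in practice. And the relay's `AuditLog` records only sender, recipient and size, so the logs and backups that question 2 names as weak links contain nothing to leak even if they are exposed.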

Frequently Asked Questions

Find answers to common questions about this topic.

Public cloud servers pose significant PHI security risks similar to unencrypted laptops, as they lack proper isolation and control. Healthcare organizations lose direct oversight of their data and face potential exposure to unauthorized access or breaches.

No, healthcare vendors should never hold or have access to PHI encryption keys. Organizations must maintain exclusive control over encryption keys to ensure maximum security and compliance with HIPAA regulations.

Organizations should specifically ask vendors if they need access to PHI and require confirmation that no PHI is stored in cloud servers. Vendors should implement cloud pass-through messaging systems that process but don't retain sensitive health information.

IT teams should examine potential weak points in the encryption pathway including logs, backups, password storage, and data transmission points. All components of the system must maintain consistent, robust encryption standards without gaps.

PHI message archives should be stored behind the healthcare organization's own firewall rather than in vendor cloud systems. This ensures the organization maintains direct control and access oversight while preventing vendor exposure to sensitive data.

Written by Krishna Kurapati, Founder & CEO of QliqSOFT with 20+ years of healthcare technology experience.
