Compliance Notes: Best Practices for Protecting PHI

CMS takes protecting data for millions of Medicare beneficiaries seriously and has policies in place to safeguard that data. By implementing the best practices listed below, ACOs help CMS in its effort to protect beneficiaries’ personally identifiable information (PII), protected health information (PHI), and other sensitive data that is sent by email.

  1. Avoid sharing PII, PHI, or sensitive data by email. If you must email it, encrypt the file and share the password with the recipient by phone, or fax it directly to the recipient.
  2. Do not email passwords.
  3. Do not click to open a link or attachment until you have talked to the sender or you are expecting the attachment.
  4. Do not share the password to encrypted files.
  5. Do not send work information to or from your personal email account.

More information about CMS security, privacy guidance, and best practices that may be useful to your ACO is available from CMS.

If you have PHI questions, contact the compliance office at 540-245-7455, or message Scott Jones at If you prefer to make an anonymous report, you can do so through the Compliance Hotline at 855-298-5598, or at