How should patient information be protected in electronic health records (EHRs)?

• A. Access controls, audit trails, encryption, secure passwords, device security, and confidentiality training
• B. Post PHI on public terminals for transparency
• C. Use simple passwords and share them among staff
• D. No training is needed for confidentiality

Answer: (A)

Protecting patient information in electronic health records relies on layered safeguards that limit access, monitor activity, and safeguard data. Access controls ensure only authorized staff can view or modify records; audit trails record who accessed data and when, providing accountability and helping detect misuse; encryption protects data both at rest and in transit; strong, unique passwords and password policies reduce the risk of unauthorized entry; device security helps prevent data loss or theft from hardware; confidentiality training ensures staff understand their privacy responsibilities and the legal requirements they must follow, such as HIPAA. This combination—technical, administrative, and physical safeguards—addresses different points of risk and supports a culture of privacy. Post PHI on public terminals would breach confidentiality; using simple passwords and sharing them creates major security weaknesses; no training leaves staff unaware of proper privacy practices. The comprehensive approach is the correct one.