When configuring patient privacy settings, which principles should be applied?

Study for the Epic End User Test. Use our interactive quizzes with detailed explanations to boost your confidence. Prepare effectively and maximize your chances of success!

Multiple Choice

When configuring patient privacy settings, which principles should be applied?

Explanation:
Protecting PHI through restricted access and accountable tracking is essential. In practice, privacy settings should defend confidentiality by minimizing what can be seen on screens, enforcing role-based access so users only access information necessary for their role, and maintaining audit controls to monitor who accessed PHI, when, and what they did. This approach embodies least privilege, reduces exposure, and provides a traceable record for accountability and investigations. Making PHI public breaks confidentiality; giving everyone the same permissions ignores the different responsibilities and risks across roles; and turning off audit logging eliminates the ability to detect or respond to inappropriate access. For example, clinicians see the information required to care for a patient, while non-clinical staff access only appropriate data, with every access logged for review.

