If you want to secure you PHI, you first got to find it.
Protected health information (PHI) under US law is any information about health status, provision of health care, or payment for health care that is created or collected by a "Covered Entity" (or a Business Associate of a Covered Entity), and can be linked to a specific individual. Source: https://en.wikipedia.org/wiki/Protected_health_information
Some places you can look:
Calendar. This is how two Phoenix cardiologists earned a $100,000 fine.
Email. Do your doctors email each other about patients? Do they get emails from patients? Now you need to protect the emails stored on your servers and mirrored to the Inbox on every device you own.
Voicemail. Do your patients leave you messages? You need to make sure your voicemail box is secure. Similarly, be wary of calls hosted by the cloud.
Text Messages. If your patients send you text messages (which I hope they don't because it is an an open channel!) the text history stored on your phone is now PHI.
Billing. You get paid, right? Well, the payment records link patients to you. This means your billing information is not just PCI, it is also PHI!
The Cloud. Somewhere out there, over the rainbow, you have a server with patient data. You need to protect it. If any of that data is ever unencrypted, or if the decryption keys are stored by the same cloud service as the data, you need to sign a BAA with the cloud service provider.
The Guy With Three Computer Screens on His Desk. Otherwise known as the developer, QA tester, database manager, or system administrator. He has access to the PHI (which he innocuously calls "production data") because he codes/tests/administers the system where it is stored. But testing might require obtaining a local copy...and you see where this is going. If you outsource any of your dev/qa/sys admin functions to outside contractors you need a rock-solid BAA.
The Ridiculously Expensive Printer. The bigger and more expensive, the more likely it stored electronic copies of all PHI you sent it to print. Affinity Health paid a $1.2 million penalty for data discovered on the hard drive of its copy machines.
Laptops, cell-phones, and computers. If your company handles PHI, just assume that all devices that ever connect to your system MAY have PHI on it. (even if they're not supposed to). Concerta Health Services paid a $2 million dollar penalty due to a stolen laptop.
Browser Cache. You thought you placed your PHI safely in the cloud. But there it is, on every laptop, cell-phone, and workstation that ever connects to your web-portal (see above).
USB drives. Those little devices you use to transfer data between computers when you don't have a secure file transfer service available.
The Recycling Bin. Because that's where you put your PHI after you shredded it.
All of the above examples constitute "data-at-rest." Your job is to encrypt it, create a back-up, and encrypt the back-up. Then add some audit and access control. If a separate organization has access to the data, you need to sign a BAA to ensure that they do the same.