# Comply with HIPAA by masking or blocking PHI from going to destinations

Freshpaint's [HIPAA mode](https://documentation.freshpaint.io/readme/hipaa-mode) gives you full control over how you send data to your destinations. In this guide, we're going to show you how to configure your destinations to make use of HIPAA mode.

## Putting a destination into HIPAA Mode

A destination is in HIPAA Mode if its connection mode is "Server-side" and HIPAA features are enabled.

{% hint style="warning" %}
Only destinations that support a server-side connection can be used in HIPAA mode.
{% endhint %}

You can change these options on the destination's configuration page. When handling PHI, you should always enable HIPAA mode unless you've signed a Business Associate Agreement (BAA) with the destination.

![A destination is in HIPAA mode if its Connection Mode is "server-side" and HIPAA features are enabled](https://1666823438-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MA7aDqsXMFbUsWVqonF%2Fuploads%2Fti9vpPicXrMebQe3WgEw%2FScreen%20Shot%202022-02-07%20at%206.20.39%20PM.png?alt=media\&token=ffbc28f5-2d9f-4aa7-a1a6-0e9de68a442c)

Because HIPAA Mode features are applied to events on Freshpaint's servers, client-side destinations do not support HIPAA mode. As a result, destinations where HIPAA features are enabled and the connection mode is "Client-side" are invalid.

![Destinations configured to restrict PHI that are set to the Client-Side connection mode are invalid](https://1666823438-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MA7aDqsXMFbUsWVqonF%2Fuploads%2FRfC6LlNEV5fVddsqKYfI%2FScreen%20Shot%202022-02-08%20at%2012.13.08%20PM.png?alt=media\&token=64d5e232-c857-46e8-a88c-ba331033c4d4)

When your account is configured for HIPAA, your destinations restrict PHI by default. To change this behavior, click the `Configure` button for HIPAA Settings and you'll see a modal pop up, like this:

<figure><img src="https://1666823438-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MA7aDqsXMFbUsWVqonF%2Fuploads%2FLpwKovXD7PiBRCntlXdt%2FScreenshot%202023-01-27%20at%203.23.32%20PM.png?alt=media&#x26;token=2b03c640-1398-4e62-bc8e-0ee36390adbf" alt=""><figcaption><p>Check the box to disable HIPAA restrictions for a destination</p></figcaption></figure>

Check the box next to `Disable ID Masking and Enforced Allowlists` *only if* you want to allow PHI to be sent to a destination.

## Configure how you send properties with PHI

Once you have HIPAA mode turned on and a destination configured to restrict PHI, you can use allowlists to manage what you *can* send. Click the `HIPAA Allow List` and you'll see a screen which looks like this:

<figure><img src="https://1666823438-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MA7aDqsXMFbUsWVqonF%2Fuploads%2FNt5iZfAZj0xpsLXGHwas%2FScreenshot%202023-01-27%20at%203.26.31%20PM.png?alt=media&#x26;token=3b8a0bd6-99da-46e9-a4ad-62fb503e3cf9" alt=""><figcaption><p>Choose which kind of properties to allow</p></figcaption></figure>

Here you choose which properties can be sent to your destinations. These lists are saved to your [environment](https://documentation.freshpaint.io/admin-panel/projects-and-environments); a production and development environment may have different allowlists.

You'll see three lists you can configure:

* Event properties are ones which are sent with track calls. These include autotrack events and precision track events.
* User properties are ones which are sent with [identify calls](https://documentation.freshpaint.io/reference/developer/freshpaint-sdk-reference#identify) from our SDK.
* Group properties are ones which are sent with [group calls](https://documentation.freshpaint.io/reference/developer/freshpaint-sdk-reference#group) from our SDK.

Click the edit icon to configure any one of these sets of properties, and you'll see an interface which looks like this:

<figure><img src="https://1666823438-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MA7aDqsXMFbUsWVqonF%2Fuploads%2FSAqwyzLzV6RAL76Ixuwi%2FScreenshot%202023-01-27%20at%203.45.26%20PM.png?alt=media&#x26;token=63894fdf-229a-4e0c-994f-81264cc2973d" alt=""><figcaption><p>Configure the properties you can send</p></figcaption></figure>

You can add the properties that you'll *allow* to a destination. Once you do, *only those properties will be sent.* You can see that we've decided to use ID masking for the `email` property; it'll be sent in a form that is consistent for each unique email address, but from which the original email address cannot be determined. The `user_id` property will be sent unmasked, meaning it will be clearly recognizable in the destination that receives it.
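The allowlist behavior described above, as an added sketch that is not Freshpaint's code: only allowlisted properties pass, `email` is replaced with a consistent token, and `user_id` goes through unchanged. Keyed HMAC-SHA256, the key, the `ALLOWLISTS` layout, and the `plan` and `diagnosis` properties are assumptions for illustration; the page does not say how Freshpaint computes masked values.

```python
import hashlib
import hmac

# Constructed allowlists, one per call type named on the page.
# "masked" = ID masking, "unmasked" = sent as-is; unlisted names are dropped.
ALLOWLISTS = {
    "event": {"plan": "unmasked"},
    "user": {"email": "masked", "user_id": "unmasked"},
    "group": {},
}

# Assumption: a secret masking key (constructed value, demo only).
MASKING_KEY = b"constructed-demo-key"


def mask(value, key=MASKING_KEY):
    """Return a token that is stable per input value but does not reveal it."""
    return hmac.new(key, str(value).encode("utf-8"), hashlib.sha256).hexdigest()


def filter_properties(kind, properties, allowlists=ALLOWLISTS):
    """Apply default-deny allowlisting to one call's properties."""
    allowed = allowlists.get(kind, {})  # unknown call type: nothing passes
    outgoing = {}
    for name, value in properties.items():
        mode = allowed.get(name)
        if mode == "masked":
            outgoing[name] = mask(value)
        elif mode == "unmasked":
            outgoing[name] = value
        # any other name is not on the allowlist and is never forwarded
    return outgoing


# Constructed identify-call properties; "diagnosis" stands in for PHI.
SAMPLE_IDENTIFY = {
    "email": "pat@example.com",
    "user_id": "u-1001",
    "diagnosis": "constructed value",
}

if __name__ == "__main__":
    for name, value in filter_properties("user", SAMPLE_IDENTIFY).items():
        print(f"{name}: {value}")
```

Because the token is deterministic, records for the same email address still line up in the destination even though the address itself is never sent.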
