This HIPAA compliance service directly recommends never storing your PHI/PCI data in Excel specifically because it is so easy to have it accidentally be the cause of a breach. https://pcihipaa.com/how-to-protect-your-practice-from-common-hipaa-violations-and-fines/ "A Credit Card Data Breach: Every practice handles patient credit card information. A Payment Card Industry (PCI) violation can also end up being a reportable breach under HIPAA. Securing and properly handling credit card data is imperative. Don’t store any credit card information in QuickBooks, Excel or any other software. Also make sure you are PCI certified and using EMV devices to limit chargeback liabilities." They only mention the PCI piece, because it is so much less of a concern, storing health data in there would be so much worse.