Digitalization of healthcare presents opportunities for improving the quality of healthcare services and promises economic benefits. However, the success of digital health and the benefits cannot be actualized without considering health data protection practices in the process of healthcare service delivery. Despite the criticality of protecting health data in the system use lifecycle (from recording to consuming and taking informed actions), there is a paucity of research to investigate this complex phenomenon. Using longitudinal qualitative data on a state-wide digital health transformation project, we contextually theorize the practices for protecting health data. Our study reveals five types of health data protectionin-practice, namely data minimization, informal encoding, accuracy, improving cyber-awareness, and appropriate access management. Our results provide new insights into information system use (especially, effective use), and highlight practices that can improve health data protection.