We have put disclaimers on the dashboards where the underlying data contains PHI. We are also monitoring who downloads any PHI from any of the dashboards. Hope this helps!
We had exactly the same dilemma when visualising patient level information in our organisation and one way we found of mitigating the risk was to only display the internal System ID of the patient rather than any name, national number of sensitive data and then we use a dynamic hyperlink (We have branded it Click and Correct as we want to improve data quality this way by encouraging people to click on the record and correct any data quality errors in the source Patient System) by embedding the System ID Tableau Dimension into the web string to allow people to click directly from the Tableau workbook into the Patient System, from where they can view the sensitive info.
I have also raised an idea with Tableau to allow us to turn off subscriptions at a workbook and view level so we can stop users subscribing to workbooks that have patient identifiable data within them.https://community.tableau.com/ideas/6953
Hope that helps in some way.
You can also restrict the server users ability to view the underlying data. We have done that with some dashboards where the PHI is not displayed in the view. We don't want them to grab it from the underlying data either.