[Answer continued … ]Any conversations about patients, whether you are returning a patient’s call or whether your staff member is talking to an insurance company, should be conducted in private where no family members or others can hear you. One doctor was discussing a child’s bedwetting problem with a parent within earshot of his own children. It was a small town and the doctor’s children went to school with the child who had the bedwetting issue. Soon, it was public knowledge in the classroom and the other children teased the boy with the problem. This took place in the days before HIPAA was put into place, but the issue could just as easily take place today if patient-related conversations could be overheard.

Equally important is making sure there is a dedicated computer used for nothing other than practice-related matters. The computer should have a secure password and should not be shared by others, such as one’s children who are using it to do their homework or play video games.

Are there any software-related issues to be concerned about?

You should have good firewalls, proper encryption for patient portals and modes of communication. It is extremely important to keep software supported and up to date. If the manufacturer recommends updates, they must be installed promptly so that your software remains secure. Updates are “patches,” which the manufacturer recommends if they find vulnerabilities. Older versions of software eventually are no longer supported by the platform, such as Microsoft. Beyond being unreliable, outdated software is vulnerable to cyber breaches. The government’s position is that if the software is not supported, this constitutes a per se violation.

How can a practice increase its security?

I cannot emphasize enough what I mentioned in the previous interview, which is to engage a professional IT expert to conduct and troubleshoot software issues or handle phishing e-mails and potential breaches. A professional IT expert should also conduct an annual risk analysis and advise on what needs improvement.

You should regularly review who in your practice has access to which type of information. Staff members who do not need to access patients’ electronic health records (EHRs), meaning they are not involved with the care of a given patient, should be prevented from accessing that patient’s records. The e-mail accounts and passwords of former employees should be immediately deactivated so they can no longer access your network. This is equally true if you have a storage area of paper files. The ex-employee’s key or swipe card should be returned and if there is a combination lock, the combination should be changed.

Lastly, make sure you have policies in place regarding your employees’ use of social media and e-mails and access.
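The periodic access review described in the answer above (former employees' accounts deactivated, EHR access limited to staff involved in patient care) can be turned into a repeatable check. The script below is an added example, not part of the interview or any practice's own tooling; it assumes a practice can export its user accounts and an HR roster into simple records, and all names, roles and dates in it are constructed for illustration.

```python
"""Reconcile an account export against an HR roster to flag accounts
that an access review should act on. Added example with constructed data;
the record layout (username, role, groups, termination date) is an assumption."""

from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Account:
    username: str
    enabled: bool
    groups: List[str]          # hypothetical group names such as "ehr-clinical"


@dataclass
class Employee:
    username: str
    role: str                  # hypothetical role labels from HR
    termination: Optional[date]  # None while still employed


# Roles involved in patient care and therefore allowed to hold EHR access.
CLINICAL_ROLES = {"physician", "nurse", "medical-assistant"}
EHR_GROUP = "ehr-clinical"   # assumed name of the group that grants EHR access


def review_access(accounts: List[Account], roster: List[Employee],
                  today: date) -> List[Tuple[str, str]]:
    """Return (username, reason) pairs for accounts that need attention."""
    by_user = {e.username: e for e in roster}
    findings = []
    for acct in accounts:
        emp = by_user.get(acct.username)
        if emp is None:
            # An account with no owner on the roster cannot be justified.
            findings.append((acct.username, "no matching employee: disable"))
            continue
        if emp.termination is not None and emp.termination <= today and acct.enabled:
            # Offboarding should have disabled this already.
            findings.append((acct.username, "former employee still enabled: disable"))
            continue
        if EHR_GROUP in acct.groups and emp.role not in CLINICAL_ROLES:
            # Least privilege: non-clinical staff do not need patient records.
            findings.append((acct.username,
                             f"non-clinical role '{emp.role}' holds EHR access: remove"))
    return findings


def sample_findings() -> List[Tuple[str, str]]:
    """Run the review over a small constructed practice."""
    accounts = [
        Account("dr_lee", True, ["ehr-clinical"]),
        Account("jsmith", True, ["billing", "ehr-clinical"]),
        Account("mjones", True, ["ehr-clinical"]),
        Account("tmp_vendor", True, ["scheduling"]),
        Account("rkim", True, ["scheduling"]),
        Account("pwong", False, ["ehr-clinical"]),   # already disabled at offboarding
    ]
    roster = [
        Employee("dr_lee", "physician", None),
        Employee("jsmith", "billing", None),
        Employee("mjones", "nurse", date(2024, 3, 1)),
        Employee("rkim", "front-desk", None),
        Employee("pwong", "nurse", date(2024, 1, 15)),
    ]
    return review_access(accounts, roster, today=date(2024, 4, 1))


if __name__ == "__main__":
    for user, reason in sample_findings():
        print(f"{user}: {reason}")
```

Running it lists three accounts: a billing user holding EHR access, a terminated nurse whose account is still enabled, and an account with no roster entry at all; the already-disabled former employee produces no finding. Feeding the real export into `review_access` on a schedule gives the annual risk analysis a concrete list to work from.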