To protect yourself, your staff, and your business, follow these six steps to safeguard PHI within your practice:
1. Create a plan that encompasses data privacy/security within your office and in transit.
2. Enforce compliance efforts using documented policies and procedures supported
3. Provide ongoing training.
4. Collaborate and communicate on issues with your entire staff.
5. Perform internal audits and have third-party reviews of your program.
6. Measure the effectiveness of your regulatory
1 Create a Within-Office and In-Transit Data Plan
In the same month the pediatric gastroenterologist practice was fined $31,000 for not having a BAA in place, a federally qualified health center in Colorado settled with OCR for $400,000 after failing to conduct a risk analysis prior to a phishing attack. The fine would have been higher, but OCR took into account the center’s nonprofit status and the risk of closure that a higher fine
In this case, the center did the right thing following discovery of the attack. The settlement agreement stemmed from the lack of a risk analysis at the onset and the insufficiency of the initial risk analysis as well as subsequent ones. The message is clear: you must not only have a plan, but that plan should be rigorous enough to
If you’re not sure where to begin, check with other local practices or medical associations on how they have dealt with privacy/security planning. If you’re a large practice or part of a health system, you should be sufficiently covered. Small practices, meanwhile, likely will outsource security. But once you have a plan, everyone in the practice should be aware of the policies and procedures and follow them.
2 Enforce Compliance Supported by Sanctions
Having a plan is merely the first step to compliance. Just as nurses check a patient’s vital signs at the start of each visit, check and enforce security guidelines every day to make
Use the buddy system to provide another set of eyes to check that computers are locked whenever they are left unattended (even for a minute). Empower anyone who sees an unlocked computer to lock it, and notify the privacy officer. Stay on guard about passwords affixed to computer screens or visible work spaces.
It’s not enough to point out errors. There should be sanctions for repeated or blatant violations. Verbal warnings, written warnings, and terminations should all be on the table—not necessarily in that order. A blatant security lapse should be dealt with appropriately.
3 Provide Ongoing Training
Protecting PHI is never a one-and-done proposition. In addition to initial training, reinforce the importance of adhering to security guidelines at every opportunity. When we are not constantly reminded, we tend to forget. A weekly or bi-weekly email detailing security measures is a good start to that reinforcement.
Everyone should receive follow-up training on at least an annual basis to reinforce the guidelines and provide updates on any changes. Query employees on what they learned. Also, keep accurate records of who has received training.
Training should occur for new hires, when significant changes take place, at least annually to reinforce learning, and with individuals who
If you think