Physical Therapy Practice HIPAA Compliance - 3 things you can do in 30 minutes

Have 30 minutes? Why not work on your HIPAA stance?

It's really hard to believe but HIPAA (Health Insurance Portability and Accountability Act) was passed about 25 years ago. Mariah Carey and Tracy Chapman were dominating the billboards and everything was breezy. Combine that with 2+ decades in advances in technology including the proliferation of EMR and billing software and we can all agree that much has changed. At times, HIPAA can seem overwhelming but it's best to break it down to things that you can actually do. A little bit can go a long way. This blog post gives you three achievable things that you can do in 30 minutes to improve your HIPAA stance.

1. Clinic walk through

Estimated time investment: 10 minutesAfter your practices closes to patients for the day, start at the entrance to your practice and make a loop through the practice. Here's what you're looking for:

• NO PASSWORDS on sticky notes! We know passwords can be tough to remember but you should not allow employees to write their passwords down and paste them anywhere on their desk.
• Is all paperwork secured? If you see any printed medical records, intake forms, prescriptions, etc - are they all properly secured? Do you have a secure place for documents awaiting shredding to be stored - it it being used? As an aside, you might consider implementing a clean desk policy. CDP's are popular and require that desk be clear at the end of the day as an easy way to protect paper by ensuring it goes where it needs to or is destroyed in a timely fashion.
• Are all computer workstations protected? As you walk by are all devices secured physically (e.g. laptops locked up at the end of the night)? If workstations are left on, are they left on only to a password screen to log onto the computer? Are important pieces of equipment protected?

You may also consider doing the same walkthrough during the day when your practice is open to make sure that your employees are taking similar precautions during business hours.

2. Vendor List Crosscheck

Estimated time investment: 10 minutesDo you have a list of all vendors that you work with? If you don't, now would be a good time to make one. If you do, this would be a good time to ensure it is up to date. A list of vendors should be part of a manual that you have for your practice. Hopefully you have one of those too but if not this can be a start on that (hey two birds, one stone). The point of having a vendor list is ensuring that you know everyone that you work with and that might hold or process protected health information (PHI) for your practice.

• Make sure your list is complete. It's a good idea to have contact information in the list so that you have it handy
• If the vendor processes PHI for you, make sure you have a business associate addendum (BAA) signed with them
• Keep the list up to date, remove any old vendors form the list so that it is reflective of your current setup

Using vendors to help offload some of the work of HIPAA compliance can be a great idea but only if you're working with competent vendors and you're ensuring that you keep your paperwork in order. This is a quick thing that you can do to validate that you're on track and may be one of the biggest things that you can do. At MWTherapy, we sign BAA's with every client by default and we have no problem doing so.

3. Crosscheck your software access levels

Estimated time investment: 10 minutesHere's another easy one to tackle. Pop into your practice management/EMR software and take a look at your roster of users. There are two key things that you're looking for:

• Make sure the roster is accurate and doesn't include any people who should no longer have access to your system
• Make sure that everyone has the appropriate level of access to perform their job function (more on this below)

Have you ever heard of the principle of least privilege? It's OK if you haven't. It's really just a fancy term used by computer nerds to explain the idea that users of computer systems should be granted the least amount of access as is possible just to be able to do their job and no more. At times, practice owners may feel compelled to give everyone access to everything to make life easier but it's far better to start everyone at a minimum and add to access as employees demonstrate a need for more access for their position.

The bottom line

Boom! In 30 minutes, you've made a difference in the security of your practice and made a difference in your practice's HIPAA compliance stance. It's a good idea to calendar this to be done again in say 6-months. Feel free to bookmark this blog post.