1. Use privacy screens on your computer monitors. Otherwise, you put patient information at risk for exposure to other patients or non-medical personnel.
2. Enact a written password policy. This list recommends rotating passwords every 60 days; note that current NIST guidance (SP 800-63B) no longer recommends forced periodic rotation and instead favors long, unique passwords, screening against known-breached passwords, and mandatory changes when compromise is suspected.
3. Don’t store protected health information (PHI) on local workstations or laptops, and never on a device whose disk is not encrypted.
4. Use a HIPAA-compliant email solution (quick tip: Microsoft will sign a Business Associate Agreement (BAA) for Office 365 with your practice; the BAA is required, but compliance still depends on how you configure and use the service).
5. Don’t share PHI through email that is not encrypted (double-check yours: most practices assume their email is encrypted, but it is not!).
6. Physically lock up network equipment like routers and servers.
7. Promptly remove users from your network who no longer need access to your systems.
8. Enable properly configured firewalls.
9. Ensure you have multilayered security so that a single vulnerability or misconfiguration does not expose PHI.
10. Dispose of PHI properly (shredding for paper files; securely wiping or physically destroying drives, backup media and old devices).
11. Avoid sharing user names and passwords among staff members (even for shared workstations).
12. Appoint a security officer.
13. Run background checks on new hires and obtain non-disclosure agreements for employees.
14. Conduct annual HIPAA training for all personnel.
15. Obtain signed Business Associate Agreements from all third parties that have, or could have, access to your patients’ PHI.
16. Enable account lockout (or a progressively longer delay) after repeated unsuccessful login attempts.
17. Physically secure all laptops and workstations, and enable full-disk encryption on portable devices (many a laptop has gone for a walk, and that’s bad news for your practice).
18. Keep spam filters and antivirus software up to date.
19. Have an adequate and well-documented backup and disaster recovery process, and test restores regularly.
20. Document your file retention process and prevent unauthorized deletion of computer files.
21. Most important of all: get an annual HIPAA risk assessment and follow the recommendations from the assessment.