HIPAA Security Rule: Move It to Top of Mind

Privacy and data-security pilot audits conducted in 2013 for the U.S. Department of Health and Human Services Office for Civil Rights (OCR) revealed that practices are struggling to comply with electronic data security requirements.

Nearly all of the providers audited (a category that encompassed practices and pharmacies) had at least one HIPAA security “finding” or “observation” of noncompliance, OCR Senior Adviser Linda Sanches reported in a presentation (PDF). Most had not completed an accurate risk assessment.

For every finding and observation cited in the audit reports, the auditor identified a “cause.” The most common cause for both security and privacy problems is “entity unaware of the requirement,” Ms. Sanches’ presentation said.

This suggests a good place to start your HIPAA security compliance is with a careful reading of the HIPAA Security Rule and training, such as TMA’s webinar, HIPAA Compliance: Risk Assessments and Analysis.

Your first step is to do — and document — a risk assessment for your practice. Then you can create the policies and procedures that keep the electronic protected health information (ePHI) in your practice secure.

Many safeguards are simply common sense. For example, keep in mind these do’s and don’ts:

  • Do have a policy for handling keys, magnetic access cards, or keypad security codes when a staff member leaves the practice.
  • Do use anti-virus software on your computers, and keep it current.
  • Do require password-protected screensavers, and require passwords of more than 10 characters that combine letters, numbers, and special characters.
  • Do require staff to change passwords on a regular basis.
  • Do have a procedure to handle mobile devices that are lost or stolen.
  • Do back up your PHI and store the backups off site where they are safe from natural and environmental hazards.

  • Don’t let computer screens with ePHI on them face patient waiting areas.
  • Don’t invite pharmacy sales reps to wait in areas where they might have access to something they don’t need.
  • Don’t dump computers in a trash bin or send them to your favorite charity without properly removing or destroying the storage on the device.
  • Don’t leave EHR systems running in patient exam rooms where a patient could look at another patient’s records.
  • Don’t send text or email messages with ePHI unless you know they are secure.
  • Don’t let your children use your personal electronic devices to watch movies, play games, or listen to music if you access or share ePHI on those devices.

HIPAA Compliance: Risk Assessments and Analysis is available on demand through the TMA Education Center.

Revised July 28, 2014

Last Updated On May 30, 2019