How is your clinic’s HIPAA Health?

Because the practice owner bears civil and criminal liability for HIPAA breaches, periodically revisiting this topic is a good idea. Your HIPAA policies will constitute an important defense if there ever is a breach, and instituting them will also greatly lower the risk of a breach occurring in the first place.

1. Do you have a policy for internet conduct for all employees in your practice?

  • Do employees understand which attachments they are and are not allowed to click?
  • Are employees trained on how to identify malicious or phishing emails?
  • Are employee passwords unique, secure, and compliant with current password recommendations?

2. Are all practice computers fitted with up-to-date antivirus software that automatically scans regularly?

  • Do employees know what to do if a threat is detected, rather than simply clicking “remove the threat”?

3. Have you verified compliance with questions 1 and 2 for any employee’s home computers that may access your PHI? Are their family members using these home computers or devices?

  • If therapists are completing notes at home, you must ensure they are protecting PHI data with secure internet connections and secure devices and by restricting access to the device.

4. Have you ensured that any employees who have left your practice can no longer access your PHI? Are all of their logins properly deactivated?

  • Your clinic should have a strictly followed protocol that goes into effect when an employee is terminated or leaves the job. This protocol should not be delayed, and access restrictions should be tested.

5. If using a web-based EMR, are you protected from the typical web-based PT EMR vulnerabilities?

  • A leading web-based PT EMR advertises that any employee can access your PHI from any internet-connected device, anywhere, any time.

    The inability to control which computers have access to your PHI puts the practice owner at significant risk of a HIPAA breach.

    Do your employees understand which computers they are (and are not) permitted to use while accessing your PHI?

6. Has each employee signed an agreement acknowledging receipt, understanding of, and compliance with your HIPAA and technology policies?

  • Are new employees trained on these topics?

7. Do employees understand which parties are authorized to receive PHI and what steps to take when a non-authorized party requests patient information?

  • Do you have a signed BAA (Business Associate Agreement) with all vendors, users, and software suppliers who can access your patient data (scheduling, EMR, HEP, marketing, billing)?

Let’s talk about how S4PT can help your clinic get more!

Interested in a free demo of our products or business consultation tailored to your physical therapy clinic? Complete the form or call the number below today!

(814) 624–0084