9 Questions That Address Your “HIPAA Health”

Because the practice owner can bear civil and, in some cases, criminal liability for HIPAA violations, it is worth revisiting this topic periodically.

Written, enforced HIPAA policies serve two purposes: they are an important defense if a breach ever occurs, and putting them into practice greatly lowers the chance of a breach happening in the first place.

The following nine questions, when properly addressed, form the foundation of your HIPAA health.


  1. Do you have an internet-conduct policy that applies to every employee in your practice?
  • Do employees understand which e-mail attachments they are and are not allowed to open?
  • Do employees understand what they are and are not allowed to download?
  • Do employees understand that their EMR password must be unique, different from every other password they use?
  2. Does every computer in the practice run up-to-date antivirus software that scans automatically on a regular schedule?
  • Do employees know what to do when a threat is detected (who to notify, and not to keep using the machine) rather than simply clicking "Remove threat"?
  3. Do the answers to questions 1 and 2 also hold for any employee's home computer that may be used to access your PHI?
  4. Are those home computers protected from use by family members or friends who have not been trained in your HIPAA policy (separate, password-protected accounts, screen lock)?
  5. Have you ensured that employees who have left your practice can no longer access your PHI? Have all of their logins, including EMR, e-mail, scheduling, and billing accounts, been deactivated promptly?
  6. Are you protected from the risks of a web-based PT EMR?
  • At least one leading web-based PT EMR advertises that any employee can access your PHI from any internet-connected device, anywhere, at any time.
  • If you cannot control which computers can reach your PHI, the practice owner is exposed to a significantly greater risk of a HIPAA breach.
  • Do your employees understand which computers they are (and are not) permitted to use when accessing your PHI?
  7. Has each employee signed an agreement acknowledging receipt and understanding of, and compliance with, your HIPAA and technology policies?
  • Has every new employee been trained on these topics before being given access to PHI?
  8. Do employees understand which parties are authorized to receive PHI, and what steps to take when a party who is not authorized requests patient information?

  9. Do you have a signed BAA (Business Associate Agreement) with every vendor, contractor, and software supplier that can access your patient data (scheduling, EMR, HEP, marketing, billing)?