Each practitioner must maintain a Notice of Privacy Practices in order
to maintain HIPAA compliance.
Employees must protect computer-processed patient information and
provider care information, using the same diligence as they would with
the original health record. Examples of safeguards include: identification
of authorized users; use of security codes; and location of the computer
facility in a limited-access area.
The office must maintain back-up files for all current information
system data off-site or in a separate secure geographic location.
As applicable, the office must obtain written agreements from the
computer vendors involved with patient or practitioner health care data
that mandate the security of computerized data classified as confidential,
and specify the methods by which employees are to handle and transport such
information.
Medical records must be stored away from patient care areas, in a place
where persons other than staff cannot view them.
Employees must maintain confidentiality at all points: during
collection of the information, when and where it is stored (in a
location with limited access and disclosure), and during the eventual
disposal of the information.