Each practitioner must maintain a Notice of Privacy Practice in order to maintain HIPAA compliance.

Employees must protect computer-processed patient information and provider care information, using the same diligence as he/she would with the original health record. Examples of safeguards include: identification of authorized users; use of security codes; and location of computer facility in a limited-access area.

The office must maintain back-up files for all current information system data off-site or in a separate secure geographic location.

As applicable, the office must obtain written agreements from the computer vendors involved with patient or practitioner health care data that mandate the security of computerized data classified as confidential, and specify the methods by which employees are to handle and transport such information.

Medical records must be stored away from patient care areas, in a place where persons other than staff cannot view them.

Employees must maintain confidentiality at all points: during collection of the information, when and where it is stored (and in a location with limited access and disclosure), and during the eventual disposal of the information.

Employees must receive periodic training on member information confidentiality policies and procedures.