Recommendations:
- Staff should be educated, at a minimum annually, regarding HIPAA and patient confidentiality. This should be documented and maintained in their personnel files.
- Confidentiality agreements should be signed by all staff members.
- Staff conversations regarding patient care should not be audible to patients and visitors in the waiting area.
- The staff should be advised to never discuss patients outside the office, including the use of social media.
- Assess the flow of patients through the office to determine how best to maintain the privacy of PHI.
- Computer screens should not be visible to patients or visitors.
- Computers in exam rooms should not be left on or active when staff or providers are not present.
- Any electronic device that is used for the transmission of PHI must be encrypted and have regular software updates installed.
- The practice can leave messages on patient answering machines (e.g., regarding appointments) only if this practice is described in its Notice of Privacy Practices. Patients must be offered the option of opting out.
- Business Associate Agreements must be obtained and maintained for all vendors who have access to PHI.