Security is a top priority for medical offices. Protection of medical records and
patient data should be a full-time job. Protection of privacy and physical protection
of records and data is a daily task for all practice managers.

Data loss can occur in many different ways, and it is important to understand all of
the potential risks that your medical practice faces every day. Information, whether
it is written, verbal, or electronic, can be intercepted, overheard, read, lost,
and stolen at any time during a single day. As a practice manager, you must take
reasonable steps to protect your patient information against loss. Physical, operational,
and electronic policies to protect information are your number one priority.

Physical security of patient data can take many forms, such as locking patient records
in a secure cabinet when they are not in use or creating a red zone in the office
where records can be kept out of view of the public, contractors, and those
who do not have the need to know. As a practice manager, think of ways to test
your physical security system. Find out how easy it is for you to see
a patient record from the lobby window. See if you can read the name or other
information on the record, then look around and see what else is physically unsecured
in your office. Then create simple and reasonable policies that will keep the
data invisible to those who don't have the need to know.

Operational security policies can cover what you say on the phone, who you are talking
to about a patient, and what you say about a patient. Other operational policies
can cover background checks for new employees, security guidelines for new employees,
and post-employment guidelines for discharged employees. Policies that govern
faxing, copying, and removal of a patient's records from the facility are other
types of nice-to-have policies. Once a document has been faxed, it is no longer
in your control. It is lost. The reality is that if the faxed copy ends up on the front
page of the local newspaper, it came from you. You lost control of the information.

Data network security has been around since the beginning of the information technology
industry. Physical and operational methods of protecting mission-critical data
have been a necessary requirement for all businesses and corporations around
the globe. Significant risks are a reality in today's high-tech world. There are
unscrupulous people who spend their time attempting to gain access to your data
network. Patients' names, addresses, social security numbers, prescriptions, pharmacies,
and schedules are stored somewhere on your network. If your data network is not secure,
this information can be retrieved from outside your office and from inside your
office. Computer user IDs and passwords provide some protection from unauthorized
people gaining access to data from the inside. Firewalls provide protection from
hackers gaining access from the outside through Internet or modem connections.
Correct configuration of your data network is crucial in order to protect you
from silent intruders and loss of electronic information. Without reasonable network
security, your patients are vulnerable to identity theft, loss of their personal
information, and any other form of privacy invasion you can think of.

Practice managers who have written physical, operational, and electronic security
policies in place have made the effort, and their intent is to control and protect
patient information.

©Written
by John H. Paz, former Security Manager (Top Secret Level Security Clearance),
2130 Communications Group, US Air Force.