The Dos
1. Do Keep Patient Data in an EMR
One of the most critical aspects of HIPAA compliance is ensuring that patient data remains secure and is stored in appropriate locations. Electronic Medical Record (EMR) systems are designed with this in mind. Websites should not act as repositories for protected health information (PHI). Patient data such as medical records, diagnoses, or test results should be securely stored within your EMR, not on your website. If you are using HIPAA-compliant email (and we advise you do), ensure you have all proper consents and you follow best practices when sending data. For productivity tools, we advise they be kept in a HIPAA-compliant environment, whether that is a local server or a productivity provider like Microsoft’s Office 365 suite.
2. Do Follow Best Practices for Office Networks
Even the best-designed website won’t protect PHI if your office’s internal network is compromised. It’s essential to implement strong network security measures such as:
- Firewalls: Install high-quality firewalls to block unauthorized access.
- Encryption: Encrypt all data transmissions, especially those involving PHI.
- Regular Audits: Schedule routine audits to identify vulnerabilities in your system.
- Network Segmentation: Separate public-facing systems (like websites) from internal office systems to minimize risk.
By securing your internal office network, you prevent bad actors from accessing sensitive patient information.
3. Do Hire a Professional for Thorough HIPAA Audits
When it comes to comprehensive compliance, it’s always a smart move to involve professionals. One recommended expert is Brian Tuttle from HIPAA Consulting. Brian specializes in HIPAA evaluations and can provide a detailed analysis of your practice’s technical infrastructure. His services include risk assessments, gap analysis, and recommendations for bringing your systems up to compliance standards. Hiring someone like Brian Tuttle is an investment in peace of mind and can prevent costly mistakes down the road.
4. Do Implement Secure Communication Channels
All patient communications, especially those through your website, should be encrypted. This includes any patient portal logins, appointment bookings, or contact forms. Deploy a TLS certificate (HTTPS) on your website and redirect all plain HTTP requests to HTTPS, so that any data passing through it is encrypted in transit and protected from eavesdropping. Keep in mind that TLS protects data only while it travels between the browser and your server; it does nothing for data once it has been stored or emailed onward, which is another reason patient data belongs in your EMR rather than on the website.
5. Do Regularly Train Your Staff
Technical safeguards are only as effective as the people using them. Regular training on HIPAA compliance for all employees, especially those who manage or interact with your website and office network, is vital. Ensure that everyone understands the importance of data security and how to avoid common pitfalls like phishing scams and weak passwords.
The Don’ts
1. Don’t Store Patient Data on Your Website
Your website should never serve as a database for storing PHI. It may be tempting to store appointment notes, patient forms, or consultation details within your website’s backend for easy access. However, this is a huge violation of HIPAA regulations. All patient data must be kept securely within your EMR or other HIPAA-compliant systems, never directly on the website.
2. Don’t Use Unencrypted Forms for Patient Communication
Forms on your website, such as contact or appointment request forms, may seem like convenient tools, but they can easily be exploited if not encrypted. Avoid collecting any sensitive patient data through unencrypted forms. All forms that involve patient data collection must be served and submitted over HTTPS and should ideally link directly to your EMR or a HIPAA-compliant secure messaging system. Check what happens after submission as well: a form that arrives over HTTPS but is then emailed to staff in plain text or saved in the website’s database has lost its protection at that point.
3. Don’t Ignore Your Office Network Security
Even the most secure website won’t protect your practice if your office network is vulnerable. Don’t overlook critical security measures such as:
- Outdated software or hardware
- Weak password policies
- Public Wi-Fi networks
These are potential entry points for hackers looking to steal patient data. Regular updates and security patches are a must for maintaining a secure network.
4. Don’t Forget to Log and Monitor Access
Another common oversight is failing to log who accesses patient data and when. Whether it’s website activity, EMR access, or network logs, you should have detailed records of all access points. These logs not only help in case of a breach but are also a requirement under HIPAA for compliance audits.
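As an added illustration of the logging point above (example code, not from the original article or any EMR product), the following Python keeps a tamper-evident record of who accessed which patient record and when, answers the audit question for one patient, and flags access that came via the website or outside business hours. The events, user names, patient IDs and business hours are constructed assumptions for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample events (not real data): who touched which record, when, and from where.
SAMPLE_EVENTS = [
    {"user": "dr.smith", "patient_id": "P-1001", "action": "view", "source": "emr", "at": "2024-05-01T09:15:00+00:00"},
    {"user": "frontdesk1", "patient_id": "P-1001", "action": "update", "source": "emr", "at": "2024-05-01T09:40:00+00:00"},
    {"user": "webadmin", "patient_id": "P-2002", "action": "view", "source": "website", "at": "2024-05-01T23:05:00+00:00"},
]

def _digest(prev_hash, event):
    return hashlib.sha256((prev_hash + json.dumps(event, sort_keys=True)).encode()).hexdigest()

def append_entry(log, event):
    """Append an event, chaining it to the previous hash; editing or deleting
    an earlier entry then breaks every hash that follows it."""
    prev = log[-1]["hash"] if log else "0" * 64
    log.append({"prev": prev, "event": dict(event), "hash": _digest(prev, event)})

def verify_chain(log):
    """Return the index of the first tampered entry, or -1 if the chain is intact."""
    prev = "0" * 64
    for i, entry in enumerate(log):
        if entry["prev"] != prev or _digest(prev, entry["event"]) != entry["hash"]:
            return i
        prev = entry["hash"]
    return -1

def accesses_for_patient(log, patient_id):
    """The audit question: who accessed this record, when, and what did they do."""
    return [(e["event"]["user"], e["event"]["at"], e["event"]["action"])
            for e in log if e["event"]["patient_id"] == patient_id]

def flag_suspicious(log, business_hours=(7, 19)):
    """Flag access that came via the website (which should hold no PHI at all)
    or that happened outside business hours (UTC here, an assumption for the sample)."""
    flagged = []
    for e in log:
        ev = e["event"]
        hour = datetime.fromisoformat(ev["at"]).astimezone(timezone.utc).hour
        reasons = []
        if ev["source"] == "website":
            reasons.append("PHI accessed via website")
        if not business_hours[0] <= hour < business_hours[1]:
            reasons.append("outside business hours")
        if reasons:
            flagged.append((ev["user"], ev["patient_id"], reasons))
    return flagged
```

A real deployment would write the chained entries to append-only storage that the web server account cannot modify, and review the flagged entries as part of the routine audits described above.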
5. Don’t Attempt DIY Compliance
HIPAA compliance is too critical to tackle without professional guidance. Trying to cut corners or “wing it” when it comes to protecting patient data can result in severe penalties, both financially and legally. As mentioned earlier, hiring professionals like Brian Tuttle to evaluate your practice’s overall compliance structure is essential. They can help identify weaknesses you may not have even considered, ensuring that your practice remains compliant and secure.