Health Information Management

Tip of the week: Conduct regular physical security checks to ensure the safety of your PHI.

HIM-HIPAA Insider, May 15, 2007

The security rule has led many healthcare providers to upgrade antivirus software, properly set up servers and firewalls, and conduct audits of access to ePHI. However, although taking these security measures is important, don't neglect basic physical security requirements in the process. Physical vulnerabilities can pose just as much of a threat to your organization, or perhaps more.

"[Health information management (HIM)] departments have a good understanding of how important it is to protect their records," says Tom Walsh, CHS, CISSP, president of Tom Walsh Consulting, LLC, in Overland Park, KS. "Very few have weak physical security. But there can be [problems] out on the floors."

Common problems include the following:

  • Failing to promptly shred confidential documents
  • Leaving PHI out in the open
  • Failing to secure laptops, other portable devices, and paper charts when working remotely
  • Failing to scrutinize visitors closely enough

Conduct regular physical security checks

Include physical security in your organization's regular risk assessments so you can devise a plan to address these vulnerabilities. Also conduct regular walk-throughs in which you assess the physical security of all departments, Walsh recommends. The checks should include everything from making sure medical charts are not visible on desks to ensuring that computer passwords aren't in public view. (See the sample checklist on p. 8 for more information.)

Try to do walk-throughs during day and night shifts to make sure that everyone is following the rules; the smaller night staffs often do things differently, Walsh says. "Sometimes, the night shift tends to bend the rules."

It's also a good idea to perform a walk-through before conducting awareness training in a particular department so you can tailor your training to present problems, Walsh says. Then do another walk-through to confirm your training's effectiveness. You might also want to create a rewards program to motivate staff members to take physical security issues seriously, he suggests.

One common physical security problem is that staff members collect confidential information under their desks because they don't think to shred it frequently. Or worse, they might simply put confidential information in the regular trash where anyone could find it. Sometimes it can pile up for a week or more in an unsecured bin that anyone can access, Walsh says.

Tom Walsh, CHS, CISSP, president of Tom Walsh Consulting, LLC, in Overland Park, KS, provided this tip in the May 2007 issue of Briefings on HIPAA. To read more tips, visit
