About 10 percent of the privacy violations tracked by consumer advocacy organization privacyrights.org in 2005 occurred in healthcare organizations. That figure jumped to 16 percent in 2006, and should be up another 5 percent to 6 percent this year if trends continue, says M. Peter Adler, of Alexandria, Va.-based InfoCounsel, a consulting firm focused on the intersection of legal and technology issues.
Clearly, security is a significant and growing issue in healthcare. Trouble is, it’s hard to recognize possible breaches in your own office. You’re just doing business the best you can. When there is a hitch, it’s a surprise.
Preemptively shoring up your practice’s security protocols can seem daunting, especially considering the industry’s obsession with EMRs and all things electronic. It’s easy to focus on IT and forget about basic, mundane physical security, says physician Jeffrey Hertzberg, president of Medformatics, a Minneapolis-based consulting firm specializing in the design, implementation, and selection of healthcare information systems. But some of the more common — and easily addressed — security cracks in medical offices are in fact comparatively low-tech. At the very least, attend to these.
Get physical
Indeed, everyone worries about the security of EMRs, application service providers, and data on handheld devices. Meanwhile, the chart room door hangs open and unlocked, consulting reports arrive at front-desk fax machines, staffers strew charts all over workstations, and physicians routinely take charts home, leaving them in their unlocked cars when they stop to buy milk.
Take some time to review these basics:
- Where are faxes printing out, and who can see them?
- Who has access to paper charts? Who can get into the records room or see charts currently in use?
- Is the record room locked when it’s not being used?
- Do paper charts travel outside the office? What keeps them safe?
- What happens to paper with patient information on it? Does it get thrown into the trash or is it shredded?
- Do you replace the locks or change the alarm pass code when staff turns over?
- Do you have written standards for staff to follow regarding patient privacy, and can you prove you’ve provided training on these standards?
It’s not just HIPAA
Certainly you do need to worry about complying with patient privacy regulations, although some practices remain unclear about just how to comply.
“I just talked to an office the other day where they were sending ordinary e-mail to patients and they didn’t realize it was a problem,” Hertzberg says. Everyone loved it, but any criminal interested enough to sort through voluminous Internet service provider records and piece together messages could see that a particular patient had a specific condition — a clear violation of HIPAA security regulations. Hertzberg advised the practice to switch to an encrypted e-mail model.
However, while HIPAA sets the standard for most security and privacy issues in physician practices, that’s not all you need to worry about. Thirty-nine states have “notice of security breach” laws that require practices (and other businesses, as well) to let individuals know if their names, Social Security numbers, credit card information, and other similar data may have been accessed improperly.