Of course, backup systems aren’t much good if you don’t know how to use them. Dunn recommends working with your vendor when installing the software. It’s best to schedule this task for a weekend, when you don’t have to worry about patients. Someone at the practice needs to familiarize herself with the installation procedure in case the software ever needs to be reinstalled.
5. Security starts with your staff
In this case, last is definitely not least. Everyone we talked to agreed this fifth step was the single most important one for securing patient information.
“We have a saying here that it is 90 percent sociological and 10 percent technological,” says Chang. “You can have a practice built like Fort Knox in terms of technology and security, but if you’ve got someone who is giving out the keys to everybody, there is no point.”
Of course, no matter which technology your office implements, nothing can replace your employees’ good security practices. Dunn suggests identifying such employees during the interview process by performing background checks. Although most credit card information is encrypted on your practice management system, many employees still have access to vital information such as social security numbers and birth dates. Unscrupulous individuals don’t need much else to open credit accounts in your patients’ names.
Also be sure to limit access to specific parts of patient records. Everyone in your practice needn’t have access to test results, diagnoses, and other sensitive patient information. Most EMR systems have a rights management component that allows you to designate access by individual user account. Talk to your software vendor to find out how you can do this.
But sometimes the worst offenders are employees who never had any intention of doing your practice any harm. Someone who goes on the Internet and inadvertently downloads a virus while checking their private e-mail could incapacitate your network and put your practice out of business for the rest of the day. Both Chang and Dunn recommend establishing a policy for security and Internet usage for all employees. Family Practice Associates of Lexington has a strict policy — and they stick to it.
“There are hardly any exceptions to be made when an employee doesn’t follow our requirements with regards to security, and they expose us to that sort of a potential threat,” says Miller. “It’s a very difficult situation, and we have dismissed employees both for inappropriate use of the Internet as well as for inappropriately accessing medical records.”
Robert Anthony, a former associate editor for Physicians Practice, has written for the healthcare and practice management industries for six years. His work has appeared in Physicians Practice, edge, Humana’s Your Practice, and Publisher’s Weekly. He is based in Baltimore, Md., and can be reached via editor@physicianspractice.com.
This article originally appeared in the April 2008 issue of Physicians Practice.