Information Security and Vendors

HIPAA Privacy Law and Information Security

The sad truth is that the world is full of criminals, and you have something they want: information and materials. You may have every technical safeguard in place to protect yourself from computer hackers and break-ins; however, what are you doing about the stream of people who walk into your office for business purposes? One of the easiest ways for a criminal to get your information or materials is a con game, and the best defense against con artists is an informed and vigilant gatekeeper. In your practice that is usually your front desk personnel. How informed is your front desk about the need for Business Associate Agreements (BAAs), who your current vendors are, and what those vendors are authorized to do for you? Do you control what your Business Associates and other outsiders can access in your practice?

Here are four true stories that happened to some of our clients. Would you have been protected?

  1. The building manager/landlord walked in using their own key and took a workman into the medical records room, which contained unlocked computers and files laid out on the desks.
  2. An individual approached the front desk offering a free pickup and disposal of old x-rays because they were in the area. This person turned out to be a criminal who was stealing the x-rays for the silver content.
  3. An individual came in and picked up the trash scheduled for shredding but was not from the contracted shredding company. The substitution was not discovered until the real pickup days later.
  4. Files were left out overnight. A cleaner recognized a friend’s name and read the file.
Although only two of these incidents (2 and 4) resulted in a breach, the other two were saved from becoming breaches by sheer good luck. (In the case of incident 3, the practice was eventually able to establish that the trash had been picked up in error by its contracted recycling company, and that it was subsequently handled in a HIPAA-compliant manner. The personnel of this practice spent several anxious days of research and sleepless nights first, because that trash contained a wealth of information usable for identity theft and constituting a medical breach.)

You can’t leave your patients’ right to privacy, or your practice’s reputation and finances, to luck. Some basic precautions would have removed the risk of a breach in all four of these situations.

  • Always escort anyone who does not work in your practice when they enter areas where protected health information is accessible. This includes building management and landlords: ownership of the property does not give free access to the space you are renting.
  • Make sure everyone who comes in signs in, and check ID if you do not know them.
  • Never leave files out or computers unlocked when you are not there. If necessary, lock your records room and clean that room yourself.
  • Make sure your gatekeepers know who your Business Associates are and what each is authorized to do. They need to understand why anyone they hand protected information to must be thoroughly vetted and must have a contract in place, a Business Associate Agreement, that specifies exactly what they may do with that information.