Put physical and virtual access on lockdown. Maybe you've avoided HIPAA enforcement action for your lab, but that doesn't mean you should put your head in the sand. Instead, we have some news from recent HHS Office for Civil Rights (OCR) actions against Fresenius Medical Care North America (FMCNA) that could help you learn from others' mistakes. Target the following action items for your lab and stay on the right side of the HIPAA law. Confirm Physical Safeguards are Rock Solid The HIPAA Security Rule requires you to aggressively protect your practice locations from "unauthorized access, tampering, and theft," according to the OCR. That means you need to ensure your practice has tight controls over not only electronics like workstations, laptops, mobile devices, and medical equipment to avoid illegal access, but also security for the facilities themselves that stop intruders from damaging and stealing equipment. Ask yourself these questions about the physical safety of your office and equipment: Insight: "The high impact cases OCR moves forward with are intended to send a message to the industry," explains attorney Kathleen D. Kenney of Polsinelli LLP in Chicago, Illinois. "With that in mind, I advise our clients to use these cases as learning opportunities. "Ask 'could this happen to my organization?'" Kenney stresses. "And, if the answer is 'yes,' use it as an opportunity to voluntarily take corrective measures." Outline Access, Movement, and Removal of Practice HIT One of FMCNA's sites lacked the proper HIPAA protocols to fully protect its "hardware and electronic media that contain ePHI" from moving in, out, and around the facility, the OCR release mentioned. Consider these questions related to the "Administrative Safeguards" section of the HIPAA Security rule that specifically reference the movement and control of health IT: Insight: "As devices get smaller and more portable, the potential for lost or stolen or misplaced data increases - and so does the risk for a breach," warns Peter Arbuthnot, regulatory analyst with American HealthTech in Jacksonville, Mississippi. That's why it's essential to clearly state who's in charge of the maintenance, care, and updates of practice technology. Encrypt ePHI and Maintain Device Control More and more large-scale breaches fall prey to device management issues that lead to the loss of electronic protected health information (ePHI). The FMCNA case involved failure to implement encryption strategies. When you encrypt and decrypt ePHI, set strong password protection on your mobile devices, and implement at-rest and remote access rules, you are protecting your patients » and your livelihood. Check these three questions and see if you risk the exposure of ePHI: Insight: "If you do have a breach in your networks, or if a device containing PHI is stolen, proper encryption can be a lifesaver," points out Brand Barney, HCISPP, CISSP, QSA, security analyst with Security Metrics in Orem, Utah. "If your data is properly encrypted using industry-accepted encryption strengths, you don't have a breach. And it's also a requirement for HIPAA." Resource: For a closer look at the HIPAA Security rule, visit www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html.