Question: A new front-desk staff member insists that our office is violating the Health Information Portability and Accountability Act (HIPAA) by maintaining our patients’ medical records outside of the exam office. Is this true? California Subscriber Answer: No. The Office for Civil Rights (OCR) says that covered entities must enact reasonable safeguards to prevent the incidental disclosure of individuals’ private information. However, covered entities are not prevented “from engaging in common and important health care practices; nor does [the HIPAA Privacy Act] specify the specific measures that must be applied to protect an individual’s privacy while engaging in these practices,” OCR says. OCR suggests the following safeguards: limit access to areas with patient records, make sure the area where patient information is being maintained is supervised, escort nonemployees if they need to be in the area, put patient charts in holders with any identifying information covered or facing a wall.