Woman assaulted at private practice: How can physicians safeguard their patients and data?
Key Takeaways
At a doctor's office, security covers both physical and digital measures for keeping patients and their medical information safe.
Lawyers say some security measures are essential at all practices, whereas others may be up for debate.
A man was arrested earlier this month after a patient claimed that he sexually assaulted her in an exam room at a chiropractor's office. Surveillance footage showed him walking quickly through the hallways of the practice before the assault took place. The unsettling incident raises concerns about the security of private practices and questions about what is needed to keep an office safe.
Jonathan Rosenfeld, the founder of and managing attorney at Rosenfeld Injury Lawyers, says many security protocols exist to help doctors keep their practice secure and their patients safe. Some of these systems are nonnegotiable, while others could be more useful in some offices than others.
“While certain security measures are non-negotiable due to legal requirements and patient safety concerns, others may vary based on factors such as the practice's risk tolerance, budget, and technological capabilities,” Rosenfeld says. “Regular risk assessments and staying informed about emerging security threats are essential for adapting security protocols in private medical practices.”
Even in the most secure environments, unplanned disasters can occur. Still, securing your practice and implementing safety protocols can reduce the risk of unwanted intruders getting into your hallways or your systems, and give you a plan for how to respond should it happen.
Essential security tools for your practice
Rosenfeld says that non-negotiable systems can include those that are needed for compliance with the Health Insurance Portability and Accountability Act (HIPAA), like any safeguards that maintain patient confidentiality, secure the handling of medical records, and protect electronic health information. Other essentials, some of which can also help you comply with HIPAA, include:
Access control tools
Data encryption tools
Secure communication channels
Regular training and education for yourself and your staff
Secure payment processing
Physical security measures on premises
Access control tools
Access control tools govern who can reach patient records. These tools "involve limiting access only to authorized personnel through measures such as unique logins, passwords, and physical locks," Rosenfeld says.
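What "limiting access only to authorized personnel" looks like in software is a deny-by-default check on every record access, tied to a unique login rather than a shared account, with each decision written to an audit trail. The following is an added example, not code from the article or from any product it mentions; the record IDs, usernames, roles and permission sets are constructed for illustration. It goes slightly beyond the quote by also requiring a treating relationship for clinical reads and writes, which is how practices apply the minimum-necessary idea in practice.

```python
"""Deny-by-default access control for patient records (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample data: which staff logins treat which patient (hypothetical).
RECORDS = {
    "P-1001": {"patient": "Ana Ruiz", "treating_staff": {"dr.lee"}},
    "P-1002": {"patient": "Bo Chen", "treating_staff": {"dr.patel"}},
}

# Each role lists the actions it may perform; anything not listed is denied.
ROLE_PERMISSIONS = {
    "physician": {"read", "write"},
    "front_desk": {"read_demographics"},
    "billing": {"read_billing"},
}

# Actions that touch clinical content also require a treating relationship.
CLINICAL_ACTIONS = {"read", "write"}


@dataclass(frozen=True)
class User:
    username: str  # unique login; never a shared "frontdesk" account
    role: str


# Every decision, allowed or denied, is appended here for review.
AUDIT_LOG: list[dict] = []


def authorize(user: User, record_id: str, action: str) -> bool:
    """Return True only if every check passes; log the decision either way."""
    allowed = False
    reason = "denied by default"
    record = RECORDS.get(record_id)

    if record is None:
        reason = "unknown record"
    elif action not in ROLE_PERMISSIONS.get(user.role, set()):
        reason = f"role {user.role!r} may not {action!r}"
    elif action in CLINICAL_ACTIONS and user.username not in record["treating_staff"]:
        reason = "no treating relationship with this patient"
    else:
        allowed = True
        reason = "ok"

    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user.username,
        "record": record_id,
        "action": action,
        "allowed": allowed,
        "reason": reason,
    })
    return allowed


def denied_attempts() -> list[dict]:
    """Entries a compliance officer would review first."""
    return [e for e in AUDIT_LOG if not e["allowed"]]


if __name__ == "__main__":
    lee = User("dr.lee", "physician")
    desk = User("sam.desk", "front_desk")
    print(authorize(lee, "P-1001", "read"))     # treating physician: allowed
    print(authorize(lee, "P-1002", "read"))     # not treating this patient: denied
    print(authorize(desk, "P-1001", "read"))    # role cannot read clinical notes
    print(authorize(desk, "P-1001", "read_demographics"))
    for entry in denied_attempts():
        print(entry["user"], entry["record"], entry["reason"])
```

The point of logging denials as well as grants is that a string of "no treating relationship" denials from one login is exactly the signal that flags snooping on records, which is a common insider problem in small practices.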
Data encryption tools
Encrypting data can be essential for preventing unauthorized access, particularly in cases of data breaches, Rosenfeld says.
Secure communication channels
Beyond encrypting stored data, providers can use encrypted email and messaging platforms. Tools for securing communication channels "should be used when discussing patient information," Rosenfeld says.
Regular training and education for yourself and your staff
Training and education can pertain to how to use security systems and recognize a threat. “Continuous training and education of staff on security protocols, including phishing awareness and handling of sensitive information, are crucial,” Rosenfeld says.
Secure payment processing
Complying with the Payment Card Industry Data Security Standard (PCI DSS) is an important method of safeguarding patient payment information, Rosenfeld says.
Physical security measures
Physical security measures can include:
Surveillance cameras
Alarm systems
Restricted access areas within your practice’s premises
Potential security tools for your practice
Some providers may want to implement extra security tools beyond just the essentials in order to keep themselves and their patients safe. When it comes to additional safeguards, Rosenfeld says that providers may want to consider some of the following:
Telemedicine security
Bring Your Own Device (BYOD) policies
Third-party vendor security
Remote access policies
Incident Response Plan
Telemedicine security
Additional virtual security measures may be necessary if you are conducting a lot of appointments through telemedicine. Exactly what systems are best may vary from platform to platform.
Bring Your Own Device (BYOD) policies
Bring your own device, or BYOD, policies govern whether and how staff may use personal electronics, such as cell phones or laptops, for work, for example to read work email or reach the practice's systems. These policies might be helpful for offices that have experienced data breaches and are particularly concerned about cybersecurity. They can also set clear guidelines for staff about what they should or should not bring to work. However, these policies are not necessary everywhere.
Third-party vendor security
Third-party vendor security matters if you rely on an outside vendor for things like billing services or hosting your electronic health records; under HIPAA such vendors are business associates and must sign a business associate agreement. For some practices, however, going further than that may be a question of access and affordability, Rosenfeld says.
Remote access policies
With the growing prevalence of remote work, and the need to access patient records outside of the office, Rosenfeld says that "defining remote access policies may be subject to debate based on convenience versus security trade-offs." These policies can include requirements to use virtual private networks (VPNs) and multi-factor authentication (MFA), he says.
The details of your Incident Response Plan
Rosenfeld says, "Having an Incident Response Plan in place is essential."
He notes that these can involve details such as:
Chain of command
Communication protocols
Steps for mitigating breaches
What this means for you
From surveillance cameras to encrypting patient records, there are many ways to implement security in your practice in order to keep your patients safe. Make sure that your practice's security systems are in line with HIPAA requirements.