data security Archives | WebPT


A HIPAA Risk Assessment is a Learning Experience

If you own a small- to medium-sized physical therapy practice, you are most likely preoccupied with daily operations such as paying bills, marketing your practice, and treating patients. You may know about HIPAA at a high-level—and you may also worry from time to time about a data breach. But, compliance and security are complicated; the regulations are written in legalese.


Overcome Your Fear: 4 Strategies for Tackling the HIPAA Risk Assessment

Without a doubt, healthcare practices, big and small, find the HIPAA risk assessment daunting. The HIPAA Security Rule requires all covered entities (providers, health plans, and healthcare clearinghouses) and their business associates (the vendors and contractors that create, receive, maintain, or transmit PHI on a covered entity's behalf) to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all electronic protected health information (ePHI) they hold.


4 Tactics to Reduce Business Associate HIPAA Risk

Here’s a scenario I hope you never have to face: your small physical therapy practice hires a third-party billing company to manage your billing operations. Then, that billing company experiences a massive data breach affecting more than 1,000 of your patients. Under the HIPAA Breach Notification Rule, the billing company must notify you, but it is your practice, as the covered entity, that must notify the affected patients, report the breach to HHS without unreasonable delay because more than 500 individuals are involved, and, if more than 500 residents of a single state are affected, notify prominent media outlets as well.


5 Things Small Practices Need to Know about HIPAA

The Health Insurance Portability and Accountability Act of 1996—a.k.a. HIPAA—does not distinguish between large and small practices. Fortunately, regulators do. While the law imposes the same requirements upon solo practitioners and large rehab hospitals, the manner in which those requirements are applied may depend upon your practice size.


Nine Questions to Ask Your Cloud Vendor

Today’s post comes from WebPT copywriters Charlotte Bohnett and Erica Cohen.


So, you’ve decided to ditch the pen and paper and take your practice into the cloud―maybe through a payroll service, an email marketing tool, or even (hopefully!) an EMR. Now what? As you shop around for a cloud-based vendor to meet your clinic’s needs, be sure to get answers to the following nine questions. 

1.) Is this truly cloud-based? Many companies claim to have a cloud-based component, but they still require you to download and install a desktop application, or to connect through a remote desktop session, that in turn reaches the vendor's servers and stores your information. The bottom line? If you have to download and install anything, you’re not really in the cloud, and keeping that software (and the computers it runs on) patched and up to date is your responsibility rather than the vendor's.

2.) Is your application browser agnostic? Browser agnostic means that no matter which major browser (Safari, Google Chrome, Mozilla Firefox, or Internet Explorer) or which supported version of that browser (IE7 vs. IE9) you use to access the Internet, your cloud-based application will work. The flip side matters too: a vendor should never require you to stay on an outdated browser version to keep its application working, because an unpatched browser is one of the easiest paths an attacker has to the ePHI you view through it.

3.) Where is my data stored? Not all cloud-based vendors are the same, so make sure they are storing your data in a purpose-built, secure data center. Vendors typically describe physical controls such as a defensible perimeter, digital video surveillance, biometric access screening, and 24x7 guard staff; ask which independent audit reports or certifications (a SOC 2 report, for example) back up those claims, and ask whether the data center operator is covered by a business associate agreement, since a facility that hosts ePHI on your vendor's behalf is itself a business associate. Physical security of the building is necessary but not sufficient; the access, encryption, and logging controls in question 5 matter at least as much.

4.) How is my data backed up? Your clinic and patient data is invaluable, so of course you want to make sure that it’s always safe, secure, and frequently backed up. Ask specifically how often backups run, whether copies are kept at a second location, whether the backups themselves are encrypted, and how often the vendor actually tests restoring from them; a backup that has never been restored is an assumption, not a safeguard. Additionally, ask your cloud-based provider what redundancies it has in place to ensure your data is always accessible and protected should a problem occur. (The Security Rule's contingency plan standard requires exactly this kind of data backup and disaster recovery planning, so a vendor handling ePHI should have ready answers.)

5.) What measures do you use to ensure my data is secure? Your cloud-based vendor should encrypt every connection with TLS (still commonly called SSL), the same transport encryption online banking sites use; the original SSL protocol versions are deprecated and should not be accepted at all, so ask which TLS versions the service supports and whether your data is also encrypted at rest on the vendor's servers. Look for a vendor that issues a unique user ID and password to every person who logs in: unique user identification is a required specification of the HIPAA Security Rule, and shared logins make an audit trail meaningless. Multi-factor authentication for staff logins is a strong plus. Two more plusses: a vendor that keeps an audit trail (i.e., user activity tracking, which the Security Rule's audit controls standard also calls for) and that has specialized staff well versed in online security measures at the ready to provide you with expertise.

6.) What does Google say about the company? Conduct a Google search and see what the interwebs turn up. PT message boards and forums, as well as articles, often talk about cloud-based companies both positively and negatively, so read for reputation clues. Search for the company's name alongside "breach" as well: breaches affecting 500 or more individuals are posted publicly on the HHS Office for Civil Rights breach portal. How online sources and the media describe a company can provide you with insight as to how that company treats its vendors, employees, and customers.

7.) What is the company’s focus? Depending on the cloud-based service you’re researching, you may find it valuable to find a vendor that focuses specifically on healthcare. This will ensure the company speaks your language and provides tailored features and benefits.

8.) Does the company keep its customers? No one wants to sign up with a vendor that is constantly losing customers. Thus, when researching, be sure to look for a vendor that keeps its customers happy. A few figures to consider: retention rate, size of the user base, and growth rate. Your best bet is a company that has shown continued customer growth (year over year) while maintaining or improving its retention rate. Asking friends, family, and fellow therapists for recommendations and referrals is always a great route, too.

9.) How do I get my data if I decide to leave? You certainly don’t want to be tied to a vendor you’re unhappy with because your data is stuck, so ask up front. Most cloud-based companies will return your data to you digitally on a pre-loaded storage device (e.g., a CD) or in a way you can download it to a storage device of your choice. Ask for the export in a documented, standard format rather than only the vendor's proprietary one, and ask what happens to the copies the vendor keeps afterward: a business associate agreement must require the vendor to return or destroy your patients' PHI when the relationship ends, wherever that is feasible.
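One concrete way to check the encryption claim in question 5 before you sign, as an added example that is not part of the original post or of WebPT's or any vendor's software: the script below connects to a vendor's HTTPS endpoint with a client that refuses to negotiate anything below TLS 1.2, then grades what was actually negotiated. The thresholds (TLS 1.2 minimum, 128-bit cipher suites, a 30-day certificate expiry warning), the weak-cipher name markers, and the hostname passed on the command line are this example's own assumptions, not requirements quoted from HIPAA.

```python
"""Vet a vendor's TLS endpoint. Example code written for this page; the
grading thresholds below are the example's assumptions, not HIPAA text."""
import socket
import ssl
import sys
import time

MIN_VERSION = ssl.TLSVersion.TLSv1_2            # assumption: refuse TLS 1.0/1.1 and all SSL
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT", "anon")  # assumption
CERT_WARN_SECONDS = 30 * 24 * 3600              # assumption: warn 30 days before expiry


def evaluate(version, cipher, not_after_seconds, now=None):
    """Return a list of findings for one negotiated TLS session.

    version:           string as returned by SSLSocket.version(), e.g. "TLSv1.3"
    cipher:            (name, protocol, bits) tuple as returned by SSLSocket.cipher()
    not_after_seconds: certificate expiry as a Unix timestamp
    An empty list means nothing looked wrong.
    """
    now = time.time() if now is None else now
    findings = []
    # TLS 1.0/1.1 and every SSL version are deprecated; only 1.2 and 1.3 pass.
    if version not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"deprecated protocol negotiated: {version}")
    name, _protocol, bits = cipher
    if bits < 128 or any(marker in name for marker in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher suite: {name} ({bits} bits)")
    remaining = not_after_seconds - now
    if remaining <= 0:
        findings.append("certificate has expired")
    elif remaining < CERT_WARN_SECONDS:
        findings.append(f"certificate expires in {int(remaining // 86400)} days")
    return findings


def probe(host, port=443, timeout=10):
    """Connect with a hardened client context and report what was negotiated.

    create_default_context() verifies the certificate chain and hostname;
    minimum_version makes the handshake fail outright against a server that
    offers only deprecated protocols, which is itself a finding.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_VERSION
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "version": tls.version(),
                "cipher": tls.cipher(),
                "not_after": ssl.cert_time_to_seconds(cert["notAfter"]),
                "subject": cert.get("subject"),
            }


if __name__ == "__main__":
    # Hostname is a placeholder; pass the vendor's real login hostname.
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    try:
        result = probe(target)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        print(f"{target}: handshake failed with a TLS 1.2+ client: {exc}")
        sys.exit(1)
    print(f"{target}: {result['version']} {result['cipher'][0]}")
    for finding in evaluate(result["version"], result["cipher"], result["not_after"]):
        print("  finding:", finding)
```

Run it as `python tls_check.py vendor.example.com`. A handshake failure with this hardened client is itself an answer: the vendor either offers only deprecated protocols or presents a certificate your system does not trust, and either should be raised with them before you sign. The evaluate function is kept separate from the network probe so you can also feed it results captured by other tools.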


Regardless of the cloud-based service you decide to float on, just make sure you get all the answers you’re looking for—and the only way to do that is to ask everything up front. Remember, there are no stupid questions and a good provider will appreciate you doing your due diligence. In fact, your transition to the cloud can be a breeze (get it? a little sky humor).

Hopefully these questions help give you a soaring-off point.


HIPAA Compliance in the PT Clinic

Today’s post comes from WebPT copywriters Charlotte Bohnett and Erica Cohen.

The Health Insurance Portability and Accountability Act (HIPAA) is as dense as it is important. But for any healthcare provider handling protected health information, which you are obligated to safeguard under the HIPAA Privacy Rule, there are a few things you must know.

First, a little background information on HIPAA: Congress enacted the Health Insurance Portability and Accountability Act in 1996. Its Title II (Preventing Health Care Fraud and Abuse; Administrative Simplification) is the part that directed the Department of Health and Human Services to set national standards for protecting patients’ protected health information (PHI); those standards became the HIPAA Privacy Rule and Security Rule.

Under these rules, healthcare providers, health plans, healthcare clearinghouses, and their business associates may use or disclose a patient’s PHI only in the ways the Privacy Rule permits: principally for treatment, payment, and healthcare operations, plus a limited set of other permitted disclosures. Anything beyond that generally requires the patient’s written authorization, and each use or disclosure (other than for treatment) should be limited to the minimum necessary to accomplish its purpose.

PHI is individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits, in any form (paper, electronic, or spoken). In practice that includes demographic information; medical history; test and laboratory results; insurance and billing information; and any other data health professionals collect that can identify an individual patient or that relates to that patient’s care.
