Privacy Please

Revisiting data security in an evolving tech world.

By Eric Cardin, PT, MS

This year heralds the 20th anniversary of Congress’ passage of the Health Insurance Portability and Accountability Act (HIPAA). Two decades later, the protection of health information and privacy continues to be an important issue among private practitioners. As much as HIPAA has become a household name, a new or established practice can still overlook the steps needed to protect its clients and limit its liability related to handling sensitive data. Over the course of its life, HIPAA has centered around the “privacy rule” and the “security rule.” It is important to check in with these regulations, their clarifications, and subsequent updates (see the Health Information Technology for Economic and Clinical Health [HITECH] Act below) to ensure compliance and increase peace of mind when it comes to data security and privacy.

The “security rule” requires “appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.”1 New private practice physical therapists are tasked with understanding and complying with the rule, while established therapy practices should revisit their plans to ensure compliance. Compliance must be thought of as an ongoing and evolving process. After all, iPhones, iPads, “The Cloud,” smartwatches, and the ubiquitous “selfie” had yet to arrive when HIPAA went into effect. What will technology bring two, three, or ten years from now?

Risk Assessment

First, the private practice physical therapist should conduct a risk assessment. It is important to consider how protected and private information is being handled and to anticipate possible lapses in security. A thorough risk assessment helps identify the ways protected information might be compromised. Basic documentation of the assessment demonstrates a reasonable effort to maintain and secure private health information. The assessment should be followed by an analysis of what is currently being done, and what could be done, to address each risk it identified. This analysis of current security measures against the identified risks is the cornerstone of compliance.

Administrative, Physical, and Technical Safeguards

Administrative safeguards: In general, these are the administrative functions that should be implemented to meet the security standards. These include assignment or delegation of security responsibility to an individual and security training requirements. Clear policies regarding reporting security incidents are a required part of these safeguards. Efforts should be made to train the entire team to understand and enforce the plans. Compliance plans should also address data backup, disaster recovery, and contingency plans.

Physical safeguards: In general, these are the mechanisms required to protect electronic systems, equipment, and the data they hold from threats, environmental hazards, and unauthorized intrusion. They include restricting physical access to protected health information and retaining off-site computer backups. Cloud computing offers cheap and nearly limitless storage and backups, so understanding where and how the information you handle is stored is a key part of selecting an electronic medical records (EMR) vendor. Simple safeguards include configuring each computer or device to “lock” after a period of nonuse. However, compliance and enforcement require staff buy-in and education by the management team.

Technical safeguards: In general, these are primarily the automated processes used to protect data and control access to it. They include authentication controls to verify that the person signing onto a computer is authorized to access that protected information, and encryption of data as it is stored and/or transmitted. Mandatory password changes, protected/private Wi-Fi networks, clear policies regarding “bring-your-own-device,” and education regarding secure home networks are all important parts of technical safeguards.

In 2009, the HITECH Act further defined requirements and strengthened enforcement and penalties for noncompliance. The government strengthened enforcement and penalties related to data security in this Act after a culture of lax compliance had developed nationally regarding the protection of health and private information. The HITECH Act enables the government to impose large monetary penalties on covered entities found to be in “willful neglect.” This can seem like an ambiguous term, but it presents an opportunity for a prepared provider to establish a basic plan for compliance. The Act also defined when patients and the government must be notified of a “breach” of protected information. In summary, essentially any unprotected or compromised information requires that the affected patients be notified, and larger-scale incidents also require that the government be notified.

The interaction of regulation, technology, and security can be a complex web of requirements. Regular review of policies, procedures, and training, together with documentation and efforts to educate employees, is an important part of compliance. Information to assist private practice physical therapists, summarized here, is available across multiple internet resources, including,, and the American Physical Therapy Association (APTA) website.


1. Accessed Nov. 2015.

Eric Cardin, PT, MS, is the executive director of South County Physical Therapy, Inc. He can be reached at

Taking Your Office into the Cloud


Changing from hard drives and servers to web-based services.

By Scott C. Spradling

Administrators wear a variety of hats during the course of any given work day. When you think of the private practice physical therapy clinic, “high tech” does not immediately come to mind. With increasing popularity of cloud-based services, the administrator can create a virtual “smart” office, hang that information technology hat on the wall, and focus on the core business of valued patient care.

Simply put, cloud computing is computing based on a service rather than a product. In the past, people would run applications or programs from software downloaded to a physical computer or server in their building. Cloud computing delivers access to the same kinds of applications through the Internet or other type of network.

The Metrics of Social Media


Taking engagement to the next level.

By Ingrid Anderson, PT, DPT, OCS

Your business is on Facebook and Twitter. You may even have a YouTube channel. You have hundreds or thousands of “likes” and “follows,” and the numbers are growing. You update your blog regularly, and your clients and followers are “talking” about you on social media.

If you are trying to grow business through social media, this is not enough. Marketing is only useful if it generates sales, and if you are using social media as a marketing tool (rather than just for patient and community outreach), then it must lead to increased revenue or it represents time and money wasted.

Rest in Peace, Windows XP


What you need to know about HIPAA compliance and Microsoft.

By Steven Presement

Just when you thought not much more could happen in a year already chock-full of regulatory changes, here comes another bombshell that will take health care totally by surprise. Microsoft has announced that as of April 8th, it will no longer support Windows XP, an operating system that is still in use on one-third of Windows-based computers across the world. This change also means that Microsoft will no longer release security patches for Windows XP, the updates that combat hackers. In fact, Microsoft has said, “PCs running Windows XP after April 8, 2014, should not be considered to be protected.”

Accurate Measure


Range of motion measurement in an easy-to-use application.

By Dan Fleury, PT, DPT

As health care evolves and therapists are challenged to become more efficient, we often turn to technology for help. I have recently learned about the GetMyROM application from Interactive Medical Productions. Released in 2011, the GetMyROM application appealed to me because it addresses one of the most time-consuming aspects of information gathering during the initial evaluation.

Obtaining accurate baseline and follow-up range of motion (ROM) measures can have a variety of implications, but it specifically affects two issues that are vital in our business: payment and utilization management. Decisions over payment often hinge on the ability to accurately measure impairments, and this tool provides a quick and easy method for accomplishing that.

GetMyROM is a digital inclinometer that uses the iPhone screen to display the measurements. The app zeroes the starting angle of a measurement, giving you a true angle of measurement from your starting point—a unique feature. For example, if you are checking knee ROM, and the knee resting position is not exactly 0 degrees, the app adjusts by subtracting the starting ROM from the ending ROM and providing the true range.

The app also stores measurements for later retrieval, tagged by side (left or right), specific joint, and direction of movement measured. There is a handy clock indicator to assist you in positioning the iPhone while taking measurements. The cost of the app is $2.99, far less expensive than a traditional inclinometer priced between $50 and $60. The one drawback: You need an iPhone! Overall, the app is self-explanatory, but help features and online videos assist those who are not so technically inclined.

Dan Fleury, PT, DPT, is an Impact editorial board member and a partner with Pinnacle Rehabilitation Network in Amesbury, Massachusetts. He can be reached at

Copyright © 2018, Private Practice Section of the American Physical Therapy Association. All Rights Reserved.