HIPAA: Double Lock Rule

Making sure your client files are secure is never something to be taken lightly. No matter how small or large your practice may be, making sure they are protected also protects you. But, with technology, “file” has taken on a whole new level of complexity. So, how do we protect our client confidential information? One way is through the Double Lock Rule.

Double Lock Rule (DLR): all information should be accessible only after passing through two locks.

Paper Files

When it comes to paper files, the DLR applies to physical locks. Files you keep in your office should be kept in a locked cabinet behind a locked door. One thing people don’t always consider is transporting these files. I often take files home to work on. There just aren’t enough hours in the day! When placing files in your car, the DLR still applies. The files should be placed in a locked file box, then locked into the trunk of your car. [See the bottom of this post for an example of how I made this happen for < $20 ]

Digital Files

Many of us are working to go “digital” now. This means keeping your notes, client files, data and more on your laptop or tablet device. But the DLR still applies! All devices (laptops, iPads, etc.) should be password protected. If you password protect the files as well, it increases the security of that information further. The devices should also be kept physically secured, in a trunk or in a locked office, for example. Many clinicians aren’t always using only one device for files. To make this more manageable, many therapists use either USB drives or cloud drives. USB drives follow the same DLR as paper files and devices: lock the files on the USB drive, then lock the drive into your office or into a locked file box in your trunk. Cloud drives, on the other hand…

Many cloud drives do not follow HIPAA guidelines, no matter how you secure the information. Some popular cloud drive services are Google Drive and Dropbox. However, neither of these services is actually HIPAA safe. Google Drive doesn’t qualify because their level of security is not up to par. And quite frankly, they make me quite nervous with frequent changes to their privacy policies and Terms of Service. They claim “what’s yours is yours”, but that doesn’t mean they cannot see the information. Dropbox also is not HIPAA safe, mainly because they have access to your file metadata. What does that mean? One example is that they can see the titles of all of your documents. So, if you save any files with a client name, Dropbox employees have access to it. This disqualifies them from our consideration as “following HIPAA guidelines”.

So what is a technologically savvy therapist to do when they want to depend on a cloud service? You have two options that come with “free” accounts, and both claim to meet HIPAA guidelines. Box.net and SpiderOak both claim to have security in place to protect your clients’ privacy and comply with HIPAA. Research them and see if they can work for you and your practice!


Ok, that was a LOT of information, but what can you do now to improve the security of your client information? Begin employing the DLR as soon as possible. This is the quickest way to begin securing information for client safety and your own protection. I had a good lesson in being careful with confidentiality laws a few weeks ago. Thankfully I learned the lesson WITHOUT breaching anyone’s confidential information! My husband and I live in a very safe, older neighborhood (we’re the youngest by a good 15 years) with very nosy neighbors. Everyone knows everyone else’s business, which is nice because it keeps the area “close-knit” and safe. That was until a few weeks ago when, in the middle of the night, someone smashed in the window on my husband’s Camry and stole my purse. We’re thankful they took the purse – it is simply a material item and it left me, my husband and baby all safe. But it really made me stop and think about how often my client files are in the car. Especially now that I am running my private practice, my car often is my office. I never leave files in my car overnight, but they are often in the car ALL day. I reviewed some of the talks from the conference and went to Wal-mart that same day. I bought a lockable file box, a lock and some hanging folders for my client files, plus spare paperwork I may need while out on the run (applications, data sheets, etc.). It is large enough that I can slip in my laptop, iPad and USB jump drives. Everything locked up in the trunk, and it cost me around $20.


How can you be more HIPAA savvy by employing the Double Lock Rule today?

– Tara, the SpeechyKeenSLP

One Response to HIPAA: Double Lock Rule

  1. Victoria says:

    Where did the DLR originate from in the first place? What law or whose rule?

Leave a Reply