Computer (individual logins for each person). Minimum access to only those with "need" to know. Full encryption for emails with ANY PHI. Email addresses alone are considered a part of PHI. Fax machine (not accessible to anyone w/out need to know). Charts kept behind counters; papers and all PHI-related things should also not be left out. Filing cabinets with patient files and PHI MUST be locked and kept away from those w/out need to access. Those are just a few things. I'm sure I left out a lot. There should be a full and well-documented compliance plan along with office policies and procedures. Also important is to consult the HIPAA regulations and first determine if you are a covered entity or a business associate. Some billing companies (depending on their services) are covered entities along with clearinghouses. Know all aspects of HIPAA and general compliance, put a plan in action, document it and follow it.