HIPAA Compliance During an Office Move: Step-by-Step Checklist and Best Practices
Secure Transport of PHI
Protecting protected health information (PHI) starts before a single box is moved. Assign a move lead, define roles, and create a written plan that prioritizes chain-of-custody, Physical Access Controls, and minimum necessary handling.
Pre-move preparation
- Inventory where PHI lives (paper files, devices, media) and label containers with non-descriptive IDs—not patient details.
- Vet movers and couriers; require confidentiality agreements and, where applicable, Business Associate Agreements if they will handle PHI or ePHI.
- Prepare tamper-evident, lockable containers; assign seal numbers and a chain-of-custody log for each container.
- Limit access to authorized staff; issue temporary badges and restrict keys; brief staff on do’s/don’ts for PHI handling.
Day-of-move controls
- Stage PHI separately from general office items; load last, unload first, under direct supervision.
- Record seal numbers at pickup and delivery; reconcile counts at every handoff using signed logs.
- Use unmarked vehicles when possible; maintain locked vehicles and secure routes; avoid overnight stops with PHI on board.
Post-arrival verification
- Confirm seals intact; reconcile manifests immediately; escalate any discrepancy via your incident response process.
- Store PHI in secured rooms or cabinets on arrival; update asset and location inventories the same day.
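The seal-and-count reconciliation described above, as an added example (not part of the original checklist): it compares a pickup log with a delivery log and returns every discrepancy that should go to incident response. Container IDs, seal numbers and staff names are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Handoff:
    """One signed line in a chain-of-custody log."""
    container_id: str  # non-descriptive container label, never patient details
    seal: str          # tamper-evident seal number recorded at this handoff
    count: int         # items declared inside (boxes, drives, devices)
    signed_by: str     # staff member who signed the log at this handoff

def reconcile(pickup: list[Handoff], delivery: list[Handoff]) -> list[str]:
    """Compare pickup and delivery logs; any finding is a custody break."""
    findings = []
    # Log hygiene: every line must be signed and no container may appear twice.
    for stage, log in (("pickup", pickup), ("delivery", delivery)):
        seen = set()
        for h in log:
            if not h.signed_by:
                findings.append(f"{h.container_id}: {stage} log unsigned")
            if h.container_id in seen:
                findings.append(f"{h.container_id}: duplicate {stage} entry")
            seen.add(h.container_id)
    picked = {h.container_id: h for h in pickup}
    delivered = {h.container_id: h for h in delivery}
    for cid in picked.keys() - delivered.keys():
        findings.append(f"{cid}: picked up but never delivered")
    for cid in delivered.keys() - picked.keys():
        findings.append(f"{cid}: delivered but not on pickup manifest")
    # Containers present at both ends: seal and declared count must match.
    for cid in picked.keys() & delivered.keys():
        p, d = picked[cid], delivered[cid]
        if p.seal != d.seal:
            findings.append(f"{cid}: seal changed {p.seal} -> {d.seal}")
        if p.count != d.count:
            findings.append(f"{cid}: count changed {p.count} -> {d.count}")
    return sorted(findings)

# Constructed sample logs (not real data): four containers leave the old site;
# at the new site one is missing, one seal differs, one count is short, and an
# unexpected, unsigned container appears.
PICKUP = [Handoff("C-0001", "S-77812", 4, "J. Lee"), Handoff("C-0002", "S-77813", 3, "J. Lee"),
          Handoff("C-0003", "S-77814", 5, "J. Lee"), Handoff("C-0004", "S-77815", 2, "J. Lee")]
DELIVERY = [Handoff("C-0001", "S-77812", 4, "M. Ortiz"), Handoff("C-0002", "S-90001", 3, "M. Ortiz"),
            Handoff("C-0003", "S-77814", 4, "M. Ortiz"), Handoff("C-0009", "S-77999", 1, "")]

if __name__ == "__main__":
    for finding in reconcile(PICKUP, DELIVERY):
        print("ESCALATE:", finding)
```

An empty result means every container arrived with the seal and count it left with; anything else is recorded as evidence and escalated.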
Update HIPAA Documentation
Relocation triggers documentation updates. Refresh policies, logs, and forms so your written program reflects the new environment and responsibilities.
Policies and procedures to revise
- Facility security, visitor management, and Physical Access Controls for the new site (badges, keys, alarms, cameras, visitor logs).
- Workstation security, device and media controls, and disposal procedures aligned to the new floor plan and storage areas.
- Emergency Contingency Plans (backup, disaster recovery, emergency mode operations) with updated contacts and alternate work locations.
- Security Risk Assessment addendum capturing move-related threats and safeguards.
Required notices and records
- Update your Notice of Privacy Practices with the new address and effective date; refresh website, portal, and lobby postings.
- Revise privacy/security officer contact details; update training materials and retain completion records.
- Confirm incident response, breach notification, and sanction procedures reflect new roles and vendors.
Safeguard ePHI During Transition
System moves and EHR migrations concentrate risk. Protect availability, integrity, and confidentiality of ePHI with strong Encryption Standards, controlled access, and comprehensive Audit Logs.
Before migration
- Map systems and data flows; define what moves, what retires, and who owns each step.
- Create verified, offline backups; test restores and document results before cutover.
- Apply device encryption (laptops, drives, servers) and enforce MFA/VPN for remote access.
- Harden staging and destination environments; patch systems; restrict admin access; validate vendor responsibilities.
- Document downtime procedures and Emergency Contingency Plans for appointments, e-prescribing, and results.
During migration
- Encrypt data in transit (e.g., TLS 1.2+ or SFTP) per your Encryption Standards; use dual control for credentials.
- Segment networks for migration traffic; monitor in real time; capture Audit Logs across identity, network, and application layers.
- Freeze nonessential changes; escalate exceptions through a defined change-control path.
After cutover
- Validate data integrity with spot checks and hash/record counts; confirm all interfaces and e-prescribe services function.
- Revoke temporary access; rotate keys and passwords; review user roles for least privilege.
- Confirm backup jobs at the new site; enable centralized log collection; tune alerts for anomalous logins or data movement.
- Sanitize retired media using an industry-standard destruction method and retain certificates.
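The "hash/record counts" integrity check from the post-cutover step, as an added example (not code from the original article or any EHR vendor): it hashes each exported record in canonical form so that a matching record count cannot hide an altered or swapped record. The record layout and values are constructed, not real PHI.

```python
import hashlib
import json

def record_hash(record: dict) -> str:
    """SHA-256 over canonical JSON, so field order alone never reads as a change."""
    canon = json.dumps(record, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

def manifest(records: list[dict], key: str = "record_id") -> dict[str, str]:
    """Map each record key to its hash; a duplicate key is itself an integrity error."""
    out = {}
    for r in records:
        if r[key] in out:
            raise ValueError(f"duplicate {key} in export: {r[key]}")
        out[r[key]] = record_hash(r)
    return out

def manifest_digest(m: dict[str, str]) -> str:
    """One hash over the whole manifest, retained as evidence of the comparison."""
    joined = "\n".join(f"{k} {v}" for k, v in sorted(m.items()))
    return hashlib.sha256(joined.encode("utf-8")).hexdigest()

def validate_cutover(source: list[dict], dest: list[dict]) -> dict:
    """Compare source and destination exports record by record, not just by count."""
    src, dst = manifest(source), manifest(dest)
    return {
        "source_count": len(src), "dest_count": len(dst),
        "missing": sorted(src.keys() - dst.keys()),
        "unexpected": sorted(dst.keys() - src.keys()),
        "altered": sorted(k for k in src.keys() & dst.keys() if src[k] != dst[k]),
        "source_digest": manifest_digest(src), "dest_digest": manifest_digest(dst),
    }

def passed(report: dict) -> bool:
    """Equal digests mean identical key sets and identical per-record hashes."""
    return report["source_digest"] == report["dest_digest"]

# Constructed sample exports (synthetic values, not real PHI). Counts match (3 vs 3),
# which is why a count check alone would wrongly pass this migration.
SOURCE = [{"record_id": "R1", "mrn": "000101", "allergy": "penicillin"},
          {"record_id": "R2", "mrn": "000102", "allergy": "none"},
          {"record_id": "R3", "mrn": "000103", "allergy": "latex"}]
DEST = [{"mrn": "000101", "record_id": "R1", "allergy": "penicillin"},  # reordered fields: fine
        {"record_id": "R2", "mrn": "000102", "allergy": "NONE"},        # value altered
        {"record_id": "R4", "mrn": "000104", "allergy": "none"}]        # R3 lost, R4 unexpected

if __name__ == "__main__":
    print(json.dumps(validate_cutover(SOURCE, DEST), indent=2))
```

Retain the two manifest digests with the cutover report; they are the evidence that the comparison was actually performed against the data that moved.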
Protect Paper Records
Paper files often persist even in digital-first practices. Apply strict controls from packing to re-shelving to prevent loss or unauthorized viewing.
- Apply the minimum necessary standard; purge duplicates per retention policy; schedule on-site shredding for unneeded records.
- Pack records in locked, numbered containers; separate keys from containers; document handlers in chain-of-custody logs.
- At the new site, store files in locked, fire-resistant cabinets inside restricted rooms; implement clean-desk and secure printing.
- For mail-in PHI, maintain a designated, supervised intake area and log receipt immediately upon arrival.
Inform Patients Securely
Communications about your new address must be accurate and privacy-preserving. Share only what’s necessary and avoid adding PHI to routine notices.
- Update the Notice of Privacy Practices, website, portal banner, after-hours message, and appointment reminders with the new address and effective date.
- Use sealed letters or portal messages for broad announcements; avoid postcards; do not include diagnoses, test results, or account details.
- When emailing, send to verified addresses and use BCC or a mailing platform that suppresses recipient disclosure.
- Train frontline staff with a script to verify identity before discussing any patient-specific matters related to the move.
Review Business Associate Agreements
Moves often add or change vendors. Ensure Business Associate Agreements reflect scope, locations, and security expectations tied to your relocation.
- Identify BAs involved in the move (IT firms, data migration teams, records storage, shredding, scanning, cloud services).
- Amend BAAs when services or locations change; confirm subcontractor coverage and right-to-audit provisions.
- Require Encryption Standards for data at rest/in transit, defined breach notification timelines, and maintenance of relevant Audit Logs.
- Specify data return/destruction on project completion and require proof (e.g., destruction certificates or sanitized asset reports).
Conduct Post-Move HIPAA Review
Validate that safeguards work as designed in the new setting. Capture evidence you can produce during an inquiry or audit.
30–60-day review checklist
- Walk the facility to confirm Physical Access Controls, camera coverage, visitor workflows, and secure storage are operating.
- Review Audit Logs for abnormal access or data transfers during and after cutover; address findings promptly.
- Update the Security Risk Assessment with residual risks and remediation owners, dates, and success criteria.
- Tabletop-test Emergency Contingency Plans (power loss, network outage, EHR downtime) and record gaps and fixes.
- Deliver post-move training; refresh acknowledgments; verify managers enforce clean-desk and screen-lock practices.
Metrics and evidence to retain
- Asset inventories, chain-of-custody forms, backup/restore reports, and access reviews.
- Policy revisions with effective dates, training rosters, incident logs, and vendor attestations.
- Results from vulnerability scans or penetration tests conducted after the move.
Conclusion
A successful move hardens security rather than merely relocating it. By planning transport, updating documentation, safeguarding ePHI, controlling paper, communicating carefully, tightening Business Associate Agreements, and completing a post-move review, you maintain HIPAA compliance and protect patient trust.
FAQs
What are the key HIPAA safeguards during an office move?
Focus on chain-of-custody for PHI, strong Physical Access Controls, encryption for systems and transfers, real-time monitoring with Audit Logs, and clear Emergency Contingency Plans. Update policies, train staff, and document every control and exception throughout the move.
How should PHI be transported securely in a move?
Use locked, tamper-evident containers with numbered seals; limit handling to authorized staff; maintain chain-of-custody logs at every handoff; and separate PHI from general freight. Reconcile inventories on arrival and secure records immediately at the destination.
When should Business Associate Agreements be updated during relocation?
Amend BAAs when a vendor’s services, locations, or subcontractors change due to the move, or when new vendors handle PHI or ePHI. Ensure terms specify Encryption Standards, breach notification timelines, Audit Logs, and data return or destruction at project end.
How can patients be informed about an address change without compromising privacy?
Provide the new address and effective date via sealed letters, portal messages, website updates, and signage—without including PHI. For email, verify addresses and use BCC. Update the Notice of Privacy Practices and train staff to verify identity before sharing any patient-specific information.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.