How to Stay HIPAA Compliant During a Healthcare Office Move

A successful move protects patients, preserves operations, and keeps you compliant. This guide shows you exactly how to stay HIPAA compliant during a healthcare office move, from securing PHI in transit to validating safeguards after you reopen.

Use these steps to control risk, document decisions, and maintain continuity of care while you transition to your new location.

Secure Transport of PHI

Begin with an inventory of all locations where PHI resides—exam rooms, file rooms, scanners, copiers, servers, and clinician devices. Map what will move, what will be decommissioned, and who is authorized to handle each category.

• Establish a documented Chain-of-Custody for every container, device, and media item that may hold PHI. Record seal numbers, handlers, timestamps, and transfer points.
• Package records in locked, tamper-evident containers; limit keys to a short, named list. Keep containers out of public view and never leave them unattended.
• Schedule direct, point-to-point transport with vetted staff or a vendor under Business Associate Agreements. Use unmarked vehicles and preplanned secure routes.
• Apply the minimum necessary standard: move only what you must, and separate PHI from general office materials.
• Stage a receiving area at the new site with controlled access, reconcile manifests immediately, and investigate any discrepancy before containers are opened.

Update HIPAA Documentation

Update your written program so that policies match the new environment. Revise roles, contact information, floor plans, and procedures tied to the new office design and workflows.

• Refresh your Notice of Privacy Practices with the new address, effective date, and updated contact channels. Post it prominently and provide it per your intake process.
• Run and document a Security Risk Assessment tailored to the new location, including data flows, asset inventory, threats, vulnerabilities, and risk treatment plans.
• Revise Facility Access Controls: door hardware, badge rights, visitor sign-in, escort rules, and after-hours procedures.
• Update device and media controls, workstation security, disposal, and incident response procedures to reflect new floor plans and equipment placement.
• Align Emergency & Contingency Plans with the new site—contacts, utilities, failover locations, downtime workflows, and restoration priorities.

Safeguard ePHI During Transition

ePHI protection hinges on hardened endpoints, secured networks, and tested recoverability throughout the move. Lock down portable media and establish cutover windows with clear rollback paths.

• Enable Encrypted Storage on all servers, laptops, and removable media. Enforce strong authentication, MFA, and automatic screen locks before, during, and after transport.
• Use a temporary staging network with strict segmentation, least-privilege access, and logged administrative actions. Prohibit default passwords and disable unused services.
• Back up systems with offline or immutable copies. Perform test restores before decommissioning any old infrastructure and again after systems are live at the new site.
• Transport servers and drives in locked cases with shock indicators and Chain-of-Custody logs. Verify integrity and access controls before reconnecting to production.
• Coordinate EHR cutover: freeze nonessential changes, validate interfaces, and keep a downtime kit so clinicians can continue care if activation slips.

Protect Paper Records

Paper remains a high-risk medium during moves. Treat it like cash: count it, lock it, supervise it, and reconcile it immediately at the destination.

• Organize by retention schedule and sensitivity. Assign unique container IDs and maintain a packing index stored separately from the boxes.
• Use locked, tamper-evident containers; apply seal numbers to the manifest. Restrict handling to trained personnel under supervision.
• Keep PHI containers separated from general freight. Load last, unload first, and move directly to the secured records room at the new site.
• At arrival, confirm seal integrity, reconcile counts, and file immediately in access-controlled areas. Update your records tracking system the same day.
• For disposals, use a shredding vendor under Business Associate Agreements and retain certificates of destruction with the move file.

Inform Patients Securely

Plan patient communications to ensure continuity without exposing PHI. Keep messages factual and limited to operational details.

• Notify once the new address and go-live date are confirmed—ideally 30–60 days in advance—and again in appointment reminders near the move.
• Prefer secure channels such as the patient portal for broad notices. When using mail or phone, avoid including diagnoses or other PHI.
• Use clear language: new address, directions, parking, date services begin, and how to reach you for urgent needs. Offer accessibility options and translations where appropriate.
• Update signage, phone greetings, forms, and your Notice of Privacy Practices so patients encounter consistent information across touchpoints.

Review Business Associate Agreements

Any vendor that may access PHI during the move must be covered by Business Associate Agreements before work starts. Confirm scope and safeguards in writing.

• Identify affected vendors: movers, IT services, EHR hosting, device disposal, storage, telecom, copier and scanner maintenance, and shredding.
• Ensure BAAs specify permitted uses, safeguards, subcontractor flow-down, breach reporting expectations, and termination/return-or-destruction terms.
• Perform due diligence: insurance verification, security questionnaires, and documented on-site protocols. Limit vendor access to the minimum necessary.
• Keep executed BAAs, Chain-of-Custody logs, and certificates of destruction with your move documentation for audit readiness.

Conduct Post-Move HIPAA Review

Validate that safeguards work as designed in the new environment. Close gaps quickly and capture lessons learned to strengthen future moves.

• Update your Security Risk Assessment for the new site and document risk treatments and owners. Reconcile the asset inventory and device locations.
• Test Facility Access Controls, alarms, cameras, and visitor logging. Confirm screen privacy, workstation placement, and automatic logoff settings.
• Verify backups, restoration, network segmentation, VPN/MFA enforcement, and interface connectivity. Decommission legacy systems securely.
• Provide a brief refresher training focused on the new layout, emergency routes, and incident reporting. Monitor for misdirected mail or faxes from the old address.
• Finalize documentation: update Emergency & Contingency Plans, archive Chain-of-Custody records, and record a formal post-move review with corrective actions.

A disciplined plan, tight documentation, and vigilant follow-through keep your move smooth and compliant. By controlling transport, updating policies, securing ePHI and paper, aligning BAAs, and auditing the new site, you protect patients and your organization.

FAQs

How can PHI be secured during transport?

Use locked, tamper-evident containers, maintain a detailed Chain-of-Custody, limit handlers to trained staff or vetted vendors under BAAs, and move directly from secure origin to secure destination with immediate reconciliation on arrival.

What documentation needs updating after an office move?

Refresh your Notice of Privacy Practices, Security Risk Assessment, Facility Access Controls, device and media policies, incident response, and Emergency & Contingency Plans. Update contacts, floor plans, and asset inventories to reflect the new site.

How should ePHI be protected during transition?

Encrypt all devices and media, enforce MFA and VPN, segment any staging networks, keep offline or immutable backups with test restores, and transport servers or drives in locked cases with documented custody and validation before production use.

When should patients be notified about the relocation?

Notify patients once the new address and go-live date are confirmed—ideally 30–60 days ahead—and reinforce via appointment reminders near the move. Share only operational details and use secure channels like the patient portal when possible.