Major restructuring is NOT a requirement under this standard. For example, sound proofing of rooms, building new private rooms and encryption of telephone systems is not required.
The Privacy Rule does not require that all risk of protected health information disclosure be eliminated. Each office must review its own practices and decide what steps are reasonable to safeguard patients' protected health information (PHI). In doing this, potential risks to patient privacy, financial burdens to the practice and common practices need to be considered. Examples of reasonable safeguards would be to install cubicles, dividers, shields, curtains, or similar barriers in areas where multiple staff and provider communications take place. Providers could add curtains or screens to areas where discussions often occur between doctors and patients.