
HIPAA Compliance for DME Suppliers: A Practical Checklist

Why HIPAA Matters for DME

Every time a DME supplier processes an order, it handles protected health information (PHI): patient names, diagnoses, insurance details, home addresses. Civil penalties run up to $1.5 million per calendar year for all violations of a single HIPAA provision (a cap HHS has since adjusted upward for inflation), and a single breach can do permanent damage to your reputation.

The good news: compliance isn’t complicated if you build it into your workflow from the start.

The HIPAA Compliance Checklist for DME Operations

1. Administrative Safeguards

  • Privacy Officer — Designate someone responsible for HIPAA compliance
  • Written policies — Document how PHI is collected, used, stored, and disposed of
  • Staff training — Every workforce member who handles PHI must be trained at hire and periodically afterward (annual refreshers are the common practice), with attendance documented
  • Business Associate Agreements (BAAs) — Signed with every vendor that creates, receives, stores, or transmits PHI on your behalf (software providers, delivery services, billing companies)
  • Incident response plan — Know what to do if a breach occurs. Affected individuals must be notified without unreasonable delay and no later than 60 calendar days after you discover the breach, so the plan has to be ready before you need it

2. Physical Safeguards

  • Secure storage — Paper records in locked cabinets, restricted access areas
  • Workstation security — Screens positioned away from public view, automatic screen locks
  • Device controls — Inventory of all devices that access PHI, remote wipe capability
  • Visitor policies — Sign-in logs, escorts in areas where PHI is accessible

3. Technical Safeguards

  • Encryption — The Security Rule lists encryption as an "addressable" specification, but a lost laptop or intercepted file holding unencrypted PHI is a reportable breach, while PHI encrypted in line with HHS guidance is not "unsecured" and triggers no notification. Treat it as mandatory: TLS for email and file transfers, full-disk or database encryption for stored data
  • Access controls — Unique user IDs (no shared logins), role-based permissions that limit each role to the patients and fields it needs, automatic logoff, and a documented emergency-access procedure
  • Audit logs — Record who accessed which record, when, and what they did (view, edit, export). Review the logs on a schedule, not only after an incident
  • Secure email — HIPAA certifies no product, so no email service is "compliant" on its own. Patient communications need TLS in transit at minimum, message-level encryption where you cannot guarantee an encrypted path, and a BAA with any provider that stores the mail. A patient may ask for unencrypted email after being told of the risk; document that choice
  • Multi-factor authentication — Not spelled out in the current Security Rule text (HHS has proposed making it explicit), but it is the expected control today. Enable it on every system that holds PHI, including email and remote access
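The audit-log bullet above is only useful if someone actually reads the logs. The following added example (not code from the original page or from BG Clear) shows a minimal review pass over PHI access records: it parses one JSON entry per line and flags access to patients outside a user's assigned caseload, access by unknown accounts, access outside business hours, and a rapid sweep across many distinct patient records (a typical snooping or bulk-export pattern). The log format, the caseload table, the business-hours window and the sample entries are all constructed assumptions for the example, not a real system's format.

```python
"""PHI access audit-log review (added example; formats and data are constructed)."""
import json
from collections import defaultdict
from datetime import datetime

# Assumed authorization model: each user may see only the patients on their
# caseload (e.g. a driver sees only patients on their delivery route).
CASELOAD = {
    "dana.driver": {"P-1001", "P-1002"},
    "bob.billing": {"P-1001", "P-1002", "P-1003", "P-1004"},
    "alice.admin": {"P-1001", "P-1002", "P-1003", "P-1004"},
}

# Constructed sample log: one JSON object per line, UTC timestamps.
SAMPLE_LOG = """\
{"ts": "2024-03-04T09:12:03Z", "user": "dana.driver", "action": "view", "patient_id": "P-1001"}
{"ts": "2024-03-04T09:15:40Z", "user": "dana.driver", "action": "view", "patient_id": "P-1003"}
{"ts": "2024-03-04T10:01:00Z", "user": "bob.billing", "action": "export", "patient_id": "P-1002"}
{"ts": "2024-03-04T23:45:10Z", "user": "bob.billing", "action": "view", "patient_id": "P-1004"}
{"ts": "2024-03-04T11:00:00Z", "user": "bob.billing", "action": "view", "patient_id": "P-1001"}
{"ts": "2024-03-04T11:00:05Z", "user": "bob.billing", "action": "view", "patient_id": "P-1003"}
{"ts": "2024-03-04T11:00:09Z", "user": "bob.billing", "action": "view", "patient_id": "P-1004"}
{"ts": "2024-03-04T11:00:14Z", "user": "bob.billing", "action": "view", "patient_id": "P-1002"}
{"ts": "2024-03-04T11:01:00Z", "user": "ghost.user", "action": "view", "patient_id": "P-1001"}
"""


def parse_log(text):
    """Parse one JSON object per line. A malformed line is an error, not a skip:
    silently dropping audit records would defeat the purpose of the log."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
            entry["ts"] = datetime.fromisoformat(entry["ts"].replace("Z", "+00:00"))
            for key in ("user", "action", "patient_id"):
                entry[key] = str(entry[key])
        except (ValueError, KeyError, TypeError, AttributeError) as exc:
            raise ValueError(f"malformed audit line {lineno}: {exc}") from exc
        entries.append(entry)
    return entries


def review(entries, caseload, business_hours=(6, 20),
           bulk_threshold=4, bulk_window_s=300):
    """Return (kind, user, patient_id, timestamp) findings, in time order.

    kinds: unknown_user, outside_caseload, after_hours, bulk_access
    """
    findings = []
    history = defaultdict(list)  # user -> [(ts, patient_id)], time-ordered
    for e in sorted(entries, key=lambda x: x["ts"]):
        user, pid, ts = e["user"], e["patient_id"], e["ts"]
        allowed = caseload.get(user)
        if allowed is None:
            findings.append(("unknown_user", user, pid, ts))
        elif pid not in allowed:
            findings.append(("outside_caseload", user, pid, ts))
        # Assumed business window, UTC hours [start, end).
        if not business_hours[0] <= ts.hour < business_hours[1]:
            findings.append(("after_hours", user, pid, ts))
        # Distinct patients touched within the trailing window; a sweep across
        # many records in seconds looks like snooping or bulk extraction.
        history[user].append((ts, pid))
        recent = {p for t, p in history[user]
                  if (ts - t).total_seconds() <= bulk_window_s}
        if len(recent) >= bulk_threshold:
            findings.append(("bulk_access", user, pid, ts))
    return findings


def run_sample():
    """Run the review over the constructed sample log."""
    return review(parse_log(SAMPLE_LOG), CASELOAD)


if __name__ == "__main__":
    for kind, user, pid, ts in run_sample():
        print(f"{ts.isoformat()}  {kind:17} {user:12} {pid}")
```

On the sample, the pass reports dana.driver viewing a patient not on her route, bob.billing sweeping four distinct records in fourteen seconds and working at 23:45, and an account that does not exist in the caseload table at all. Two design points carry over to a real deployment: the log store must be append-only and out of reach of the accounts it records, and the review should run on a schedule with its findings tracked to closure, since a log nobody reads satisfies the letter of the safeguard but not its purpose.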

Common HIPAA Mistakes in DME

These are the violations we see most often in the DME space:

  1. Faxing orders to the wrong number — Always verify fax numbers. Better yet, switch to secure electronic ordering.
  2. Discussing patients in open areas — Delivery drivers, warehouse staff, and office visitors can all overhear PHI.
  3. Unsecured email — Sending patient information from a consumer Gmail or Outlook.com account, with no BAA and no encryption, is a violation. Google Workspace and Microsoft 365 business plans will sign a BAA, but only mail sent from accounts covered by that agreement, with encryption enforced, is acceptable.
  4. No BAA with software vendors — If your inventory system or CRM stores patient data, you need a BAA.
  5. Improper disposal — Shredding isn’t optional. Paper records, old hard drives, and even sticky notes with patient info must be properly destroyed.

What to Do After a Breach

If you discover a potential breach:

  1. Contain it immediately — Secure the affected systems or records
  2. Document everything — What happened, when, what PHI was involved, how many individuals affected
  3. Assess the risk — Was the PHI encrypted to HHS guidance? If so it is not "unsecured" and no notification is required. Otherwise, an impermissible disclosure is presumed to be a breach unless a documented four-factor risk assessment (what PHI was involved, who received it, whether it was actually acquired or viewed, how far the exposure was mitigated) shows a low probability of compromise
  4. Notify — Affected individuals without unreasonable delay and no later than 60 calendar days after discovery. HHS is notified for every breach: at the same time as individuals when 500 or more people are affected (plus notice to prominent media outlets serving the area), or in an annual submission within 60 days after the end of the calendar year when fewer than 500 are affected. A business associate notifies the covered entity it serves, which then handles the notifications above
  5. Review and improve — Update policies to prevent recurrence

BG Clear’s HIPAA Commitment

We take patient privacy seriously. Our HIPAA compliance program includes:

  • End-to-end encryption on all order communications
  • Annual staff training and certification
  • Signed BAAs with all technology and logistics partners
  • Regular security audits and risk assessments
  • Secure, SOC 2-compliant data infrastructure

Questions about HIPAA compliance in your DME workflow? Contact us — we’re happy to share what we’ve learned.