If you plan to do any electronic transmission of client records (e.g., submitting insurance claims electronically), you have to comply with HIPAA standards to maintain the security of client records. Even if you don't plan to transmit records electronically, it's still a good idea to take security precautions with client records.
Client records fall into two categories: hard-copy paper records and electronic records. Paper records should be double locked, meaning they should be kept in a locking file box or cabinet in a locked office (or home). Most filing cabinets have locks - you just need to use them! If you move records between locations, or don't have enough to warrant a filing cabinet, you can get a file box like this one.
I like that it has combinations (rather than a key that could get lost). It's a bit heavy, but that is probably a good sign when it comes to security - reinforced edges and walls mean that it would be hard to break open by sheer force.
When it comes to electronic records, at minimum they need to be kept in a password-protected file. It is better to encrypt them. Any mobile platforms (e.g., a USB flash drive) should be encrypted, and so should emails that contain protected health information. I found a free program that is actually pretty user-friendly and allows me to create encrypted drives on my computer, encrypt mobile technology, and send encrypted email. It's called Cypherix LE.
Of course, if you use electronic medical records software, it probably has encryption built into it - but that's a feature to find out about if you're considering and comparing software.
Does anyone know of other useful security products or features? Or security considerations I'm not thinking of?