drchrono’s Privacy and Security Guide


Post on 27-May-2020



Introduction

In order to achieve Stage 1 of Meaningful Use, eligible professionals must attest that they have met certain requirements related to the use of certified Electronic Health Record Technology. One of these requirements is related to privacy and security.

Please use this as a guide to complete your security risk analysis. drchrono does not attempt to interpret federal or state requirements for your practice, and each risk should be examined in the context of your organization before attesting for Meaningful Use.

Core Requirement 15

Objective: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.

Measure: Conduct or review a security risk analysis per 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.

What do I have to do?

1. Risk Analysis. Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

2. Risk Management. Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.

3. Sanction policy. Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.

4. Information system activity review. Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.


How to

ONC has released several helpful documents to help eligible professionals complete the four requirements above. We have compiled some of this documentation in the guide below. We suggest that you print this document out, complete each section, and keep it on file in case of audit and for use in future security analyses.

Sections of this guide:

Assess Confidentiality Risks

Assess Integrity Risks

Assess Availability Risks

Identify Administrative Safeguards

Identify Physical Safeguards

Identify Technical Safeguards

Sanction Policy

Audit Log

References

drchrono's MU Page

*HIPAA Security Reminder - Sanction Policy

HealthIT's Guide to Privacy and Security of Health Information

Small Practice Security Guide


Assessing Confidentiality Risks

Columns: Question | drchrono’s thoughts | Comments | Initials

What new electronic health information (EHI) has been introduced into my practice because of EHRs? Where will that electronic health information reside?

We recommend that you take advantage of our partnership with Box to securely store all electronic health information.

Who in my office will have access to EHRs and the EHI contained within them?

Under Account > Permissions, you can set all access settings for your users.

Should all employees with access to EHRs have the same level of access?

Each user within your practice, as designated by an administrator, can have unique and individual security settings.

Will I permit my employees to have EHI on mobile computing/storage equipment? If so, do they know how, and do they have the resources necessary, to keep electronic health information secure on these devices?

We recommend that you take advantage of our partnership with Box to securely store all electronic health information. If you need to store scanned documents locally before uploading them to Box, delete them after the upload.

How will I know if EHI has been accidentally or maliciously disclosed to an unauthorized person?

On drchrono’s website, go to Clinical > Audit Log to view all activity and access in the practice.

When I upgrade my computer storage equipment, will EHI be properly erased from the old storage equipment before I dispose of it?

Since drchrono is web-based, no patient health information should be stored locally.

Are my backup facilities secured (computers, tapes, offices, etc., used to back up EHRs and other health IT)?

Again, there should be no local backups necessary using a web-based EHR like drchrono.

Will I be sharing EHRs, or EHI contained in EHRs, with other health care entities through an HIO? If so, what security policies do I need to be aware of?

Any data shared with other health care entities in an HIO should be secured, and any policies regarding security should be agreed upon before sharing.

If my EHR is capable of providing my patients with a way to access their health record/information via the Internet (e.g., through a portal), am I familiar with the security requirements that will protect my patients’ EHI before I implement that feature?

drchrono’s patient portal, OnPatient, is secured under the same requirements as drchrono’s EHR to ensure the standards of EHI security are met.

Will I communicate with my patients electronically (e.g. through a portal or email)? Are those communications secured?

Patient communications made through OnPatient are secured to standard, though communications made by e-mail are not secured to the same standards.

If I offer my patients a method of communicating with me electronically, how will I know that I am communicating with the right patient?

Patient enrollment and login to OnPatient requires unique identification and authorization.


Assessing Integrity Risks

Columns: Question | drchrono’s thoughts | Comments | Initials

Who in my office will be permitted to create or modify an EHR, or EHI contained in the EHR?

Under Account > Permissions, you can set all access settings for your users.

How will I know if an EHR, or the EHI in that EHR, has been altered or deleted?

On drchrono’s website, go to Clinical > Audit Log to view all activity and access in the practice.

If I participate in an HIO, how will I know if the health information I exchange is altered in an unauthorized manner?

On drchrono’s website, go to Clinical > Audit Log to view all activity and access in the practice.

If my EHR system is capable of providing my patients with a way to access their health record/information via the Internet (e.g. through a portal) and I implement that feature, will my patients be permitted to modify any of the health information within that record? If so, what information?

Patient information entered through OnPatient is stored separately from clinician-entered information, and only appropriate clinical users have the ability to enter that patient information in the EHR.


Assessing Availability Risks

Columns: Question | drchrono’s thoughts | Comments | Initials

How will I ensure that EHI, regardless of where it resides, is readily available to me and my employees for authorized purposes, including after normal office hours?

Since drchrono is web-based, it can be accessed from the computer or iPad wherever there is an internet connection!

Do I have a backup strategy for my EHRs in the event of an emergency, or to ensure I have access to patient information if the power goes out or my computer crashes?

In case of computer crash, you can always use a different computer! In case of server downtime, check status.drchrono.com for real-time updates.

If I participate in an HIO, does it have performance standards regarding network availability?

Since drchrono is web-based, it can be accessed from the computer or iPad wherever there is an internet connection! Network availability could affect performance but should never affect security.

If my EHR system is capable of providing my patients with a way to access their health record/information via the internet (e.g. through a portal) and I implement that feature, will I allow 24/7 access?

OnPatient is available to patients 24/7!


Identifying Administrative Safeguards

Columns: Question | drchrono’s thoughts | Comments | Initials

Have I updated my internal information security processes to include the use of EHRs, connectivity to HIOs, offering portal access to patients, and the handling and management of EHI in general?

By completing periodic review of the above analysis and reacting appropriately, you are updating your security processes.

Have I trained my employees on the use of EHRs? Other electronic health information related technologies that I plan to implement? Do they understand the importance of keeping EHI protected?

Each user is able to join in drchrono’s training during implementation. You should also review your sanction policy with each employee.

Have I identified how I will periodically assess my use of health IT to ensure my safeguards are effective?

You can print this document out periodically and use it as a tool to maintain security.

As employees enter and leave my practice, have I defined processes to ensure electronic health information access controls are updated accordingly?

By managing staff and permissions in drchrono, you can make sure all information access controls are updated appropriately.

Have I developed a security incident response plan so that my employees know how to respond to a potential security incident involving EHI (e.g. unauthorized access to an EHR, corrupted EHI)?

In case of a breach of security, designated administrators can update password information, review audit logs, and communicate with any patients whose records may have been breached.


Have I developed processes that outline how EHI will be backed up or stored outside of my practice when it is no longer needed (e.g. when a patient moves and no longer receives care at the practice)?

Again, since drchrono is web-based, there should be no local storage necessary. You are able to mark patients as inactive to designate when patients no longer receive care.

Have I developed contingency plans so that my employees know what to do if access to EHRs and other EHI is not available for an extended period of time?

Since drchrono is web-based, it can be accessed from the computer or iPad wherever there is an internet connection!

Have I developed processes for securely exchanging electronic health information with other health care entities?

Please review our terms of service online if you have any questions.

Have I developed processes that my patients can use to securely connect to a portal? Have I developed processes for proofing the identity of my patients before granting them access to the portal?

Patients must present a unique identifier captured in drchrono and go through a two-step authorization process including patient and provider to enable access to OnPatient.

Do I have a process to periodically test my health IT backup capabilities, so that I am prepared to execute them?

Again, since drchrono is web-based, there should be no local storage necessary.

If equipment is stolen or lost, have I defined processes to respond to the theft or loss?

No PHI should ever be stored on local equipment, but it’s always smart to change your password in case of theft!


Identifying Physical Safeguards

Columns: Question | drchrono’s thoughts | Comments | Initials

Do I have basic office security in place, such as locked doors and windows, and an alarm system? Are they being used properly during working and non-working hours?

We hope so!

Are my desktop computing systems in areas that can be secured during non-working hours?

With drchrono’s auto-logoff features, this should not be an issue.

Are my desktop computers out of reach of patients and other personnel not employed by my practice during normal working hours?

Make sure to verify the physical location of any new equipment you may purchase as part of your implementation.

Is mobile equipment (e.g. laptops), used within and outside my office, secured to prevent theft or loss?

Again, drchrono’s website and iPad platforms have auto-logoff functionality, so PHI is secure.

Do I have a documented inventory of approved and known health IT computing equipment within my practice? Will I know if one of my employees is using a computer or media device not approved for my practice?

Any activity is recorded in the Audit Log, but since drchrono is web-based, your users can access it from anywhere, regardless of physical computing equipment locations.

Do my employees implement basic computer security principles, such as logging out of a computer before leaving it unattended?

With drchrono’s auto-logoff features, this should not be an issue.


Identifying Technical Safeguards

Columns: Question | drchrono’s thoughts | Comments | Initials

Have I configured my computing environment where electronic health information resides using best-practice security settings (enabling a firewall, virus detection, and encryption where appropriate)? Am I maintaining that environment to stay up to date with the latest computer security updates?

Since drchrono is web-based, no patient health information should be stored locally, and security is maintained on the server.

Are there other types of software on my EHI computing equipment that are not needed to sustain my health IT environment (e.g. a music file sharing program), which could put my health IT environment at risk?

The PHI will all reside on the server, so other applications should not be a threat to your secure online drchrono connection.

Is my EHR certified to address industry recognized/best-practice security requirements?

drchrono is ONC-ATCB Certified as a complete EHR product!

Are my health IT applications installed properly, and are the vendor recommended security controls enabled (e.g. computer inactivity timeouts)?

Ensure your logout settings are configured for your iPad.

Is my health IT computing environment up to date with the most recent security updates and patches?

You should always update your equipment with up-to-date security patches, but all PHI is protected online.

Have I configured my EHR application to require my employees to be authenticated (e.g. username/password) before gaining access to the EHR? And have I set their access privileges to electronic health information correctly?

Using drchrono’s authorization and permission features, you can ensure that all privileges to PHI are controlled appropriately.

If I have or plan to establish a patient portal, do I have the proper security controls in place to authenticate the patient (e.g. username/password) before gaining access to the portal and the patient’s EHI? Does the portal’s security reflect industry best-practices?

Patients must present a unique identifier captured in drchrono and go through a two-step authorization process including patient and provider to enable access to OnPatient.

If I have or plan to set up a wireless network, do I have the proper security controls defined and enabled (e.g. known access points, data encryption)?

Since you can access drchrono’s secure website through any wireless network, no special security controls need to be accounted for.

Have I enabled the appropriate audit controls within my health IT environment to be alerted of a potential security incident, or to examine security incidents that have occurred?

Using the Audit Log within drchrono and the Audit Log Review Form below should suffice.


Sanction Policy

You are required to implement and enforce a policy to apply sanctions against members of the workforce who violate the respective regulations.

We suggest you use the sample sanction policy content below as a reference to create your policy and ensure that all employees are knowledgeable of the policy.

Privacy Final Rule Requirement

1. Sanctions. A covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity…

2. Implementation Specification. A covered entity must document the sanctions that are applied, if any.

Security Final Rule Requirement

1. Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.

2. Sanction Policy. Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.


Sample Sanction Policy*

DEFINITION OF OFFENSES:

Class I offenses:

(1) Accessing information that you do not need to know to do your job;

(2) Sharing your computer access codes (user name & password);

(3) Leaving your computer unattended while you are logged into a PHI program;

(4) Sharing PHI with another employee without authorization;

(5) Copying PHI without authorization;

(6) Changing PHI without authorization;

(7) Discussing confidential information in a public area or in an area where the public could overhear the conversation;

(8) Discussing confidential information with an unauthorized person; or

(9) Failure to cooperate with privacy officer.

Class II offenses:

(1) Second offense of any class I offense (does not have to be the same offense);

(2) Unauthorized use or disclosure of PHI;

(3) Using another person’s computer access codes (user name & password); or

(4) Failure to comply with a resolution team resolution or recommendation.

Class III offenses:

(1) Third offense of any class I offense (does not have to be the same offense);

(2) Second offense of any class II offense (does not have to be the same offense);

(3) Obtaining PHI under false pretenses; or

(4) Using and/or disclosing PHI for commercial advantage, personal gain or malicious harm.

SANCTIONS:

Class I offenses shall include, but are not limited to:

(a) Verbal reprimand;

(b) Written reprimand in employee’s personnel file;

(c) Retraining on HIPAA Awareness;

(d) Retraining on Company's Privacy and Security Policy and how it impacts the said employee and said employee’s department; or

(e) Retraining on the proper use of internal forms and HIPAA required forms.

Class II offenses shall include, but are not limited to:

(a) Written reprimand in employee’s personnel file;

(b) Retraining on HIPAA Awareness;

(c) Retraining on County’s Privacy Policy and how it impacts the said employee and said employee’s department;

(d) Retraining on the proper use of internal forms and HIPAA required forms; or

(e) Suspension of employee (In reference to suspension period: minimum of one (1) day / maximum of three (3) days).

Class III offenses shall include, but are not limited to:

(a) Termination of employment;


(b) Civil penalties as provided under HIPAA or other applicable Federal/State/Local law; or

(c) Criminal penalties as provided under HIPAA or other applicable Federal/State/Local law.

Audit Log Review

Columns: Reviewer | Findings | Escalation? | Date
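The review form above is blank; as an added example (not drchrono's code, and not drchrono's real audit-log export format), the script below shows what a periodic audit log review can look for before a reviewer fills in Findings and Escalation: PHI access outside office hours, one user opening many distinct charts in a short window, and repeated failed logins. The log line layout, field names, office hours and thresholds are all assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, time

# Constructed sample audit-log lines (assumed layout, not drchrono's real format):
# timestamp, user, action, patient id ("-" when none), source IP.
SAMPLE_LOG = """\
2020-05-26T09:12:03 jdoe VIEW_CHART P1001 10.0.0.12
2020-05-26T09:15:41 jdoe EDIT_CHART P1001 10.0.0.12
2020-05-26T10:02:17 msmith VIEW_CHART P1002 10.0.0.15
2020-05-26T23:47:09 msmith VIEW_CHART P1003 203.0.113.7
2020-05-26T23:48:30 msmith VIEW_CHART P1004 203.0.113.7
2020-05-26T23:49:02 msmith VIEW_CHART P1005 203.0.113.7
2020-05-26T23:49:40 msmith EXPORT_CHART P1006 203.0.113.7
2020-05-27T08:01:55 frontdesk LOGIN_FAILED - 10.0.0.20
2020-05-27T08:02:10 frontdesk LOGIN_FAILED - 10.0.0.20
2020-05-27T08:02:25 frontdesk LOGIN_FAILED - 10.0.0.20
2020-05-27T08:02:40 frontdesk LOGIN_FAILED - 10.0.0.20
2020-05-27T08:03:01 frontdesk LOGIN_FAILED - 10.0.0.20
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
OFFICE_OPEN, OFFICE_CLOSE = time(7, 0), time(19, 0)   # assumed office hours
PHI_ACTIONS = {"VIEW_CHART", "EDIT_CHART", "EXPORT_CHART"}  # actions that touch EHI


def parse(log_text):
    """Turn raw lines into event dicts; lines that do not match the layout are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, action, patient, ip = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "user": user,
                           "action": action, "patient": patient, "ip": ip})
    return events


def review(events, max_failed_logins=3, max_distinct_patients_per_hour=3):
    """Return Findings rows for the review form as (user, finding, escalate?) tuples."""
    findings = []
    after_hours = Counter()            # PHI actions outside office hours, per user
    failed = Counter()                 # failed logins, per user
    per_user_hour = defaultdict(set)   # distinct charts touched per (user, hour)
    for e in events:
        if e["action"] == "LOGIN_FAILED":
            failed[e["user"]] += 1
        if e["action"] in PHI_ACTIONS:
            if not OFFICE_OPEN <= e["ts"].time() < OFFICE_CLOSE:
                after_hours[e["user"]] += 1
            hour = e["ts"].strftime("%Y-%m-%d %H")
            per_user_hour[(e["user"], hour)].add(e["patient"])
    # After-hours access alone is noted for the reviewer but not escalated automatically.
    for user, n in after_hours.items():
        findings.append((user, f"{n} PHI access(es) outside office hours", False))
    # Many distinct charts in one hour suggests browsing beyond a need-to-know (Class I offense 1).
    for (user, hour), patients in per_user_hour.items():
        if len(patients) > max_distinct_patients_per_hour:
            findings.append((user, f"{len(patients)} distinct charts in hour {hour}", True))
    # Repeated failed logins may indicate shared or guessed credentials.
    for user, n in failed.items():
        if n >= max_failed_logins:
            findings.append((user, f"{n} failed logins", True))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding, escalate in review(parse(SAMPLE_LOG)):
        print(f"{user:10} {finding:45} escalate={escalate}")
```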
