Anesthesia Coding Alert

Patient Privacy:

Answer These 7 Questions to Keep on Track With HIPAA Compliance

Heads up: Security checks are not enough.

As the number of anesthesia practices moving to electronic health records (EHR) grows, so does the opportunity for HIPAA violations. The good news is there are ways to prevent your practice from becoming one of the HIPAA violation case studies. Start by posing the questions that follow to the developers setting up your EHR system. The questions are based on information from the HHS Office of the National Coordinator for Health Information Technology’s (ONC) newly updated “Guide to Privacy and Security of Electronic Health Information” (go to www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf).

1. When my health IT developer installs its software for my practice, does its implementation process address the security features listed below for my practice environment?

  • ePHI (electronic personal health information) encryption
  • Auditing functions
  • Backup and recovery routines
  • Unique user IDs and strong passwords
  • Role- or user-based access controls
  • Auto time-out
  • Emergency access
  • Amendments and accounting of disclosures

2. Will the health IT developer train my staff on the above features so my team can update and configure these features as needed?

3. How much of my health IT developer’s training covers privacy and security awareness, requirements and functions?

4. How does my backup and recovery system work?

  • Where is the documentation?
  • Where are the backups stored?
  • How often do I test this recovery system?

5. When my staff is trying to communicate with the health IT developer’s staff, how will each party authenticate its identity? For example, how will my staff know that an individual who contacts them is the health IT developer representative and not a hacker trying to pose as such?

6. How much remote access will the health IT developer have to my system to provide support and other services? How will this remote access be secured?

7. If I want to securely email with my patients, will this system enable me to do that as required by the HIPAA Security Rule?

Resource: For a full interview template for questioning health IT developers, go to www.healthit.gov/sites/default/files/privacy-security/Questions-for-EHR-Developers-2015-04.pdf.

