Heads up: Security checks are not enough.
As the number of anesthesia practices moving to electronic health records (EHR) grows, so does the opportunity for HIPAA violations. The good news is that there are ways to prevent your practice from becoming one of the HIPAA violation case studies. Start by posing the questions that follow to the developers setting up your EHR system, based on information from the HHS Office of the National Coordinator for Health Information Technology’s (ONC) newly updated “Guide to Privacy and Security of Electronic Health Information” (go to www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf).
1. When my health IT developer installs its software for my practice, does its implementation process address the security features listed below for my practice environment?
2. Will the health IT developer train my staff on the above features so my team can update and configure these features as needed?
3. How much of my health IT developer’s training covers privacy and security awareness, requirements and functions?
4. How does my backup and recovery system work?
5. When my staff is trying to communicate with the health IT developer’s staff, how will each party authenticate its identity? For example, how will my staff know that an individual who contacts them is the health IT developer representative and not a hacker trying to pose as such?
6. How much remote access will the health IT developer have to my system to provide support and other services? How will this remote access be secured?
7. If I want to securely email with my patients, will this system enable me to do that as required by the HIPAA Security Rule?
Resource: For a full interview template for questioning health IT developers, go to www.healthit.gov/sites/default/files/privacy-security/Questions-for-EHR-Developers-2015-04.pdf.