Practice Management Alert

Clip and Save:

Ensure HIPAA Compliance with 7 EHR Development Questions

Don’t stop with security checks. 

With more and more practices moving to electronic health records (EHR), the opportunities for HIPAA violations increase. Don’t let your practice become one of the HIPAA violation case studies. Posing the right questions to the developers setting up your EHR system is crucial to protecting your practice.

Ask your EHR vendor or health IT developer the following questions, as recommended by the HHS Office of the National Coordinator for Health Information Technology (ONC) in its newly updated “Guide to Privacy and Security of Electronic Health Information” (go to www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf).

1. When my health IT developer installs its software for my practice, does its implementation process address the security features listed below for my practice environment?

  • ePHI encryption
  • Auditing functions
  • Backup and recovery routines
  • Unique user IDs and strong passwords
  • Role- or user-based access controls
  • Auto time-out
  • Emergency access
  • Amendments and accounting of disclosures

2. Will the health IT developer train my staff on the above features so my team can update and configure these features as needed?

3. How much of my health IT developer’s training covers privacy and security awareness, requirements and functions?

4. How does my backup and recovery system work?

  • Where is the documentation?
  • Where are the backups stored?
  • How often do I test this recovery system?

5. When my staff is trying to communicate with the health IT developer’s staff, how will each party authenticate its identity? For example, how will my staff know that an individual who contacts them is the health IT developer representative and not a hacker trying to pose as such?

6. How much remote access will the health IT developer have to my system to provide support and other services? How will this remote access be secured?

7. If I want to securely email with my patients, will this system enable me to do that as required by the HIPAA Security Rule?

Resource: For a full interview template for questioning health IT developers, go to www.healthit.gov/sites/default/files/privacy-security/Questions-for-EHR-Developers-2015-04.pdf.