Question: Our practice's attorney asked us if we've performed an EHR risk analysis yet this year. We don't know what that involves - can you advise?
Codify Subscriber
Answer: To gain peace of mind about your EHR, you can perform a risk analysis. You and your staff can perform the risk analysis, but you may need to have your IT staff involved during any technical aspects.
To perform a thorough risk analysis, you must look at key areas to reveal all the potential ways something can go wrong. Specifically, you should examine what can go wrong to affect the confidentiality, integrity or availability of the electronic protected health information (ePHI).
Of course, your main concern when working with EHRs is protecting data from unauthorized access, breaches and leaks. When performing your risk analysis, the HHS Office of the National Coordinator for Health IT(ONC) recommends that you evaluate the following questions:
- What new ePHI have EHRs introduced into my practice? Where will that ePHI reside?
- Who in my office will have access to EHRs?
- Should all employees have the same level of access to EHRs?
- Will I allow employees to have EHRs or ePHI on their mobile computing/storage devices? If so, how can we keep the data secure on those devices?
- How will I know if ePHI has been accidentally or maliciously disclosed to an unauthorized person?
- When we upgrade our electronic storage equipment (e.g., internal/external hard drives), how will we ensure that ePHI is properly erased from the old storage equipment before disposing of it?
- How will I ensure that backup facilities (e.g., tapes, hard drives, etc.) are secure?
- Will we share EHRs, or the ePHI contained in them, with other health care entities through a Health Information Organization (HIO)? If so, what security policies do I need to be aware of?
- What security requirements exist to protect my patients' health information if my EHR system is capable of providing patients with a way to access their health record/information via the Internet, such as a portal?
- Will I communicate with my patients electronically (e.g., through a portal or email)? Are those communications secured? How will I know that I'm communicating with the right patient?
Another element of your EHR privacy and security is how to ensure that the data contained in the records is accurate and remains unadulterated by unauthorized users. To assess your integrity risks, the ONC recommends that you consider these questions:
- Who in my office will be allowed to create or modify an EHR or the ePHI contained in it?
- How will I know if someone has altered or deleted data in an EHR?
- If I participate in an HIO, how will I know whether the health information I exchange is altered in an unauthorized manner?
- If my EHR system allows patients to access their health record/information online, will I allow patients to modify any of the health information in their EHRs? If so, what information?