Health Information Compliance Alert

EHRs:

Need To Know: Ask 7 Questions Of Your EHR Developer

Understand the ins and outs of how your backup and recovery system works.

Your electronic health record (EHR) and health IT developers virtually hold your HIPAA compliance in their hands. But do you really understand the privacy and security practices they’re putting into place for you?

To find out, ask your EHR vendor or health IT developer the following questions, which come from the HHS Office of the National Coordinator for Health Information Technology’s (ONC) newly updated “Guide to Privacy and Security of Electronic Health Information” (go to www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf).

1. When my health IT developer installs its software for my practice, does its implementation process address the security features listed below for my practice environment?

  •  ePHI encryption
  •  Auditing functions
  •  Backup and recovery routines
  •  Unique user IDs and strong passwords
  •  Role- or user-based access controls
  •  Auto time-out
  •  Emergency access
  •  Amendments and accounting of disclosures

2. Will the health IT developer train my staff on the above features so my team can update and configure these features as needed?

3. How much of my health IT developer’s training covers privacy and security awareness, requirements and functions?

4. How does my backup and recovery system work?

  •  Where is the documentation?
  •  Where are the backups stored?
  •  How often do I test this recovery system?

5. When my staff is trying to communicate with the health IT developer’s staff, how will each party authenticate its identity? For example, how will my staff know that an individual who contacts them is the health IT developer representative and not a hacker trying to pose as such?

6. How much remote access will the health IT developer have to my system to provide support and other services? How will this remote access be secured?

7. If I want to securely email with my patients, will this system enable me to do that as required by the HIPAA Security Rule?

Resource: For a full interview template for questioning health IT developers, go to www.healthit.gov/sites/default/files/privacy-security/Questions-for-EHR-Developers-2015-04.pdf