drchrono's Privacy and Security Guide

Introduction

In order to achieve Stage 1 of Meaningful Use, eligible professionals must attest that they have met certain requirements related to the use of certified Electronic Health Record Technology. One of these requirements is related to privacy and security. Please use this as a guide to complete your security risk analysis. drchrono does not attempt to interpret federal or state requirements for your practice, and each risk should be examined in the context of your organization before attesting for Meaningful Use.

Core Requirement 15

Objective: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.

Measure: Conduct or review a security risk analysis per 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.

What do I have to do?

1. Risk Analysis. Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
2. Risk Management. Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
3. Sanction Policy. Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.
4. Information System Activity Review. Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

How to

ONC has released several helpful documents to help eligible professionals complete the four requirements above. We have compiled some of this documentation in the guide below. We suggest that you print this document out, complete each section, and keep it on file in case of audit and for use in future security analysis.

Contents

Assess Confidentiality Risks
Assess Integrity Risks
Assess Availability Risks
Identify Administrative Safeguards
Identify Physical Safeguards
Identify Technical Safeguards
Sanction Policy
Audit Log

References

drchrono's MU Page
*HIPAA Security Reminder - Sanction Policy
HealthIT's Guide to Privacy and Security of Health Information
Small Practice Security Guide

Assessing Confidentiality Risks

Question: What new electronic health information (EHI) has been introduced into my practice because of EHRs?

Question: Where will that electronic health information reside?
drchrono's thoughts: We recommend that you take advantage of our partnership with Box to securely store all electronic health information.

Question: Who in my office will have access to EHRs and the EHI contained within them? Should all employees with access to EHRs have the same level of access?
drchrono's thoughts: Under Account > Permissions, you can set all access settings for your users. Each user within your practice, as designated by an administrator, can have unique and individual security settings.

Question: Will I permit my employees to have EHI on mobile computing/storage equipment? If so, do they know how, and do they have the resources necessary, to keep electronic health information secure on these devices?
drchrono's thoughts: We recommend that you take advantage of our partnership with Box to securely store all electronic health information. If you need to store scanned documents before uploading to Box, these should be deleted after the upload.

Question: How will I know if EHI has been accidentally or maliciously disclosed to an unauthorized person?
drchrono's thoughts: On drchrono's website, go to Clinical > Audit Log to view all activity and access in the practice.

Question: When I upgrade my computer storage equipment, will EHI be properly erased from the old storage equipment before I dispose of it?
drchrono's thoughts: Since drchrono is web-based, no patient health information should be stored locally.

Question: Are my backup facilities secured (computers, tapes, offices, etc., used to back up EHRs and other health IT)?
drchrono's thoughts: Again, there should be no local backups necessary using a web-based EHR like drchrono.

Question: Will I be sharing EHRs, or EHI contained in EHRs, with other health care entities through an HIO? If so, what security policies do I need to be aware of?
drchrono's thoughts: Any data shared with other health care entities in an HIO should be secured, and any policies regarding security should be agreed upon before sharing.

Question: If my EHR is capable of providing my patients with a way to access their health record/information via the Internet (e.g., through a portal), am I familiar with the security requirements that will protect my patients' EHI before I implement that feature?
drchrono's thoughts: drchrono's patient portal, OnPatient, is secured through the same requirements as drchrono's EHR to ensure the standards of EHI security are met.

Question: Will I communicate with my patients electronically (e.g. through a portal or email)? Are those communications secured?
drchrono's thoughts: Patient communications made through OnPatient are secured to standard, though communications made by e-mail are not secured to the same standards.

Question: If I offer my patients a method of communicating with me electronically, how will I know that I am communicating with the right patient?
drchrono's thoughts: Patient enrollment and login to OnPatient requires unique identification and authorization.

Comments: ______________________________ Initials: ________

Assessing Integrity Risks

Question: Who in my office will be permitted to create or modify an EHR, or EHI contained in the EHR?
drchrono's thoughts: Under Account > Permissions, you can set all access settings for your users.

Question: How will I know if an EHR, or the EHI in that EHR, has been altered or deleted?
drchrono's thoughts: On drchrono's website, go to Clinical > Audit Log to view all activity and access in the practice.

Question: If I participate in an HIO, how will I know if the health information I exchange is altered in an unauthorized manner?
drchrono's thoughts: On drchrono's website, go to Clinical > Audit Log to view all activity and access in the practice.

Question: If my EHR system is capable of providing my patients with a way to access their health record/information via the Internet (e.g. through a portal) and I implement that feature, will my patients be permitted to modify any of the health information within that record? If so, what information?
drchrono's thoughts: Patient information entered through OnPatient is stored separately from clinician-entered information, and only appropriate clinical users have the ability to enter that patient information in the EHR.

Comments: ______________________________ Initials: ________

Assessing Availability Risks

Question: How will I ensure that EHI, regardless of where it resides, is readily available to me and my employees for authorized purposes, including after normal office hours?
drchrono's thoughts: Since drchrono is web-based, it can be accessed from the computer or iPad wherever there is an internet connection!

Question: Do I have a backup strategy for my EHRs in the event of an emergency, or to ensure I have access to patient information if the power goes out or my computer crashes?
drchrono's thoughts: Since drchrono is web-based, it can be accessed from the computer or iPad wherever there is an internet connection. In case of a computer crash, you can always use a different computer! In case of server downtime, check status.drchrono.com for real-time updates.

Question: If I participate in an HIO, does it have performance standards regarding network availability?
drchrono's thoughts: Network availability could affect performance but should never affect security.

Question: If my EHR system is capable of providing my patients with a way to access their health record/information via the Internet (e.g. through a portal) and I implement that feature, will I allow 24/7 access?
drchrono's thoughts: OnPatient is available to patients 24/7!

Comments: ______________________________ Initials: ________

Identifying Administrative Safeguards

Question: Have I updated my internal information security processes to include the use of EHRs, connectivity to HIOs, offering portal access to patients, and the handling and management of EHI in general?
drchrono's thoughts: By completing periodic review of the above analysis and reacting appropriately, you are updating your security processes.

Question: Have I trained my employees on the use of EHRs, and on other electronic health information related technologies that I plan to implement? Do they understand the importance of keeping EHI protected?
drchrono's thoughts: Each user is able to join in drchrono's training during implementation. You should also review your sanction policy with each employee.

Question: Have I identified how I will periodically assess my use of health IT to ensure my safeguards are effective?
drchrono's thoughts: You can print this document out periodically and use it as a tool to maintain security.

Question: As employees enter and leave my practice, have I defined processes to ensure electronic health information access controls are updated accordingly?
drchrono's thoughts: By managing staff and permissions in drchrono, you can make sure all information access controls are updated appropriately.

Question: Have I developed a security incident response plan so that my employees know how to respond to a potential security incident involving EHI (e.g. unauthorized access to an EHR, corrupted EHI)?
drchrono's thoughts: In case of a breach of security, designated administrators can update password information, review audit logs, and communicate with any patients whose records may have been breached.

Question: Have I developed processes that outline how EHI will be backed up or stored outside of my practice when it is no longer needed (e.g. when a patient moves and no longer receives care at the practice)?
drchrono's thoughts: Again, since drchrono is web-based, there should be no local storage necessary. You are able to mark patients as inactive to designate when patients no longer receive care.

Question: Have I developed contingency plans so that my employees know what to do if access to EHRs and other EHI is not available for an extended period of time?
drchrono's thoughts: Since drchrono is web-based, it can be accessed from the computer or iPad wherever there is an internet connection!

Question: Have I developed processes for securely exchanging electronic health information with other health care entities?
drchrono's thoughts: Please review our terms of service online if you have any questions.

Question: Have I developed processes that my patients can use to securely connect to a portal?
Question: Have I developed processes for proofing the identity of my patients before granting them access to the portal?
drchrono's thoughts: Patients must present a unique identifier captured in drchrono and go through a two-step authorization process including patient and provider to enable access to OnPatient.

Question: Do I have a process to periodically test my health IT backup capabilities, so that I am prepared to execute them?
drchrono's thoughts: Again, since drchrono is web-based, there should be no local storage necessary.

Question: If equipment is stolen or lost, have I defined processes to respond to the theft or loss?
drchrono's thoughts: No PHI should ever be stored on local equipment, but it's always smart to change your password in case of theft!

Comments: ______________________________ Initials: ________

Identifying Physical Safeguards

Question: Do I have basic office security in place, such as locked doors and windows, and an alarm system? Are they being used properly during working and non-working hours?
drchrono's thoughts: We hope so!

Question: Are my desktop computing systems in areas that can be secured during non-working hours?
drchrono's thoughts: With drchrono's auto-logoff features, this should not be an issue.

Question: Are my desktop computers out of reach of patients and other personnel not employed by my practice during normal working hours?
drchrono's thoughts: Make sure to verify the physical location of any new equipment you may purchase as part of your implementation.

Question: Is mobile equipment (e.g. laptops), used within and outside my office, secured to prevent theft or loss?
drchrono's thoughts: Again, drchrono's website and iPad platforms have auto-logoff functionality, so PHI is secure.

Question: Do I have a documented inventory of approved and known health IT computing equipment within my practice?
Question: Will I know if one of my employees is using a computer or media device not approved for my practice?
drchrono's thoughts: Any activity is recorded in the Audit Log, but since drchrono is web-based, your users can access it from anywhere, regardless of physical computing equipment locations.

Question: Do my employees implement basic computer security principles, such as logging out of a computer before leaving it unattended?
drchrono's thoughts: With drchrono's auto-logoff features, this should not be an issue.

Comments: ______________________________ Initials: ________

Identifying Technical Safeguards

Question: Have I configured my computing environment where electronic health information resides using best-practice security settings (enabling a firewall, virus detection, and encryption where appropriate)? Am I maintaining that environment to stay up to date with the latest computer security updates?
drchrono's thoughts: Since drchrono is web-based, no patient health information should be stored locally, and security is maintained on the server.

Question: Are there other types of software on my EHI computing equipment that are not needed to sustain my health IT environment (e.g. a music file sharing program), which could put my health IT environment at risk?
drchrono's thoughts: The PHI will all reside on the server, so other applications should not be a threat to your secure online drchrono connection.

Question: Is my EHR certified to address industry recognized/best-practice security requirements?
drchrono's thoughts: drchrono is ONC-ATCB Certified as a complete EHR product!

Question: Are my health IT applications installed properly, and are the vendor recommended security controls enabled (e.g. computer inactivity timeouts)?
drchrono's thoughts: Ensure your logout settings are configured for your iPad.

Question: Is my health IT computing environment up to date with the most recent security updates and patches?
drchrono's thoughts: You should always update your equipment with up-to-date security patches, but all PHI is protected online.

Question: Have I configured my EHR application to require my employees to be authenticated (e.g. username/password) before gaining access to the EHR? And have I set their access privileges to electronic health information correctly?
drchrono's thoughts: Using drchrono's authorization and permission features, you can ensure that all privileges to PHI are controlled appropriately.

Question: If I have or plan to establish a patient portal, do I have the proper security controls in place to authenticate the patient (e.g. username/password) before gaining access to the portal and the patient's EHI? Does the portal's security reflect industry best practices?
drchrono's thoughts: Patients must present a unique identifier captured in drchrono and go through a two-step authorization process including patient and provider to enable access to OnPatient.

Question: If I have or plan to set up a wireless network, do I have the proper security controls defined and enabled (e.g. known access points, data encryption)?
drchrono's thoughts: Since you can access drchrono's secure website through any wireless network, no special security controls need to be accounted for.

Question: Have I enabled the appropriate audit controls within my health IT environment to be alerted of a potential security incident, or to examine security incidents that have occurred?
drchrono's thoughts: Using the Audit Log within drchrono and the Audit Log Review Form below should suffice.

Comments: ______________________________ Initials: ________

Sanction Policy

You are required to implement and enforce a policy to apply sanctions against members of the workforce who violate the respective regulations. We suggest you use the sample sanction policy content below as a reference to create your policy and ensure that all employees are knowledgeable of the policy.

Privacy Final Rule Requirement

1. Sanctions. A covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity…
2. Implementation Specification. A covered entity must document the sanctions that are applied, if any.

Security Final Rule Requirement

1. Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
2. Sanction Policy. Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.

Sample Sanction Policy*

DEFINITION OF OFFENSE:

Class I offenses: (1) Accessing information that you do not need to know to do your job; (2) Sharing your computer access codes (user name & password); (3) Leaving your computer unattended while you are logged into a PHI program; (4) Sharing PHI with another employee without authorization; (5) Copying PHI without authorization; (6) Changing PHI without authorization; (7) Discussing confidential information in a public area or in an area where the public could overhear the conversation; (8) Discussing confidential information with an unauthorized person; or (9) Failure to cooperate with the privacy officer.

Class II offenses: (1) Second offense of any Class I offense (does not have to be the same offense); (2) Unauthorized use or disclosure of PHI; (3) Using another person's computer access codes (user name & password); or (4) Failure to comply with a resolution team resolution or recommendation.

Class III offenses: (1) Third offense of any Class I offense (does not have to be the same offense); (2) Second offense of any Class II offense (does not have to be the same offense); (3) Obtaining PHI under false pretenses; or (4) Using and/or disclosing PHI for commercial advantage, personal gain or malicious harm.

SANCTIONS:

Class I offenses shall include, but are not limited to: (a) Verbal reprimand; (b) Written reprimand in employee's personnel file; (c) Retraining on HIPAA Awareness; (d) Retraining on Company's Privacy and Security Policy and how it impacts the said employee and said employee's department; or (e) Retraining on the proper use of internal forms and HIPAA required forms.

Class II offenses shall include, but are not limited to: (a) Written reprimand in employee's personnel file; (b) Retraining on HIPAA Awareness; (c) Retraining on Company's Privacy Policy and how it impacts the said employee and said employee's department; (d) Retraining on the proper use of internal forms and HIPAA required forms; or (e) Suspension of employee (in reference to suspension period: minimum of one (1) day / maximum of three (3) days).

Class III offenses shall include, but are not limited to: (a) Termination of employment; (b) Civil penalties as provided under HIPAA or other applicable Federal/State/Local law; or (c) Criminal penalties as provided under HIPAA or other applicable Federal/State/Local law.

Audit Log Review

Reviewer: ______________________
Findings: ______________________________________________
Escalation?: ________
Date: ______________
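The Audit Log Review form above records who reviewed the log, what was found, whether it was escalated, and when. The following script is an added example of how a practice could run a periodic review of an exported audit log and fill in those four columns; it is not drchrono code and the line format, user names, business hours and threshold it uses are constructed assumptions, not drchrono's actual Audit Log export. It flags the kinds of events the guide's questions ask about: access by someone not on the staff list, access outside office hours, deletions of records, and one user opening an unusually large number of charts in a day.

```python
"""Periodic audit log review helper (added example, not drchrono code).

Assumed log line format (constructed for this example; the real export may differ):
    <ISO-8601 timestamp>,<user>,<action>,<patient id>
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample audit log lines for a two-day review period.
SAMPLE_LOG = """\
2014-03-03T09:12:00,dr.smith,VIEW_CHART,P1001
2014-03-03T09:15:00,dr.smith,EDIT_CHART,P1001
2014-03-03T10:02:00,nurse.jones,VIEW_CHART,P1002
2014-03-03T23:40:00,nurse.jones,VIEW_CHART,P1003
2014-03-04T08:30:00,frontdesk.temp,VIEW_CHART,P1004
2014-03-04T11:00:00,dr.smith,DELETE_DOCUMENT,P1005
2014-03-04T14:00:00,billing.lee,VIEW_CHART,P1006
2014-03-04T14:01:00,billing.lee,VIEW_CHART,P1007
2014-03-04T14:02:00,billing.lee,VIEW_CHART,P1008
2014-03-04T14:03:00,billing.lee,VIEW_CHART,P1009
2014-03-04T14:04:00,billing.lee,VIEW_CHART,P1010
"""

# Hypothetical staff list: the users an administrator has granted access under
# Account > Permissions. Anyone else appearing in the log is a finding.
AUTHORIZED_USERS = {"dr.smith", "nurse.jones", "billing.lee"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed office hours
BULK_THRESHOLD = 5                           # distinct charts per user per day


def parse_log(text):
    """Turn the exported lines into dicts; blank lines are ignored."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient = line.split(",")
        entries.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "action": action, "patient": patient})
    return entries


def review(entries, authorized=AUTHORIZED_USERS):
    """Return a list of (kind, user, when) findings for the review period."""
    findings = []
    charts_per_user_day = defaultdict(set)
    for e in entries:
        when = e["ts"].isoformat()
        if e["user"] not in authorized:
            findings.append(("unauthorized_user", e["user"], when))
        if not (BUSINESS_HOURS[0] <= e["ts"].time() <= BUSINESS_HOURS[1]):
            findings.append(("after_hours", e["user"], when))
        if e["action"].startswith("DELETE"):
            # Integrity question: how will I know if EHI was altered or deleted?
            findings.append(("deletion", e["user"], when))
        charts_per_user_day[(e["user"], e["ts"].date())].add(e["patient"])
    # Bulk access is judged per user per day, after the whole log is read.
    for (user, day), patients in charts_per_user_day.items():
        if len(patients) >= BULK_THRESHOLD:
            findings.append(("bulk_access", user, f"{day} ({len(patients)} charts)"))
    return findings


def needs_escalation(findings):
    """Escalate when someone outside the staff list or a bulk read appears;
    after-hours access and deletions are recorded for the reviewer to judge."""
    return any(kind in {"unauthorized_user", "bulk_access"} for kind, _, _ in findings)


def review_form_row(reviewer, entries, review_date):
    """Produce one row for the Audit Log Review form (Reviewer, Findings, Escalation?, Date)."""
    findings = review(entries)
    summary = "; ".join(f"{kind}: {user} @ {when}" for kind, user, when in findings)
    return {"Reviewer": reviewer,
            "Findings": summary or "none",
            "Escalation?": "yes" if needs_escalation(findings) else "no",
            "Date": review_date}


if __name__ == "__main__":
    for column, value in review_form_row("privacy.officer", parse_log(SAMPLE_LOG),
                                         "2014-03-05").items():
        print(f"{column}: {value}")
```

On the constructed log this produces four findings (one after-hours read, one user not on the staff list, one deletion, one bulk read) and marks the row for escalation; the staff list, office hours and bulk threshold should be set to what the practice has actually configured before the script is used on a real export.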