Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Data Management

Security Risk Analysis

advertisement 
Risk Analysis
Confidentiality Checklist
What new electronic health information has been introduced into my practice by using an EHR or a Practice
Management System? Where will that electronic health information reside?
RevolutionEHR practice management and electronic health record software was implemented. This is an Internethosted, Cloud-based subscription software. All data is stored on their servers.
Comments: _____________________________________________________________________
Signature: ____________________________________________________ Date: _____________
Who in my office (employees, other providers, etc.) will have access to the electronic health information?
Those designated by the business ownership as System Administrators will create access and set permissions for all
other users. Our practice implemented RevolutionEHR’s recommended login controls (username, password, time
and location access limits) per the release notes.
Comments: _____________________________________________________________________
Signature: ____________________________________________________ Date: _____________
Should all personnel with access to EHRs have the same level of access?
Each person has unique and individual permissions, as set by the System Administrator. These permissions govern
features available to the user.
Comments: _____________________________________________________________________
Signature: ____________________________________________________ Date: _____________
Will I permit my employees to have electronic health information on mobile computing/storage equipment? If so, do
they know how, and do they have the resources necessary, to keep electronic health information secure on these
devices?
Each user will have access to electronic health information on mobile equipment. RevolutionEHR does not store
information on any computing equipment.
Comments: _____________________________________________________________________
Signature: ____________________________________________________ Date: _____________
How will I know if electronic health information has been accidentally or maliciously disclosed to an unauthorized
person?
The System Administrator will review the RevolutionEHR Audit Log for the practice at least every 90 days with a
random review of patient record access to view for unauthorized access, or for a specific patient at any time of
suspected activity. RevolutionEHR has Certified emergency access capabilities, and our practice has set for a notice
to go to the System Administrator if any user accesses through this “break glass” avenue.
Comments: _____________________________________________________________________
Signature: ____________________________________________________ Date: _____________
When I upgrade my computer storage equipment (e.g., hard drives), will electronic health information be properly
erased from the old storage equipment before I dispose of it?
RevolutionEHR does not store information on any computing equipment. Files that are stored on any local computer
hard drives that was prepared for uploading (e.g. scans of insurance cards of patient intake forms) or information
that was downloaded from RevolutionEHR (e.g. record summaries) are carefully and entirely managed in compliance
with the practice’s HIPAA policy on protecting health information.
Comments: _____________________________________________________________________
Signature: ____________________________________________________ Date: _____________
Are my backup facilities secured (computers, tapes, offices, etc., used to backup EHRs and other health IT)?
RevolutionEHR is a cloud-based system and manages all backup processes. There is no local copy of information for
the practice to manage.
Comments: _____________________________________________________________________
Signature: ____________________________________________________ Date: _____________
How is RevolutionEHR updated and how will the practice know of any security updates that need to occur?
RevolutionEHR is a cloud-based system and manages all update processes. There are no local security updates that
must be undertaken by the practice. At least every 90 days, the System Administrator will review security updates as
delivered through updates and provide relevant information to all users.
Comments: _____________________________________________________________________
Signature: ____________________________________________________ Date: _____________
Will I be sharing electronic health information contained in EHRs with other health care entities? If so, what security
policies do I need to be aware of?
RevolutionEHR is 2011 Certified to create electronic health information, but currently does not share information
with other health care entities directly. The practice currently shares data only through HIPAA compliant processes
including fax and mail.
Comments: _____________________________________________________________________
Signature: ____________________________________________________ Date: _____________
If my EHR system is capable of providing my patients with a way to access their health record/information via the
Internet, will my patients’ electronic health information be protected?
RevolutionEHR provides patient access through RevolutionPHR, an online health record system. It utilizes the same
Certified security transmission standards and username/password login processes as RevolutionEHR. Only a user in
the practice can provide the patient with login credentials.
Comments: _____________________________________________________________________
Signature: ____________________________________________________ Date: _____________
Will I communicate with my patients electronically (e.g., through a portal or email)? Are those communications
secured?
Data delivered by RevolutionPHR utilizes the same Certified security transmission standards as RevolutionEHR. Any
email delivered by RevolutionEHR to patients does not contain protected health information.
Comments: _____________________________________________________________________
Signature: ____________________________________________________ Date: _____________
Integrity Checklist
Who in my office will be permitted to create or modify electronic health information contained in the EHR?
Each person has unique and individual permissions, as set by the System Administrator. These permissions govern
features available to the user. The System Administrator will review the Audit Log at least every 90 days with a
random review of user access and data input to monitor for unauthorized creation or modification of information.
Comments: _____________________________________________________________________
Signature: ____________________________________________________ Date: _____________
How will I know if electronic health information in the EHR has been viewed, altered or deleted?
All activity is recorded in an Audit Log, which is a plain-English record of access, modification and deletion of data in a
chart.
Comments: _____________________________________________________________________
Signature: ____________________________________________________ Date: _____________
Will my patients be permitted to modify any of the health information within their record?
The practice has elected to allow patients to view, and with restrictions to selected demographic data, modify health
information. The System Administrator receives a message for each patient action that modifies any demographic
information.
Comments: _____________________________________________________________________
Signature: ____________________________________________________ Date: _____________
Availability Checklist
How will I ensure that electronic health information, regardless of where it resides, is readily available to the
employees for authorized purposes, including after normal office hours?
With cloud-based software, access can be achieved from any Internet-connected computer, from any location, at any
time. The System Administrator has set location, role, and time of day restrictions for each registered user. Those
users who need emergency access have knowledge of the Emergency Access URL for RevolutionEHR.
Comments: _____________________________________________________________________
Signature: ____________________________________________________ Date: _____________
Do I have a backup strategy for my EHRs in the event of an emergency, or to ensure I have access to patient
information if the power goes out or my computer crashes?
RevolutionEHR takes data base backups automatically. These may be restored to other computers in case of
emergency. The practice has access to battery-backups for local power outages, and wireless internet access through
a cell-enabled mobile WiFi card to provide access.
Comments: _____________________________________________________________________
Signature: ____________________________________________________ Date: _____________
Related documents
Clinical Agency Specific Orientation
Clinical Agency Specific Orientation
Application for Research Funding - The University of Tennessee at
Application for Research Funding - The University of Tennessee at
Online applicants - Heart is Found Photography
Online applicants - Heart is Found Photography
Application
Application
Columbia University...Department of Biological Sciences
Columbia University...Department of Biological Sciences
The Military Order of the World Wars
The Military Order of the World Wars
evaluation form for general employment traits
evaluation form for general employment traits
Registration form - University of Johannesburg
Registration form - University of Johannesburg
Download
advertisement