Risk Analysis

Confidentiality Checklist

What new electronic health information has been introduced into my practice by using an EHR or a Practice Management System? Where will that electronic health information reside?
RevolutionEHR practice management and electronic health record software was implemented. This is Internet-hosted, cloud-based subscription software. All data is stored on the vendor's servers.
Comments: _____________________________________________________________________
Signature: ____________________________________________________ Date: _____________

Who in my office (employees, other providers, etc.) will have access to the electronic health information?
Those designated by the business ownership as System Administrators will create access and set permissions for all other users. Our practice implemented RevolutionEHR's recommended login controls (username, password, and time and location access limits) per the release notes.
Comments: _____________________________________________________________________
Signature: ____________________________________________________ Date: _____________

Should all personnel with access to EHRs have the same level of access?
Each person has unique and individual permissions, as set by the System Administrator. These permissions govern the features available to the user.
Comments: _____________________________________________________________________
Signature: ____________________________________________________ Date: _____________

Will I permit my employees to have electronic health information on mobile computing/storage equipment? If so, do they know how, and do they have the resources necessary, to keep electronic health information secure on these devices?
Each user will have access to electronic health information on mobile equipment. RevolutionEHR does not store information on any local computing equipment.
Comments: _____________________________________________________________________
Signature: ____________________________________________________ Date: _____________

How will I know if electronic health information has been accidentally or maliciously disclosed to an unauthorized person?
The System Administrator will review the RevolutionEHR Audit Log for the practice at least every 90 days, using a random review of patient record access to check for unauthorized access, and will review the log for a specific patient at any time suspicious activity is suspected. RevolutionEHR has Certified emergency access capabilities, and our practice has configured a notice to be sent to the System Administrator whenever any user accesses the system through this "break glass" avenue.
Comments: _____________________________________________________________________
Signature: ____________________________________________________ Date: _____________

When I upgrade my computer storage equipment (e.g., hard drives), will electronic health information be properly erased from the old storage equipment before I dispose of it?
RevolutionEHR does not store information on any local computing equipment. Files stored on any local computer hard drive that were prepared for uploading (e.g., scans of insurance cards or patient intake forms), or information that was downloaded from RevolutionEHR (e.g., record summaries), are carefully and entirely managed in compliance with the practice's HIPAA policy on protecting health information.
Comments: _____________________________________________________________________
Signature: ____________________________________________________ Date: _____________

Are my backup facilities secured (computers, tapes, offices, etc., used to back up EHRs and other health IT)?
RevolutionEHR is a cloud-based system and manages all backup processes. There is no local copy of information for the practice to manage.
Comments: _____________________________________________________________________
Signature: ____________________________________________________ Date: _____________

How is RevolutionEHR updated, and how will the practice know of any security updates that need to occur?
RevolutionEHR is a cloud-based system and manages all update processes. There are no local security updates that must be undertaken by the practice. At least every 90 days, the System Administrator will review the security updates delivered in each release and provide relevant information to all users.
Comments: _____________________________________________________________________
Signature: ____________________________________________________ Date: _____________

Will I be sharing electronic health information contained in EHRs with other health care entities? If so, what security policies do I need to be aware of?
RevolutionEHR is 2011 Certified to create electronic health information, but currently does not share information with other health care entities directly. The practice currently shares data only through HIPAA-compliant processes, including fax and mail.
Comments: _____________________________________________________________________
Signature: ____________________________________________________ Date: _____________

If my EHR system is capable of providing my patients with a way to access their health record/information via the Internet, will my patients' electronic health information be protected?
RevolutionEHR provides patient access through RevolutionPHR, an online health record system. It utilizes the same Certified security transmission standards and username/password login processes as RevolutionEHR. Only a user in the practice can provide the patient with login credentials.
Comments: _____________________________________________________________________
Signature: ____________________________________________________ Date: _____________

Will I communicate with my patients electronically (e.g., through a portal or email)? Are those communications secured?
Data delivered by RevolutionPHR utilizes the same Certified security transmission standards as RevolutionEHR. Any email delivered by RevolutionEHR to patients does not contain protected health information.
Comments: _____________________________________________________________________
Signature: ____________________________________________________ Date: _____________

Integrity Checklist

Who in my office will be permitted to create or modify electronic health information contained in the EHR?
Each person has unique and individual permissions, as set by the System Administrator. These permissions govern the features available to the user. The System Administrator will review the Audit Log at least every 90 days, using a random review of user access and data input to monitor for unauthorized creation or modification of information.
Comments: _____________________________________________________________________
Signature: ____________________________________________________ Date: _____________

How will I know if electronic health information in the EHR has been viewed, altered or deleted?
All activity is recorded in an Audit Log, which is a plain-English record of access, modification and deletion of data in a chart.
Comments: _____________________________________________________________________
Signature: ____________________________________________________ Date: _____________

Will my patients be permitted to modify any of the health information within their record?
The practice has elected to allow patients to view their health information and, with restrictions limiting changes to selected demographic data, to modify it.
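The two Audit Log review controls above (the confidentiality review for unauthorized access and "break glass" use, and the integrity review for unauthorized creation or modification) can be made repeatable with a small review script. The following is an added example written for this checklist; it is not RevolutionEHR's code, and the pipe-delimited log format, the user permission table, and all log entries are constructed assumptions, since the page only says the Audit Log is a plain-English record of access, modification and deletion. It pulls every emergency-access entry for escalation to the System Administrator, flags entries outside a user's permitted actions, hours or locations, and draws a reproducible random sample for the manual 90-day review.

```python
"""Quarterly Audit Log review helper (added example; assumed log format)."""
import random
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log. Field layout (an assumption for this example):
#   timestamp|user|record|action|location|mode
AUDIT_LOG = [
    "2024-03-04T09:15:00|drsmith|patient:1001|view|clinic|normal",
    "2024-03-04T09:20:00|frontdesk|patient:1001|modify|clinic|normal",
    "2024-03-04T22:05:00|frontdesk|patient:1002|view|home|normal",   # after hours, off-site
    "2024-03-05T10:00:00|tech1|patient:1003|delete|clinic|normal",   # no delete permission
    "2024-03-06T03:30:00|drjones|patient:1004|view|home|emergency",  # break-glass access
    "2024-03-06T11:00:00|drsmith|patient:1005|modify|clinic|normal",
]

# Per-user permissions as the System Administrator would set them (constructed).
# hours = (start_hour, end_hour) in 24h local time, end exclusive.
USERS = {
    "drsmith":   {"actions": {"view", "modify"}, "hours": (7, 19), "locations": {"clinic", "home"}},
    "drjones":   {"actions": {"view", "modify"}, "hours": (7, 19), "locations": {"clinic"}},
    "frontdesk": {"actions": {"view", "modify"}, "hours": (8, 18), "locations": {"clinic"}},
    "tech1":     {"actions": {"view"},           "hours": (8, 18), "locations": {"clinic"}},
}


@dataclass(frozen=True)
class Entry:
    ts: datetime
    user: str
    record: str
    action: str
    location: str
    mode: str  # "normal" or "emergency"


def parse_log(lines):
    """Parse the assumed pipe-delimited format into Entry objects."""
    entries = []
    for line in lines:
        ts, user, record, action, location, mode = line.strip().split("|")
        entries.append(Entry(datetime.fromisoformat(ts), user, record, action, location, mode))
    return entries


def break_glass_events(entries):
    """Every emergency ('break glass') access is escalated to the System Administrator."""
    return [e for e in entries if e.mode == "emergency"]


def restriction_violations(entries, users):
    """Flag normal-mode entries outside the user's permitted actions, hours or locations."""
    findings = []
    for e in entries:
        perm = users.get(e.user)
        if perm is None:
            findings.append((e, "unknown user"))
            continue
        if e.mode == "emergency":
            continue  # reviewed separately via break_glass_events
        start, end = perm["hours"]
        if e.action not in perm["actions"]:
            findings.append((e, f"action '{e.action}' not permitted"))
        if not (start <= e.ts.hour < end):
            findings.append((e, "outside permitted hours"))
        if e.location not in perm["locations"]:
            findings.append((e, f"location '{e.location}' not permitted"))
    return findings


def random_review_sample(entries, size, seed):
    """Reproducible random sample of record accesses for the manual review."""
    rng = random.Random(seed)  # fixed seed so the reviewed sample can be re-derived later
    return rng.sample(entries, min(size, len(entries)))


def quarterly_review(lines, users, sample_size=2, seed=0):
    """Run all three checks over the raw log lines and return the findings."""
    entries = parse_log(lines)
    return {
        "break_glass": break_glass_events(entries),
        "violations": restriction_violations(entries, users),
        "sample": random_review_sample(entries, sample_size, seed),
    }


if __name__ == "__main__":
    report = quarterly_review(AUDIT_LOG, USERS)
    for e in report["break_glass"]:
        print("NOTIFY System Administrator: emergency access", e.user, e.record, e.ts)
    for e, why in report["violations"]:
        print("REVIEW:", e.user, e.action, e.record, e.ts, why)
    for e in report["sample"]:
        print("SAMPLE for manual review:", e.user, e.action, e.record, e.ts)
```

Emergency-access entries are deliberately excluded from the restriction check so that a legitimate break-glass use does not also show up as an hours or location violation; it is escalated on its own, matching the notice the practice configured. The sampling seed is fixed so the entries chosen for a given quarter's review can be reproduced if the review is questioned later.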
The System Administrator receives a message for each patient action that modifies any demographic information.
Comments: _____________________________________________________________________
Signature: ____________________________________________________ Date: _____________

Availability Checklist

How will I ensure that electronic health information, regardless of where it resides, is readily available to the employees for authorized purposes, including after normal office hours?
With cloud-based software, access can be achieved from any Internet-connected computer, from any location, at any time. The System Administrator has set location, role, and time-of-day restrictions for each registered user. Those users who need emergency access have knowledge of the Emergency Access URL for RevolutionEHR.
Comments: _____________________________________________________________________
Signature: ____________________________________________________ Date: _____________

Do I have a backup strategy for my EHRs in the event of an emergency, or to ensure I have access to patient information if the power goes out or my computer crashes?
RevolutionEHR takes database backups automatically. These may be restored to other computers in case of emergency. The practice has access to battery backups for local power outages, and to wireless Internet access through a cellular-enabled mobile Wi-Fi card.
Comments: _____________________________________________________________________
Signature: ____________________________________________________ Date: _____________