With more hospitals and clinics starting to explore electronic health records (EHR), security is one of the most pressing issues they’ll have to face (aside from cost). And thanks to the passage of the HITECH Act, along with the requirements set forth through HIPAA, Congress has made sure that IT security is getting the attention it deserves.
Violating HIPAA and HITECH is a very serious offense, with hefty fines and even imprisonment on the line if you or your clinic doesn’t follow the strict regulations. So it’s vital you gain an in-depth understanding of EHR security before you make a final decision on your system.
But what does this mean for your clinic? What do you need to consider, security-wise, when you’re looking at different EHR systems and vendors? How do you know who’s allowed to view what on your EHR system? What do you need to look for?
Let’s take a look at some of these common issues.
First, your EHR system should have the following capabilities:
- Access Control – Every member of staff should have a unique login name or number, so the system can attribute every action to the person who took it and so you can restrict each level of data to the users authorized to see it. Shared or generic logins defeat both goals.
- Automatic Log Off – If a staff member walks away without logging off, the system should end the session automatically after a set idle period.
- Audit Log – A good EHR system records every action taken in the system: who did it, when, and which patient record it touched. You should be able to generate a report of all actions within a set time period.
- Encryption – Your system should encrypt patient data using standard, vetted algorithms and protocols (for example AES for stored data and TLS for data in transit), not a vendor’s home-grown scheme.
These are just the very basics a good EHR system should have. But when you start looking at different systems, the amount of information you need to know, especially about security issues, can be overwhelming. What should you even look at?
EHR Security Considerations
1. Role Based Access – Ideally your system limits what a staff member can see to what their role in your clinic requires. Limiting user access this way is one of the most effective ways to keep patient information secure. Some systems go further and let you limit access by patient type, so that certain staff members can only access records for certain patients.
You should ask about the information displayed; for instance, if you work in a psychiatric clinic, will the physician notes be displayed to administrative staff when they log in?
2. System Passwords – How often can staff members change their passwords, and does the system require all staff (including IT and vendor administrator accounts) to change them at regular intervals? Are the password requirements strong (that is, must passwords combine letters, numbers and special characters)? Note that current guidance (NIST SP 800-63B) favors long passphrases and screening against known-breached passwords over forced periodic changes and composition rules, so ask whether the system supports those as well.
3. System Functionality – If you’re part of a larger clinic, the EHR system needs to handle multiple users on a common workstation, with each user working in their own session rather than sharing one login.
4. Network security – Will the system ship with adequate anti-malware protection installed and ready to go, and who is responsible for keeping it and the operating system patched? Does the vendor set up and monitor emergency backup systems? Are firewalls or virtual private networks needed for the system?
5. System Login – How secure is the system login? Will staff need a smart card or key card to log in? What about biometric options such as fingerprint or retinal scans? And what about remote access logins: how will those be kept secure? Remote logins in particular should require a second factor beyond the password.
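The basic capabilities listed earlier (unique logins, automatic log-off, an audit log with time-window reports) and the role-based access in item 1 fit together in one small model. The following Python is an added illustration written for this page, not code from any EHR product or vendor; the role names, record fields, 15-minute idle timeout, staff accounts and patient data are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical role table: the record fields each role may read ("psych_notes" is separate so admin staff never see it).
ROLE_PERMISSIONS = {
    "physician": {"demographics", "vitals", "clinical_notes", "psych_notes"},
    "nurse": {"demographics", "vitals", "clinical_notes"},
    "admin": {"demographics", "billing"},
}
IDLE_TIMEOUT = timedelta(minutes=15)  # assumed automatic log-off interval


@dataclass
class User:
    user_id: str        # unique per staff member, so each action is attributable
    role: str
    patient_types: set  # patient types this user may access, e.g. {"general"}

@dataclass
class Patient:
    patient_id: str
    patient_type: str   # e.g. "general" or "psychiatric"
    record: dict

@dataclass
class AuditEvent:
    timestamp: datetime
    user_id: str
    action: str
    patient_id: Optional[str]
    outcome: str


class EHR:
    def __init__(self, patients, idle_timeout=IDLE_TIMEOUT):
        self.patients = {p.patient_id: p for p in patients}
        self.idle_timeout = idle_timeout
        self.sessions = {}   # user_id -> (User, time of last activity)
        self.audit_log = []  # every attempt, allowed or denied, is recorded

    def _log(self, now, user_id, action, patient_id, outcome):
        self.audit_log.append(AuditEvent(now, user_id, action, patient_id, outcome))

    def login(self, user, now):
        self.sessions[user.user_id] = (user, now)
        self._log(now, user.user_id, "login", None, "success")

    def _active_user(self, user_id, now):
        entry = self.sessions.get(user_id)
        if entry is None:
            return None
        user, last_activity = entry
        if now - last_activity > self.idle_timeout:
            # Automatic log-off: drop the idle session and record why.
            del self.sessions[user_id]
            self._log(now, user_id, "auto_logoff", None, "idle_timeout")
            return None
        self.sessions[user_id] = (user, now)  # activity resets the idle clock
        return user

    def read_field(self, user_id, patient_id, field_name, now):
        """Return the field value, or None if denied; every outcome is logged."""
        action = "read:" + field_name
        user = self._active_user(user_id, now)
        if user is None:
            self._log(now, user_id, action, patient_id, "denied:no_session")
            return None
        patient = self.patients.get(patient_id)
        if patient is None:
            self._log(now, user_id, action, patient_id, "denied:unknown_patient")
            return None
        # Role-based check plus the optional per-patient-type restriction.
        role_ok = field_name in ROLE_PERMISSIONS.get(user.role, set())
        type_ok = patient.patient_type in user.patient_types
        if not (role_ok and type_ok):
            self._log(now, user_id, action, patient_id, "denied:authorization")
            return None
        self._log(now, user_id, action, patient_id, "success")
        return patient.record.get(field_name)

    def audit_report(self, start, end):
        """Every event with start <= timestamp <= end (the time-window report)."""
        return [e for e in self.audit_log if start <= e.timestamp <= end]


def demo():
    """Constructed walkthrough with made-up staff and one made-up patient."""
    t0 = datetime(2024, 1, 1, 9, 0)
    patient = Patient("p1", "psychiatric", {"demographics": "J. Doe",
                      "psych_notes": "session notes", "billing": "acct-42"})
    ehr = EHR([patient])
    ehr.login(User("dr_smith", "physician", {"general", "psychiatric"}), t0)
    ehr.login(User("clerk_jones", "admin", {"general", "psychiatric"}), t0)
    results = {
        "physician_notes": ehr.read_field("dr_smith", "p1", "psych_notes", t0 + timedelta(minutes=1)),
        "admin_notes": ehr.read_field("clerk_jones", "p1", "psych_notes", t0 + timedelta(minutes=2)),
        "admin_billing": ehr.read_field("clerk_jones", "p1", "billing", t0 + timedelta(minutes=3)),
        "physician_after_20_idle_min": ehr.read_field("dr_smith", "p1", "psych_notes", t0 + timedelta(minutes=21)),
    }
    results["report"] = ehr.audit_report(t0, t0 + timedelta(minutes=30))
    return results
```

Running `demo()` shows the physician reading the psychiatric notes, the administrative clerk being refused the same notes but allowed billing, and the physician's second read failing because twenty idle minutes have passed; the audit report for that half hour contains all seven events, including the automatic log-off and both denials, which is exactly what you want to be able to pull when investigating who looked at a record.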
As you can see, there is a lot to consider when you’re looking at security requirements and options for your EHR system, and these considerations and questions I’ve listed only really scratch the surface!
Just make sure you devote plenty of time to understanding the requirements set forth by HITECH and HIPAA. This will enable you to ask your EHR vendor the right questions, and help ensure you end up choosing the right system.