If your EHR, practice management software, and cloud vendors aren’t vigilant about data security, you could find yourself drowning in a sea of HIPAA security woes.
Protect yourself. Ask your vendors the following questions, adapted from the National Cybersecurity Center of Excellence.
- Are you willing to sign a comprehensive business service agreement?
- Are you willing to confirm compliance with HIPAA Privacy and Security Rules, and willing to be audited, if requested?
Third-party Application Integration
- Does my practice need to integrate the cloud-based EHR system with other in-house products, such as practice management software, billing systems, and email systems? If so, what are the implementation procedures and techniques used?
- What security features protect the data communicated among different systems?
Personal or Device Authentication and Authorization
- What are the security compliance policies for using my own device to access the cloud-based EHR system?
- Does the cloud-based EHR system require a user to be authenticated prior to obtaining access to PHI?
- What are the authentication mechanisms used for accessing the system?
- Is multifactor authentication used? Which factors?
- Does the system offer role-based access control to restrict system access to authorized users to different data sources?
- What kinds of certifications do you have? Health Information TRUST alliance (HITRUST) and Statement on Standards for Attestation Engagements (SSAE 16) are standards that any hosting company needs to follow.
- What measures protect the data from loss, theft, and hacking?
- Does the system back up an exact copy of protected data?
- Are these backup files kept in a different location, well protected, and easily restored?
- Does the system encrypt the protected data while at rest?
- Do you have security procedures and policies for decommissioning used IT equipment and storage devices which contained or processed sensitive information?
Security of Data in Transmission
- What capabilities are available for encrypting health information as it is transmitted from one point to another?
- What reasonable and appropriate steps are taken to reduce the risk that PHI can be intercepted or modified when it is being sent electronically?
Monitoring and Auditing
- Are systems and networks monitored continuously by a 3rd party for security events?
- Do you provide documentation of proof that you conduct regular 3rd party audits?
- Do you log all the authorized and unauthorized access sessions and offer auditing?
- Does the system have audit control mechanisms that can monitor, record, and/or examine information system activities that create, store, modify, and transmit PHI?
- Do you offer the ability to activate emergency access to its information system in the event of a disaster?
- Do you provide recovery from an emergency and resume normal operations and access to patient health information during a disaster?
Customer and Technical Support
- What is included in the customer support / IT support contract and relevant service level agreements?
- Can you provide a written copy of your security and privacy policies and procedures (including disaster recovery)?
Part of doing your due diligence with a vendor means making sure that they know what a business associate agreement is and agree to sign one with you. The HIPAA Security rule requires a written business associate contract or other arrangement with the business associate (vendor) that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the Rule’s requirements to protect the privacy and security of patients’ PHI.
For more on A contractual obligations—and to learn how to leverage your data for financial growth—pick up a copy of Unleash Your EHR’s Superpowers.