HIPAA Corner: EMR and HIPAA, P3
EMR and HIPAA Part 3 – HIPAA Security Administrative Safeguards
Eliminating the paper chart and relying on a paperless Electronic Medical Records (EMR) system is a serious proposition for a medical practice. In recent articles we have explored HIPAA Privacy and HIPAA Security Technical safeguards with EMR. We now turn our attention to HIPAA Security’s Administrative Safeguards. Resellers should recognize these issues and include appropriate solutions in their service offering.
The Administrative Safeguards specified in the HIPAA Security rule include twenty-three separate implementation specifications. Many of these are general in nature (e.g. having a risk management process to safeguard computer assets) and do not relate specifically to Electronic Medical Records. Some however, will call for new compliance activities when EMR is added to the practice’s network:
A) Information System Activity Review. EMR software, as discussed last month, must include audit trail capabilities. This requirement mandates that the practice systematically use those audit trails. The specific strategy will vary by practice size, type of practice (e.g. psychiatry vs. family practice), and other factors (e.g. whether the practice treats celebrities). An appropriate audit strategy should be devised. For example:
1) A large group practice might want to identify which users, other than the assigned clinician, accessed the chart. If patterns are observed that suggest inappropriate access, action can be taken.
2) Practices that treat celebrities or practice employees as patients might want a report each quarter showing all accesses to each of these patients, because experience has shown that, owing to human curiosity, both categories of patients are subject to privacy violations.
3) Practices with highly sensitive data (e.g. psychiatry, plastic surgery) might want a more intensive audit strategy than practices with less sensitive information, e.g. family practice.
Resellers may have a service opportunity to assist their clients in developing the reporting necessary to query the audit trail database.
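The two audit-trail reviews described in items 1 and 2 above, implemented as an added example (not code from the article or from any EMR vendor): it parses constructed audit log lines, lists users who opened charts of patients not assigned to them, and produces the quarterly access report for flagged patients. The pipe-delimited record format, the field names, the assignment table and the two-chart threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail lines (format assumed: timestamp|user|patient_id|action)
SAMPLE_AUDIT_LINES = """\
2005-01-04T09:12:00|dr_adams|P100|view_chart
2005-01-04T09:30:00|rn_baker|P100|view_chart
2005-01-05T14:02:00|dr_adams|P101|update_chart
2005-01-06T08:45:00|rn_baker|P300|view_chart
2005-01-06T08:47:00|rn_baker|P301|view_chart
2005-01-07T11:10:00|dr_cole|P300|view_chart
2005-02-11T16:20:00|rn_baker|P102|view_chart
2005-04-02T10:00:00|dr_cole|P300|view_chart
""".splitlines()

# Constructed: assigned clinician per patient, and patients flagged for quarterly review
ASSIGNED_CLINICIAN = {"P100": "dr_adams", "P101": "dr_adams", "P102": "dr_adams",
                      "P300": "dr_cole", "P301": "dr_cole"}
FLAGGED_PATIENTS = {"P300"}  # e.g. a staff member or public figure treated by the practice


def parse_audit_lines(lines):
    """Parse pipe-delimited audit lines into dicts; blank lines are skipped."""
    records = []
    for line in lines:
        if not line.strip():
            continue
        ts, user, patient, action = line.strip().split("|")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "patient": patient, "action": action})
    return records


def unassigned_access_patterns(records, assigned, min_distinct_patients=2):
    """Review 1: users who opened charts of patients not assigned to them.
    Returns {user: sorted patient ids} for users at or above the threshold."""
    charts = defaultdict(set)
    for r in records:
        if r["user"] != assigned.get(r["patient"]):
            charts[r["user"]].add(r["patient"])
    return {u: sorted(p) for u, p in charts.items() if len(p) >= min_distinct_patients}


def quarterly_flagged_report(records, flagged, year, quarter):
    """Review 2: every access to a flagged patient's chart in the given quarter."""
    first_month = 3 * (quarter - 1) + 1
    return [(r["ts"].isoformat(), r["user"], r["patient"], r["action"])
            for r in records
            if r["patient"] in flagged and r["ts"].year == year
            and first_month <= r["ts"].month < first_month + 3]
```

A hit in the first review is a prompt for follow-up, not proof of misuse: a nurse working for the assigned clinician will legitimately appear there, so the practice's policy should define which roles are expected on each chart.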
B) Password Management. HIPAA requires a strategy to manage passwords. The EMR system typically represents but one of several passwords each employee might need to keep track of – one at the network level, one for the practice management software, and one for the EMR. To the extent that the EMR system has password management features (e.g. automatic password changes at a user-defined interval) some of the administrative burden for this process might be reduced. This is a training opportunity for resellers. Also, for resellers who integrate software from multiple vendors, a Single Sign-on (SSO) solution can ease the burden on practice staff who otherwise would need to remember many constantly changing and complex passwords.
C) Data Backup and Disaster Recovery Plan. While these matters are always serious business, these two are even more critical when EMR is involved. With a paperless system, a catastrophic data loss could mean the difference between life and death for a patient. Resellers should be aware that some EMR vendors have stepped up to the plate and offered very robust data backup plans. For example, one leading EMR vendor (who does not use resellers) offers real-time internet backup to a secure data center which is mirrored at a geographically separate data center on the other side of the continent. In order to compete, resellers may need something even more robust and failsafe than a RAID system plus once-a-day backup to tape, which previously was a very nice solution.
D) Emergency Mode Operation Plan. Practices need to have a plan dealing with how they will see patients if their system goes down. An Ohio EMR reseller is currently offering its customers a real-time internet backup, combined with an ASP backup system which can be activated within 30 minutes of client on-site system failure. On the flip side, a vendor offering EMR on an ASP basis offers its customers multiple options for emergency-mode operation:
1) On a daily basis, a PDF file can be created with the entire medical record of all patients scheduled for the next day, which is downloaded to a local computer. If the communications link goes down (the most common type of failure with ASP offerings), records for all of the next day's patients will be available locally.
2) This particular vendor generally uses a VPN over a DSL connection to provide connectivity, but configures one to two dial-up lines which can establish a connection in the event the DSL line goes down. Bandwidth on these dial-up lines is limited, but essential information can be accessed.
3) Finally, the vendor offers a periodic set of DVD backups of the entire system (database engine and all) which allow the practice to access the EMR system in the event that the main communication line goes down.
The point here is that more attention needs to be given to this situation than when practice management is the only computer application.
E) Business Associate Agreement. In general, resellers meet the test of Business Associate, and would be advised to offer their clients a standard business associate agreement. See the November, 2004 iMed eNewsletter for more details.
Next month, we’ll turn our attention to physical security with EMR systems.
Copyright © InvestMed, LLC and its licensors. All rights reserved. Images provided by www.plattphotography.com