Safeguarding Patient Data in EHRs

A recent blog by the HIPAA, HITECH & HIT legal blog of Fox Rothschild revealed a survey administered by the Office of Inspector General (OIG) of the U.S. Dept. of Health & Human Services (HHS). The EHR (electronic health record) technology questionnaire is part of a study on fraud and abuse safeguards in EHRs.

A recent blog by the HIPAA, HITECH & HIT legal blog of Fox Rothschild revealed a survey administered by the Office of Inspector General (OIG) of the U.S. Dept. of Health & Human Services (HHS). The EHR (electronic health record) technology questionnaire is part of a study on fraud and abuse safeguards in EHRs.

The questionnaire may serve as insight for hospitals attempting to establish safeguards with their digital systems to protect electronic protected health information (ePHI) and prevent a potential HIPAA violation. The topics include:

Basic EHR Information
This includes what type of EHR technology is used, whether a commercial vendor product, internally developed, or a hybrid solution using both vendor and internally developed products. Additionally, it includes whether or not the hospital is part of a network of hospitals that use the same EHR technology, and the length of time the hospital has been using it.

A question regarding how diagnoses and procedures are coded includes the options of manually coded by professionals, or automatic software coding. The OIG is also interested in whether or not the hospital has plans to adopt computer-assisted coding.

Access Controls
The survey asks about the following user authorization controls used to limit access to the EHR system:

• Unique user ID/Password
• Token-based (the use of an ID card, or badge)
• Biometrics (could be in the form of a fingerprint to validate identity)
• Public-key (digital certificates)

In addition, the survey asks about the following access control policies and procedures:

• Automatic user log-off/session time-out
• Minimum password configuration rules
• Regularly changing passwords
• User agreements or contracts to prevent password sharing

Tracking Outside Entities (Third-Parties)
The OIG asked questions about third-party (i.e., payers) access to EHR systems, and how they connect, whether remotely or on-site. They are also interested in tracking third-party system activity with unique user IDs, and the specific limitations hospitals put on third-party access to their systems (and, if any, types of data and types of control).

Another question brings insight into the OIG and their interest in barriers that may exist, prohibiting outside entities from accessing EHR systems. This may be an indicator that secure, streamlined information exchange is a priority, as they list a number of barriers that include EHR technology/hardware doesn’t support capability; insufficient human resources; funding restrictions/additional costs to implement; insufficient EHR training; inability to integrate with existing systems; concerns with patient privacy and more.

Audit Logs
The survey asks about an EHR system’s audit log and tracking of access and changes, and the specific events that the audit log records:

• Each entry or access into an EHR system
• Signature events (proactive or auto default completion of a patient encounter)
• Export of EHR document (printed, electronically exported, emailed)
• Amendments, corrections or modifications of data
• Import of data
• Disabling of audit log
• Release of encounter for billing
• Access by an authorized outside entity

Specific audit data that is recorded may include:

• National provider ID (NPI)
• Data/Time/User stamps
• Access type
• Internet Protocol (IP)/Media Access Control (MAC) address
• Network Time Protocol (NTP)/Simple Network Time Protocol (SNTP) synchronized time
• Method of data entry
• Data/Time/User stamp of author

Questions include who can delete, disable or edit the audit log, as well as who specifically analyzes log data, and how often. Daily log review is required to meet PCI DSS compliance, and it is highly recommended to meet HIPAA compliance. HIPAA requires the ability to monitor log-in attempts and reporting discrepancies (§164.308(a)(5)(ii)(C) of the HIPAA Security Standards Administrative Safeguards). As a subset of the Security Awareness and Training Standard (§164.308(a)(5)), log-in monitoring requires tracking failed log-in attempts to make workforce members aware of password management and system use.

Find out more about the technical, administrative and physical security services needed to meet HIPAA compliance, and more about HIPAA hosting requirements for vendors and covered entities by reading our HIPAA Compliant Hosting white paper.

Related Links:
The HIPAA Police Are On Their Way!

References:
OIG EHR Questionnaire Focuses on Fraud Safeguards