By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
SmartData CollectiveSmartData CollectiveSmartData Collective
  • Analytics
    AnalyticsShow More
    data-driven white label SEO
    Does Data Mining Really Help with White Label SEO?
    7 Min Read
    marketing analytics for hardware vendors
    IT Hardware Startups Turn to Data Analytics for Market Research
    9 Min Read
    big data and digital signage
    The Power of Big Data and Analytics in Digital Signage
    5 Min Read
    data analytics investing
    Data Analytics Boosts ROI of Investment Trusts
    9 Min Read
    football data collection and analytics
    Unleashing Victory: How Data Collection Is Revolutionizing Football Performance Analysis!
    4 Min Read
  • Big Data
  • BI
  • Exclusive
  • IT
  • Marketing
  • Software
Search
© 2008-23 SmartData Collective. All Rights Reserved.
Reading: Safeguarding Patient Data in EHRs
Share
Notification Show More
Aa
SmartData CollectiveSmartData Collective
Aa
Search
  • About
  • Help
  • Privacy
Follow US
© 2008-23 SmartData Collective. All Rights Reserved.
SmartData Collective > Big Data > Data Mining > Safeguarding Patient Data in EHRs
Data MiningData WarehousingSecurity

Safeguarding Patient Data in EHRs

onlinetech
Last updated: 2012/11/27 at 1:55 PM
onlinetech
5 Min Read
SHARE

A recent blog by the HIPAA, HITECH & HIT legal blog of Fox Rothschild revealed a survey administered by the Office of Inspector General (OIG) of the U.S. Dept. of Health & Human Services (HHS). The EHR (electronic health record) technology questionnaire is part of a study on fraud and abuse safeguards in EHRs.

A recent blog by the HIPAA, HITECH & HIT legal blog of Fox Rothschild revealed a survey administered by the Office of Inspector General (OIG) of the U.S. Dept. of Health & Human Services (HHS). The EHR (electronic health record) technology questionnaire is part of a study on fraud and abuse safeguards in EHRs.

The questionnaire may serve as insight for hospitals attempting to establish safeguards with their digital systems to protect electronic protected health information (ePHI) and prevent a potential HIPAA violation. The topics include:

Basic EHR Information
This includes what type of EHR technology is used, whether a commercial vendor product, internally developed, or a hybrid solution using both vendor and internally developed products. Additionally, it includes whether or not the hospital is part of a network of hospitals that use the same EHR technology, and the length of time the hospital has been using it.

More Read

HIPAA compliant fax

Data Security Considerations Pertaining to HIPAA Fax

Data Analytics Solutions To HIPAA Compliance During Quarantine
HIPAA Violations Cost Health Insurer $1.7 Million: Lessons Learned
HIPAA Breach Lessons Learned
HIPAA in a HITECH World: HIPAA Violations on the Rise

A question regarding how diagnoses and procedures are coded includes the options of manually coded by professionals, or automatic software coding. The OIG is also interested in whether or not the hospital has plans to adopt computer-assisted coding.

Access Controls
The survey asks about the following user authorization controls used to limit access to the EHR system:

  • Unique user ID/Password
  • Token-based (the use of an ID card, or badge)
  • Biometrics (could be in the form of a fingerprint to validate identity)
  • Public-key (digital certificates)

In addition, the survey asks about the following access control policies and procedures:

  • Automatic user log-off/session time-out
  • Minimum password configuration rules
  • Regularly changing passwords
  • User agreements or contracts to prevent password sharing

Tracking Outside Entities (Third-Parties)
The OIG asked questions about third-party (i.e., payers) access to EHR systems, and how they connect, whether remotely or on-site. They are also interested in tracking third-party system activity with unique user IDs, and the specific limitations hospitals put on third-party access to their systems (and, if any, types of data and types of control).

Another question brings insight into the OIG and their interest in barriers that may exist, prohibiting outside entities from accessing EHR systems. This may be an indicator that secure, streamlined information exchange is a priority, as they list a number of barriers that include EHR technology/hardware doesn’t support capability; insufficient human resources; funding restrictions/additional costs to implement; insufficient EHR training; inability to integrate with existing systems; concerns with patient privacy and more.

Audit Logs
The survey asks about an EHR system’s audit log and tracking of access and changes, and the specific events that the audit log records:

  • Each entry or access into an EHR system
  • Signature events (proactive or auto default completion of a patient encounter)
  • Export of EHR document (printed, electronically exported, emailed)
  • Amendments, corrections or modifications of data
  • Import of data
  • Disabling of audit log
  • Release of encounter for billing
  • Access by an authorized outside entity

Specific audit data that is recorded may include:

  • National provider ID (NPI)
  • Data/Time/User stamps
  • Access type
  • Internet Protocol (IP)/Media Access Control (MAC) address
  • Network Time Protocol (NTP)/Simple Network Time Protocol (SNTP) synchronized time
  • Method of data entry
  • Data/Time/User stamp of author

Questions include who can delete, disable or edit the audit log, as well as who specifically analyzes log data, and how often. Daily log review is required to meet PCI DSS compliance, and it is highly recommended to meet HIPAA compliance. HIPAA requires the ability to monitor log-in attempts and reporting discrepancies (§164.308(a)(5)(ii)(C) of the HIPAA Security Standards Administrative Safeguards). As a subset of the Security Awareness and Training Standard (§164.308(a)(5)), log-in monitoring requires tracking failed log-in attempts to make workforce members aware of password management and system use.

Find out more about the technical, administrative and physical security services needed to meet HIPAA compliance, and more about HIPAA hosting requirements for vendors and covered entities by reading our HIPAA Compliant Hosting white paper.

Related Links:
The HIPAA Police Are On Their Way!

References:
OIG EHR Questionnaire Focuses on Fraud Safeguards

TAGGED: EHR, hipaa
onlinetech November 27, 2012 November 27, 2012
Share This Article
Facebook Twitter Pinterest LinkedIn
Share

Follow us on Facebook

Latest News

RN coders for hosptial data
RN Coders Can Improve Hospital Data Strategies
Big Data
cloud technology in education
How Cloud Technology Can Be Integrating in Schools
IT
big data and IP laws
Big Data & AI In Collision Course With IP Laws – A Complete Guide
Big Data
ai in marketing
4 Ways AI Can Enhance Your Marketing Strategies
Marketing

Stay Connected

1.2k Followers Like
33.7k Followers Follow
222 Followers Pin

You Might also Like

HIPAA compliant fax
Big Data

Data Security Considerations Pertaining to HIPAA Fax

5 Min Read
data privacy and HIPAA
Security

Data Analytics Solutions To HIPAA Compliance During Quarantine

6 Min Read

HIPAA Violations Cost Health Insurer $1.7 Million: Lessons Learned

4 Min Read
HIPPA compliance
Best PracticesBig DataData ManagementInside CompaniesITLocationPolicy and GovernancePrivacySecurity

HIPAA Breach Lessons Learned

5 Min Read

SmartData Collective is one of the largest & trusted community covering technical content about Big Data, BI, Cloud, Analytics, Artificial Intelligence, IoT & more.

ai is improving the safety of cars
From Bolts to Bots: How AI Is Fortifying the Automotive Industry
Artificial Intelligence
data-driven web design
5 Great Tips for Using Data Analytics for Website UX
Big Data

Quick Link

  • About
  • Contact
  • Privacy
Follow US
© 2008-23 SmartData Collective. All Rights Reserved.
Go to mobile version
Welcome Back!

Sign in to your account

Lost your password?