Physician Office Name Ambulatory EHR Security Risk Analysis

Transcription

1 Process is in place to verify access granted is appropriate (ie: Role Based access indicates that the biller has access to billing screens and the nurse has access to the patient medical information). Audits are conducted at least every 6 months. Minimal necessary need to know philosophy Process is in place to verify all employees that have left employment have their credentials removed immediately. Audits are conducted on a regular basis (recommended monthly) Policy regarding password strength, number of times before re-use, number of days before password expires, etc. Verify the policy is being enforced.

2 Computers and Screens: Verify that screens are not viewable by the public (in order to project PHI Verify that you have a screen saver in place (justify the amount of time that is activates, recommend 3-5 minutes) Verify that your employees lock the PC s when leaving the computer Fax machines Verify that your practice utilizes appropriate cover sheets for patient communications. Verify numbers programmed into the fax are appropriate. Concurrent sessions in EHR limited to 1 or justify the need for more and set a policy Network Operating Systems have the most recent security patch. Virus Protection up to date Policy on PHI release and verify that policy is being followed and

3 audited periodically Shredders are used for all paper documents of a confidential nature or contain PHI Appropriate disposal of equipment media utilized for E.H.R All staff have received initial HIPPA training (audits conducted yearly) All staff have received an annual update of HIPPA training (audits conducted yearly) Signed confidentiality/system usage agreements are in place for all employees (audits conducted yearly) Employees are aware of procedures to report a confidentiality/security breach (spot checks are conducted periodically)

4 Up to date records of confidentiality/security breach is maintained. BAA (Business Associate Agreements) are in place for all Business Partners. Audits are conducted yearly. This should include any personnel having access to your building (maintenance, cleaning, etc.) Vendors are properly identified ID s are worn at all times identifying staff to patients. Backup of computers having PHI are completed on a regular basis. Backups are stored off site. Backups are checked for readability. Access to the backup copies is controlled and limited. Downtime procedure is in place and staff are aware of what needs to happen during computer downtime Downtime restores are run at regular intervals (annually). Records kept on the restores. Network Security analyzed by outside entity

5 Wireless Network (if applicable) is evaluated for security Firewall enabled and checked periodically Encryption enabled on all data transport (thumb drives, CD s, etc. s sent with PHI are secure and encrypted. Paper records are secure Appropriate procedures are in place for subpoenas, court orders, law enforcement, etc. for release of information. Period audits are conducted. Policies are in place for access own records and that of minor children. Period audits are conducted of employees. Conversations regarding PHI is in private areas PDA (iphones, Blackberry s, etc) have appropriate ID s on them if confidential or PHI can be reached. Inappropriate Internet sites are not

6 being accessed (that may create viruses). Audits are conducted to safeguard the system. Key s (either electronic or physical) are tracked and verified. Locks changed when employee leaves organization. Employees know what to do if there is a security breach. Drills are conducted on a regular basis (at least semi-annually) Only authorized applications are loaded on PC s (audits are conducted to make sure only appropriate applications are loaded). All license agreements are validated yearly and audits conducted to make sure software is used within the confines of the agreements. Confidential communication (using interoffice envelopes) are clearly marked as such. Printers will be located where sensitive data cannot be accessed by inappropriate personnel. Audits/site inspection should be conducted regularly. Common electronic media (common shared folders, drives, etc) so no contain PHI or other

7 confidential data. Automatic log outs are in place for any application that has PHI or other confidential data. Period checks are in place to check this. Terms: PHI: Protected Health Information. HIPAA: Health Insurance Portability and Accountability Act BAA: Business Associate Agreement Date Security Assessment Conducted: Completed by: