I'm curious to know what other practices are doing to be compliant with the "Core measure 15: Protect Electronic Health Information."
The State of Maine Regional Extension Center gave all participating offices a toolkit that included numerous self-assessment checklists and flowsheets to address security and protection of protected health information.
Security and protection are looked at by these toolkits as both external security breaches and internal ones, covering malicious attacks as well as inadvertent honest errors. They also account for electronic security threats as well as physical threats to on-site storage of protected health information. Backing up data and sharing information with third parties are also part of the assessments. Protection of health information extends not just to the EHR but also to your billing program, credit card machine, fax machine, network, and any third parties who may access your network (such as an off-site I.T. administrator/contractor).
Do any of your states offer a similar resource?
Have any of you hired a third party to perform a security/protection assessment?
What have you done to demonstrate proof that you have the proper policies in place to attest to Core measure 15?
In what format is your proof recorded so that you can sustain an audit from CMS, in the event you are audited? I.e., do you have an Excel spreadsheet or Word documents showing your policies, or checklists indicating you've done a self-assessment?
What have you done to address weaknesses in your office so that health information is better protected?
This is the one measure that I found the most difficult to attest to. Everything else was contained directly within A.C. and relatively easy to perform. But this one was a challenge for me.