Joined: Dec 2007
Posts: 1,244
Member
I'm curious to know what other practices are doing to be compliant with the "Core measure 15: Protect Electronic Health Information."

The State of Maine Regional Extension Center gave all participating offices a toolkit that included numerous self-assessment checklists and flowsheets to address security and protection of protected health information.

Security and protection is looked at by these toolkits as both external security breaches and internal ones. Malicious attacks and inadvertent honest errors. It also accounts for electronic security threats as well as physical threats to on-site storage of protected health information. Backing up data and information sharing to third parties is also part of the assessments. Protection of health information extends not just to the EHR but also your billing program, credit card machine, fax machine, network, and any third parties who may access your network (such as an off-site I.T. administrator/contractor).

Do any of your states offer a similar resource?
Have any of you hired a third party to perform a security/protection assessment?
What have you done to demonstrate proof that you have the proper policies in place to attest to Core measure 15?
In what format is your proof recorded so that you can sustain an audit from CMS, in the event you are audited? I.e., do you have an Excel spreadsheet or Word documents showing your policies or checklists indicating you've done a self-assessment?
What have you done to address weaknesses in your office so that health information is better protected?

This is the one measure that I found the most difficult to attest to. Everything else was contained directly within A.C. and relatively easy to perform. But this one was a challenge for me.


Adam Lauer, DO (solo FP)
Twin City Family Medicine
Brewer, ME
Joined: Jan 2012
Posts: 22
Member
Those that attested or even those concerned with the HIPAA security issues - did you get a formal statement from AC regarding the fact that they implement necessary safeguards to protect the confidentiality and integrity of the electronic health information? (I guess to satisfy the "business associate" requirement.) I assume that it would only be necessary if you are using the AC back up (since that involves the transfer of info to them).
Donald Phillips MD Cedar Hill Tx

Joined: Mar 2011
Posts: 837
Likes: 10
Member
This is pretty much all a work in progress.
I take the position that "strong" passwords and good firewalls create adequate security for a small office.

I refuse to get paranoid about this -- if I have to spend mega$$ on "security", then I'll just go back to paper. Electronic media is inherently insecure.

When we take backup data out of the office, I suppose it should be on an encrypted disk/flash drive. I haven't got there yet, but that would solve the "lost my laptop" data breach problem that even big organizations seem to have.


Tom Duncan
Family Practice
Astoria OR
Joined: Jan 2012
Posts: 22
Member
I like that answer at least with regards to the electronic part. I am reading too many government edicts regarding security - it gets ridiculous. Once every single health entity is electronic - I can just imagine how many accidents will happen. Trying to put a policy together - I guess we should also put in our security plan and prevention that we actually have locks on our office doors. As for off site - I will probably just start leaving the external hard drive at work - in a fireproof lock box. However, if we use the iPhone AC app - then that has protected health info on it - maybe I'll just delete it. It is not so much doing common sense protective things - it is the specified "hoops" like a "risk analysis". Geez, I have a 1200 square foot office with my wife and one MA and 3 computers. If somebody wants in at night, they'll get in. I like some of Adam's colorful comments as well - but if I get going too far - I might get visited by a presidential death squad.
Thanks for commenting
Donald Phillips MD Cedar Hill, Texas

Joined: Dec 2007
Posts: 1,244
Member
I'd be happy to back you up on colorful comments... but the death squads may come after me too. Imagine a bunch of right winged doctors, holed up with guns, in a fortress compound, refusing to participate in MU. Then ATF comes in with guns blazing while we chant "hell no, we won't M.U., hell no, we won't M.U." oops I hijacked my own thread...

For the government spies reading this thread...JUST JOKING!

Last edited by LauerDO; 01/30/2012 10:29 PM.

Adam Lauer, DO (solo FP)
Twin City Family Medicine
Brewer, ME
Joined: Dec 2007
Posts: 1,244
Member
But seriously, the REC in Maine has informed us that the criteria for Core 15 is very tough to meet. They feel it's more than just having a password protected system. Have I been led astray?


Adam Lauer, DO (solo FP)
Twin City Family Medicine
Brewer, ME
Joined: Jan 2010
Posts: 1,128
Member
It looks like no one has gotten back to us on this. I too am wondering how to use the encryption feature. Do we encrypt the backup file? Is this just for encrypting other files we export? Adam, can you weigh in?


Chris
Living the Dream in Alaska
Joined: Jan 2012
Posts: 22
Member
I don't know if this question pertains to the above but I did have an "encryption" question as well. My AC is on my desktop running Windows 7 Pro (i.e. no server). Are the AC files encrypted already or do I need to encrypt them via the Windows program? If I start downloading the imported items to an external hard drive (have been downloading all to AC back up since I'm new and small amount) - do I at least need to encrypt that file? Thanks,
Donald Phillips MD Cedar Hill, Texas

Joined: Dec 2007
Posts: 1,244
Member
Guys, this comes directly from the AC website under offsite backups:

"How It Works
OffSite Backup service allows you to upload your crucial Amazing Charts EHR databases each night to our secure data center for safe keeping. Your databases, patient information, templates, schedules, billing, and other information is encrypted on your own computer then uploaded and stored on our secure servers.
Security

Obviously security is of the utmost importance given that your data contains patient-identifiable health information. The first layer of security occurs on your computer, before the connection to our archiving servers occur. When you run our Amazing Charts OffSite Backup utility your databases and patient records are encrypted using a 128-bit cipher algorithm. It has been calculated that breaking this level of encryption would take a hacker over a million years!

Your encrypted patient and practice data is then uploaded in a HIPAA-compliant manner across a secured 128-bit encrypted SSL internet connection (the type of connections that banks use)."


Adam Lauer, DO (solo FP)
Twin City Family Medicine
Brewer, ME
Joined: Dec 2007
Posts: 1,244
Member
So it looks like we do nothing to invoke the encryption?? Am I reading this correctly??


Adam Lauer, DO (solo FP)
Twin City Family Medicine
Brewer, ME

This board is dedicated to the memory of Michael "Indy" Astleford. February 6, 1961 -- April 16, 2019