Home Forums Discussions Meaningful Use Lawyers, Guns and Money.....and Security

I found this in an attempt to find the exact security measures needed. Does AC meet all these capabilities? As far as encryption, is that just for transfer of electronic records or to encrypt the .enc backup file or what? I just talked to our Regional center and they charge about $450 dollars to perform a Security Risk Assessment.

1 ?172.302(o) Access control. Assign a unique name and/or number for
identifying and tracking user identity and establish controls that permit only authorized users to access electronic health information.
2 ?172.302(p) Emergency access. Permit authorized users (who are authorized for emergency situations) to access electronic health information during an emergency.
3 ?172.302(q) Automatic log-off. Terminate an electronic session after a predetermined time of inactivity.
4 ?172.302(r) Audit Log.
(1) Record actions. Record actions related to electronic health information in accordance with the standard specified in ? 170.210(b).
(2) Generate audit log. Enable a user to generate an audit log for a specific time period and to sort entries in the audit log according to any of the elements specified in the standard at 170.210(b).
5 ?172.302(s) Integrity.
(1) Create a message digest in accordance with the standard specified in 170.210(c).
(2) Verify in accordance with the standard specified in 170.210(c) upon receipt of electronically exchanged health information that such information has not been altered.
(3) Detection. Detect the alteration of audit logs.
6 ?172.302(t) Authentication. Verify that a person or entity seeking access to electronic health information is the one claimed and is authorized to access such information.
7 ?172.302(u) General encryption. Encrypt and decrypt electronic health information in accordance with the standard specified in ? 170.210(a)(1), unless the Secretary determines that the use of such algorithm would pose a significant security risk for Certified EHR Technology.
8 ?172.302(v) Encryption when exchanging electronic health information. Encrypt and decrypt electronic health information when exchanged in accordance with the standard specified in ? 170.210(a)(2).
9 ?172.302(w) Disclosures. Certification criterion made optional.
Record disclosures made for treatment, payment, and health care operations in accordance with the standard specified in ? 170.210(e).

You can do this yourself. I suggest reviewing the criteria in each of the 3 sections on the Health IT.gov website. The website comprises an expanded but simpler version of your list above. Write up a report covering how your practice is meeting each requirement. If you aren't, include a plan of correction. Keep it handy, and revisit your report in a few months, add a brief Addendum about how your corrective actions succeeded, or revise your plan. Keep this on file in case you are audited.

We have been doing this for years in our practice corporate meeting minutes.

I know this sounds callous, and probably I am turning a blind eye to something I shouldn't, but I don't care to do any of those. I just want to see a kid with otitis media and treat him amoxicillin and lock the screen when I leave the room.

But, I will designate an AU to be able to access health care information in the case of an emergency. But, since you only need one, I suppose I will be sufficient.

DISCLAIMER: I respect both Boondoc and John for their efforts on this. I am just so tired of the government interventions.

I hear you Bert: I was arguing against this vigorously just a short time ago. But, as others have said, it's a business decision right now to play with them. I'm close to taking my ball and going home though!

Even if you don't intend to do MU, you are still required to have a written data security plan and document reviewing it periodically, in case you are audited.

I have to admit I am torn on this subject.

On one hand, in the enterprise space security program & plans are a whole line of business with outfits that write them, review them, audit them, penetration test, etc.

So generating an AC-specific security plan, along with an accompanying punch list for each practice would be a straightforward task for us as a commercial effort.

Regardless of how it gets done, I would recommend that every Doc that has their own business give this thought [security] for their own peace of mind [and CYA].

That said, I have to wonder if each practice wouldn't be better off if we helped them run through the business model of exiting government payer plans, and what that would mean to them as a practice and the freedom it would bring to how they practice medicine.

Call me cynical, but I learned long ago how little the government does well, let alone competently.

I went to John's link and found pages upon pages of information to read on corporate security. This was not an easy check list I was hoping for. I am trying to simplify this enough to be usable.

I agree with you totally, being free of government nitpicking would be marvelous. However, everyone should be aware that data security, including have a practice security plan, isn't optional whether you participate in Medicare/aid or not, meaningful use or not, or even whether you use an EMR. The Office for Civil Rights states the provisions of the HIPAA Security Rule apply to any person or organization that has access to patient data.

The Security Management Process standard in the HIPAA Security Rule requires organizations to ?implement policies and procedures to prevent, detect, contain, and correct security violations.? Here is the way we set up our plan, as simple as we could make it:

Protected Health Information (PHI) within our practice:
-- Designate where PHI is maintained within your organization. How is it secured? Simply state: password protection for sign-in, locked cabinets, door and key security, personnel screening etc.
-- Comment on safe transmission or reception of PHI. IE: practice has fax with staff access only, patient portal, no e-mails of patient data, shredder for disposal, signed releases of information needed, etc.
-- Identify threats to PHI: How do we protect access by cleaners, repairman, deliverymen (most commonly either escorting them if they work in PHI areas, or vet their companies). How do we secure our network (router with password, WPA2, etc). How do we protect from fires, storms (Doesn't need to be ironclad, reasonable measures such as alarms, sprinklers, backup copies in outside locations, etc).
-- Data authentication: How do we check that we are creating or filing information on the correct patient. We require patients to give photo ID upon check in -- AC helps here; if the front desk IDs the patient on check-in, brings up the right chart and forwards it to the clinical staff, you can't input to the wrong patient. When filing info into AC, Updox helps us, since it displays both the patient name & DOB when choosing what chart to import into. Does the staff check the patient info release before talking to a third party?
-- Security audits; Our office manager does a brief audit of several of the policies above once a month, and writes a brief report on her findings before our quarterly practice corporate meeting. It goes in our minutes, along with any corrective action needed.

That's what we do. I don't know whether its too much or too little, but its our plan, and we're sticking with it.

I may not have been clear; I am not dismissing the need for a security plan, rather what is driving the plan generation. Most enterprises that I have worked with had more stringent requirements than the relevant governmental regs, but the plan were crafted based on the use cases of the organization.

Having dealt with special weapons security, I have actually seen more stringent controls at a certain F500 data center.

Boondoc, I did the security risk analysis myself using tools my REC gave me.
Ours in Maine will not do the risk analysis for us, but they pointed us to a company who will do it for a cost of about $1,200. That price they quoted you is a bargain. And as you discovered, it's very difficult to actually comply with the security measures because they are numerous and somewhat complicated. It's much more difficult than simply having passwords on the computers and a firewall router.

It should not dissuade you from going for it however. I did the security assessment in about 6 hours of my personal time, spread out over several days to make it manageable. Good luck in your attestation attempt!

If you would like the toolkits, I'm willing to send to you. It's larger than one email can handle (>10MB) but I can split it up. Just PM or email me if you want to do this yourself.

Unfortunately once again, concerning security - I was wondering if any of you have or feel that it is required to have written contacts with AC and with the labs you are using - as "business partners". I am having one with my billing company for sure but I wasn't sure about the labs. They do have some access to partial information and AC does as well if you are using their back up. Maybe AC's statement regarding the encryption of the back up data is enough? Thanks

Donald Phillips MD Cedar Hill, Texas

Here is a link to a security questionnaire that I used:

http://www.himss.org/content/files/applicationsecurityv2.3.pdf

It is for an application (in this case, AC), but not the overall system.

Donna, Adam et all:

As we are in the intial stages of our project my PAD has pointed out it is a good time to address security requirments. (At present I am having a local IT group pull together a quote for P2P hosting, stand-alone serve-like machine w/ thin client and remote access via laptop) anyway.........this quote I am going to weigh against having our PM & AC hosted in the cloud.

Regaless of the route we take, can anyone point me in the direction of a simple but straight forward security demands the program places on us in order to properly attest?

My REC is of no help as specialists vs PCP's right now are not priority. I am hopeing to locate a security requirments doc I can furnish as we build/select and decide.

B/R

Roxanne

Roxanne, the Maine REC has given us an electronic documents "tool kit" to meet the security standard. To meet the requirements is quite lengthy and not at all straightforward, however the toolkit was built with the requirements in mind. This process very effectively helps meet the security requirements.

I am HAPPY to email to you.
It's about 13MB in size, so I would send it in two zipped emails with directions on how to put it back together. I've sent this to Steven and Boondoc. Let me know if you want it, please PM me or email me (see my profile for address) if you want to look at the toolkit.

IMHOpinion there is only one way to stop the regulation steamroller that is just starting to move down the tracks.

Lawyers should be forced to have the same regulations as physicians. Justice is a "right" just as much as "healthcare".

We have a Board, they have a Bar. We are increasingly being governed. They produce the government.

If a lawyer's practice was regulated to a tenth of ours, this might just change.

Rant helped some, I think

Au contraire,my friend. Nowhere in the constitution are we guaranteed the right of health but we are guaranteed the right of "equal protection of the laws" (fourteenth amendment). I've always contended that "socialized law" should be established way before any thought of socialized medicine. If you're one of the well-heeled swells and you do in your ex-wife and a waiter innocently escorting her home you get off scott free. If you're broke you'll get incarcerated for stealing a case of beer. Equality, eh?

Sorry for hijacking the thread...

I agree.

Everyone should have legal insurance and a primary lawyer who has malpractice insurance, twice as much staff to collect 80% from insurers, doesn't get paid for anything unless the client is present, doesn't get paid much to think, gets a fraction of their charges, can't charge 2 clients for the same minute, can't collude to set fees, etc.

Done

I just got a bill from my lawyer for $40 because he read a two-lined email from me.

I never have met a lawyer yet that i like or respect. Even my own lawyers that I've needed over the years....no respect. slimy, immoral, disgusting people. If any lawyers are reading this and take offense....I am not sorry. It's a stereotype that frankly is based more in truth than any other stereotype known to human-kind.

$40 to read two-lines of email. They prob billed you 0.1 hr. Whether it takes 10 seconds, or 5 min and 59 seconds....they bill you for 0.1hr. God forbid it costs 6 min and 27 seconds, you get dinged for a 0.2hour.

Is your lawyer charging $400/hour? Or WAY over billing for time spent, was that a 0.2 hour and you are getting nailed for $200/hour. Either way it's bullsh*t. sorry girl, I feel your pain.

three times I went to court by ex-wife, and three times I had to pay her lawyer bills and my own! In divorce matters alone, I have spent over $100,000 in the past 12 years.

sorry, thread is totally hijacked.....

My attorney bills at $600 per hour, at least I think he does, I never contact him because I can't afford it!

I will hijack it even more....had a plumber come out and give me an estimate on fixing two sinks in my office that were leaking. After spending five minutes analyzing the problem, he wanted $250 plus parts and travel to replace 2 strainers. Needless to say, I bought 2 strainers, dusted off my pipe wrench and got down on my fat a@# and fixed it myself.

And in the "it's not all overpriced" category: right now, as I write, my son is putting down flooring in the upstairs hallway. He is doing it for free. I think.

And Leslie, it's not fat. IMHO.

My children are still 11 and 14 and I learned long ago that nothing is really free.....

A few comments, if I may.

1. I refuse to believe Leslie has a fat a$$.

2. Do not take the security thing to far. It is important, but don't get carrried away. Follow the 10 Immutable rules of security, make sure you have it all documented, and in my professional opinion, you are all set.

3. I am quickly coming to the conclusion that I have utterly and horrifically underestimated Indy - again.

4. Do be careful how much we bash lawyers and others over how much they charge. A lot of people feel the same way about doctors. Opinion is determined by cost.

5. Everyone should buy an Xbox so we can play Modern Warfare 3: Call of Duty.

JamesNT

1 ?172.302(o) Access control. Assign a unique name and/or number for
identifying and tracking user identity and establish controls that permit only authorized users to access electronic health information.

Each user should have their own Windows account and their own account into whatever software that requires each user to have their own user account outisde of Windows. Users should not share accounts.

2 ?172.302(p) Emergency access. Permit authorized users (who are authorized for emergency situations) to access electronic health information during an emergency.

Subjective. For most of you, the built in Administrator account in Windows will suffice.

3 ?172.302(q) Automatic log-off. Terminate an electronic session after a predetermined time of inactivity.

Set a screen saver in Windows to lock the machine after so much time of inactivity. Set Terminal Servers to disconnect users after so much time of inactivity.

4 ?172.302(r) Audit Log.
(1) Record actions. Record actions related to electronic health information in accordance with the standard specified in ? 170.210(b).

Set the Windows Security Event Log to track log on and log off and access to certain files and file shares. EMR's should have their own facilities for this.

(2) Generate audit log. Enable a user to generate an audit log for a specific time period and to sort entries in the audit log according to any of the elements specified in the standard at 170.210(b).

This is what the Administrator account in Windows and Amazing Charts is for.

5 ?172.302(s) Integrity.
(1) Create a message digest in accordance with the standard specified in 170.210(c).
(2) Verify in accordance with the standard specified in 170.210(c) upon receipt of electronically exchanged health information that such information has not been altered.

If you have an HL7 or other interface, ensure you encrypt the data while en route to it's destination via VPN or other method. Have the necessary business associates agreement in with those you are sending to/receiving from.

(3) Detection. Detect the alteration of audit logs.

If you ever see an event in Windows that says the "Security Event Log has been cleared" then you know the deal.

6 ?172.302(t) Authentication. Verify that a person or entity seeking access to electronic health information is the one claimed and is authorized to access such information.

Again, make sure users are not sharing accounts.

7 ?172.302(u) General encryption. Encrypt and decrypt electronic health information in accordance with the standard specified in ? 170.210(a)(1), unless the Secretary determines that the use of such algorithm would pose a significant security risk for Certified EHR Technology.

Utilize the built-in encryption in Windows to encrypt information from workstation to server (domain based networks only).

8 ?172.302(v) Encryption when exchanging electronic health information. Encrypt and decrypt electronic health information when exchanged in accordance with the standard specified in ? 170.210(a)(2).

Utilize the built-in encryption in Windows to encrypt information from workstation to server (domain based networks only).

How do I accomplish all of this??

A SBS 2011 network with all Windows 7 workstations will handle the majority of this for you with no work on your part save setting up user accounts. A Juniper SRX100 security gateway will handle setting up VPN's with outside entities and security publishing services to the Internet (e.g. Exchange, Terminal Server). Such a network with 5 workstations should cost you less than $10,000 to purchase AND SET UP.

JamesNT

This is my approach:

Use reasonable security measures while at work. Lock the office doors at night. Don't take data home or on a laptop.

Stay off the radar. Stay away from government money. Don't be a member of a large group creating big charges. Don't try to be the top biller in your area or specialty. Practice cost effective medicine. Follow guidelines.

It's just like any other form of combat: don't bunch up so a single shell will take out a bunch of you, and keep your head down. It is not worth the effort of the thought police to go after a mouse when there is a much bigger target next door.

David,

Cool post. What do you mean by stay away from government money?

Personally, I don't care about any of this.

We opted out of Medicare/Caid, don't do VA or Tricare. If I get a care/caid consult, I don't charge. I just don't take government money.

And MU?

LOL! That's a good one

And as the music swells...("North, to Alaska, They're Goin' North...")....the montage begins. There's Leslie, hitching up a team and waving goodbye to the homestead; there's Bert, hopping on the back of a moose, the moose pulling a skiff loaded high with dozens of boxes labelled "Dell". Cut to Indy, shaking hands with John at Cape Canaveral, as Indy climbs into a space shuttle pointed northward, and John loads his alligators into the cargo bay. And is the scene fades, James starts to de-materialize, as you hear him say "Alaska! Beam me up, Scotty!"
David...you said the magic words.

In all honestly I don't blame the man. Many of our clients would drop Medicare/caid now if they could afford to.

JamesNT

I wish I could watch the shuttle take off from my back yard again. I'll have to wave to Indy as he boards the plane to Kazakstan. Unfortunately, Obama killed the shuttle and the Constellation program, and our aerospace engineers are on food stamps. He said he needed the money for the HITECH program. So when you check off those MU boxes in AC, just think - US technology for the 21st Century!

You know, I happen to be re-reading "The Grapes of Wrath" again just now; the part where the Joads start picking for 5 cents a box, but as soon as the protesters are beaten away, and branded as "reds" the price drops to 2 1/2 cents a box, and the kids starve. The only alternative I see is to not give anyone the power to dictate what you are worth. If you charge more than someone is willing to pay, then fine. You don't have to live in Alaska to refuse to give up power.

Fairbanks wouldn't be there if it weren't for "government money."
I suppose that some "private contractors" can afford to pay doctors who won't take medicare/medicaid/Tricare, etc. -- but odds are good they work for the government: the military, the university, the state, the county, the city -- or someone who does.
All money is dirty

Tom, that's not the issue. Payment from the federal government is not intrinsically dirty or evil. The issue of this thread is that of simple threat management; protecting ourselves from fines from security audits, charges of fraud for simple coding errors, and other very direct threats. If your assessment is that it is in you best interest to accept reimbursement from certain sources, and in return accept that you will need to implement programs such as JamesNT has outlined to mitigate the associated risks, then well and good. Our decision is that it is not worth it for us, and going down that path will only get worse and worse, like picking peaches for 2 1/2 cents a box. And my post is meant to remind folks that doing so is a choice. If you make it, you deserve that it should be a conscious and informed decision, rather like deciding whether to have a prostatectomy for early prostate cancer.

First, it is Lenovos, not Dells.

Second, Jon's humor is so far over my head, I need a cheat sheet. If this has something to do with the Wizard of Oz, I am close.

Third, I will go with any man who can read The Grapes of Wrath twice, lol.

Fourth, David, I wish I could go without Medicaid. Heaven knows it is horrible. However, I couldn't make it without them. I have the highest percentage in the state. One issue is that we have likely the best doctors in the world in Boston, and we have to sell our soles to get a patient down there. Medicaid shold be Medicaid, and the money should all go the same place.

Fifth, I guess without Medicaid or Medicare you aren't elible for MU. I am, and I will be damned if I will check off boxes for any amount of money. Nothing against those who do.