From OpenEMR Project Wiki
Access to Electronic Protected Health Information (EPHI) is very highly restricted. Doctors have always approached this with a "Deny by default" policy. The US government has turned this into "Deny by default" and we are going to be watching, spending billions of US dollars to watch to make sure that ytou don't slip up.
Any access to the electronic health will need to audited so that information about who accessed the information and for what purpose can be given toe the patient on request. Of course, most normal patients don't do this. There is an occasional need for this. But there will be a lot of governmental agencies who will want to spend billions of US dollars to make sure we can do this.
Controlling access begins with careful login procedures. Using two passwords for login helps this. Good password policy is important.
Do not allow employees to share passwords. The system should be able to monitor password strength
- eight character length or more
- Must contain a upper case letter, a lower case letter, a number and a special symbol.
- Passwords need to be changed on a regular basis (every 6 weeks to 3 months)
- Users should not be allowed to use the same password repeatedly
- The system should log the last three passwords and prevent reuse.
All access to privileged electronic records will need to be logged. The log should be robust enough to reveal who has accessed the information and in the case of third party access why this was necessary.
The most common form of this is electronic billing which occurs on such a huge basis that this will have to automated as part of the normal billing cycle. Tony McCormick of MI-Squared has proposed to accept this as he reworks the billing systems.
Higher levels of Access
Practitioners receive a very high level of access in the system. They are able to generate the encounters, prescribe medications, and order diagnostic studies.
The creation of encounters needs special attention. The practitioner will need to be able to edit the encounter repetedly during its creation. At a latter point when the encounter is complete he or she will need to verify that the encounter is complete and lock the encounter.
Of course, even this is not permanent. Under the US HIPAA rules the patient has the right to review their health information and correct any mistakes discovered. This will require an encounter edit function that includes the reason the record is being altered.
VISOLVE>> HIPAA discusses certain methodologies that need to be followed during the emergency access. HIPAA calls this procedure as "break glass procedure." This is a procedure so that if in the event the practitioners get locked out of the system for some unforeseen event.
a. Backup of electronic protected health information before the emergency access
b. Emergency accounts should be created in advance. The account information should be sealed and kept in a secured place. Once an emergency is declared, the emergency account can be used.
c. All the activities should be logged for later review
d. Disable or delete the emergency account(s) that were used to prevent re-use now that the password is known.
Fred Trotter: Again, what does this mean?
Sam Bowen: I think they are referring to accessing the system on a practitioners behalf when the practitioner is not available. Some documents are extremely sensitive and need to be for the individual practitioners eyes only. In the event the practitioner is killed, on vacation, or no longer allowed to access the system, someone needs to be able to access the system on their behalf. Usually this means the system administrator who is required to log the access and the reason that the access was required.
I have patients who come in with problems of a highly sensitive nature. My wife is a practitioner here with me. Sometimes these problems are so sensitive that I have to restrict access to my eyes only so that my wife cannot find or see these records even by accident. In the event of my death or disability or hopefully I'm just on vacation, my office manager knows how to access these records, in an emergency situation only. According to HIPAA this access needs to logged and the (very good) reason for the access must also be logged.
The other obvious example is if the database administrator is no longer available change of employment status, disability, death, (or hopefully just on vacation). Then some horrible thing happens with the database that requires full administrative access.