Evaluate software vendors on key software capabilities
HIM Connection, March 22, 2005
Want to receive articles like this one in your inbox? Subscribe to HIM Connection!
Whether you're evaluating the security features of new software or a program your organization already uses, ask your vendors specifics about their products to determine how well they'll help you meet HIPAA security requirements.
Software can't guarantee 100% compliance, but software vendors have developed methods to help you meet many of the security rule's requirements. For example, most practice management software packages contain password protection and encryption features. And many medical software applications will keep a log of users who access or change electronic PHI (ePHI).
However, not all software programs contain the same security features. For example, one hospital's billing program logs changes to patient information but doesn't track who viewed that information. A change-only log can't tell you who has looked at a record, which becomes a problem if, for example, your lab treats a celebrity and wants to make sure the lab results aren't leaked to the press or public.
Hold vendors accountable
Your software security checklist should cover these five critical topics:
- Authentication. The HIPAA security rule's person or entity authentication standard requires you to authenticate all computer users. In other words, make sure the people using computers to access ePHI are who they claim to be.
Ask software vendors how their software accomplishes this. If they require user IDs and passwords, make sure they don't allow duplicate or shared IDs; the security rule requires a unique identifier for each user, and a shared ID leaves you with an audit trail in which no action can be traced to one person.
Also make sure that the passwords meet your minimum length and form requirements, and confirm that your requirements won't cause the software to malfunction.
For example, the practice management software at one mid-size radiology office wouldn't allow passwords that contained characters such as !, @, and #. Because management knew this, they could advise staff to create passwords accordingly. Ask as well how the product stores passwords and who, including the vendor's support staff, can read them.
- Access control. Know how and to what extent your software programs restrict ePHI access. "Many programs will grant full access to all patient information upon log-on," says Holt Anderson, executive director of the NC Healthcare Information Communications Alliance in Research Triangle Park, NC. However, the HIPAA access control standard requires you to limit all users' access to the minimum necessary information for their job functions.
Know your software's capabilities; it can help you meet this requirement by
- allowing for multiple levels of access on a need-to-know basis
- preventing simultaneous log-ons of the same user ID at different workstations
- locking out users who attempt multiple unsuccessful log-ons
- offering automatic log-off capabilities
If you don't know whether your software has these capabilities or how to set up these advanced systems, you may be putting your patients' ePHI at risk.
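The four capabilities listed above interact (a lockout counter that resets on a good log-on, a session that expires by its last-activity time, a role that decides which parts of a record a user may read). The following is an added example, written for this page and not taken from the article or from any vendor's product, that shows all four working together on constructed data. The role names, record fields, lockout threshold, idle timeout and the made-up user directory are assumptions chosen for the illustration.

```python
"""Illustrative access-control policy (added example, not from the article
or from any product).  Demonstrates, on constructed data:

  * multiple access levels on a need-to-know basis (role -> readable fields)
  * no simultaneous log-ons of one user ID at different workstations
  * lockout after repeated unsuccessful log-ons
  * automatic log-off after a period of inactivity

Role names, field names and thresholds are assumptions for the example.
"""
from dataclasses import dataclass
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 5                 # assumed lockout threshold
INACTIVITY_TIMEOUT_SECONDS = 15 * 60    # assumed: log off after 15 idle minutes

# Need-to-know matrix: which parts of a patient record each role may read.
ROLE_PERMISSIONS = {
    "front_desk": {"demographics", "appointments"},
    "billing":    {"demographics", "charges"},
    "clinician":  {"demographics", "appointments", "charges", "lab_results"},
}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow password hash; never store the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    user_id: str
    role: str
    salt: bytes
    password_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class Session:
    workstation: str
    last_activity: float    # seconds since epoch of the last request


class AccessController:
    def __init__(self):
        self.users = {}      # user_id -> User; dict key enforces unique IDs
        self.sessions = {}   # user_id -> Session; at most one per user ID

    def add_user(self, user_id, role, password):
        if user_id in self.users:
            raise ValueError("duplicate user ID")   # unique user identification
        salt = os.urandom(16)
        self.users[user_id] = User(user_id, role, salt, hash_password(password, salt))

    def _expired(self, session, now):
        return now - session.last_activity > INACTIVITY_TIMEOUT_SECONDS

    def login(self, user_id, password, workstation, now):
        user = self.users.get(user_id)
        if user is None or user.locked:
            return "denied"                      # same answer for unknown and locked IDs
        if not hmac.compare_digest(hash_password(password, user.salt), user.password_hash):
            user.failed_attempts += 1
            if user.failed_attempts >= MAX_FAILED_ATTEMPTS:
                user.locked = True               # lockout after repeated failures
                return "locked"
            return "denied"
        user.failed_attempts = 0                 # good log-on resets the counter
        current = self.sessions.get(user_id)
        if current and current.workstation != workstation and not self._expired(current, now):
            return "already_logged_on"           # no second workstation for one ID
        self.sessions[user_id] = Session(workstation, now)
        return "ok"

    def read_field(self, user_id, workstation, field_name, now):
        session = self.sessions.get(user_id)
        if session is None or session.workstation != workstation:
            return "not_logged_on"
        if self._expired(session, now):
            del self.sessions[user_id]           # automatic log-off
            return "logged_off"
        session.last_activity = now
        if field_name not in ROLE_PERMISSIONS[self.users[user_id].role]:
            return "forbidden"                   # outside this role's need to know
        return "allowed"


def demo():
    """Walk through each control and return the outcomes for inspection."""
    ac = AccessController()
    ac.add_user("jsmith", "billing", "correct horse battery")
    try:
        ac.add_user("jsmith", "clinician", "other")
        duplicate = "accepted"
    except ValueError:
        duplicate = "rejected"
    t = 1_000_000.0
    r = {"duplicate_id": duplicate}
    r["good_login"] = ac.login("jsmith", "correct horse battery", "WS-01", t)
    r["second_workstation"] = ac.login("jsmith", "correct horse battery", "WS-02", t + 60)
    r["billing_reads_charges"] = ac.read_field("jsmith", "WS-01", "charges", t + 120)
    r["billing_reads_labs"] = ac.read_field("jsmith", "WS-01", "lab_results", t + 180)
    r["idle_timeout"] = ac.read_field("jsmith", "WS-01", "charges",
                                      t + 180 + INACTIVITY_TIMEOUT_SECONDS + 1)
    ac.add_user("intruder", "front_desk", "letmein")
    for _ in range(MAX_FAILED_ATTEMPTS):
        last = ac.login("intruder", "wrong", "WS-03", t)
    r["lockout"] = last
    r["locked_with_right_password"] = ac.login("intruder", "letmein", "WS-03", t)
    return r


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

When you ask a vendor about these features, the questions that matter are the same ones the code makes concrete: what the lockout threshold is and whether it resets; whether an idle session is ended or merely hidden behind a screen lock; and whether a second log-on with the same ID is refused or silently ends the first.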
Tip: Ask your vendors whether they need remote access to your software for product support or upgrades after installation. If they do, check whether you can restrict that access so it doesn't reach ePHI. If you can't, require business associate contracts from those vendors.
- Logging capabilities. The HIPAA security rule's audit controls standard requires you to record and examine activity on computers or in software programs that contain or use ePHI. Many software programs can do this if configured properly. For example, one picture-archiving system Anderson looked at could log data accesses and transfers according to user ID and time of access or transfer.
Don't worry if no one at your facility knows how to set up these systems. Most vendors will do this if asked. Configuring the log is only half of the standard, though: someone at your facility still has to review what it records.
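The review half of the audit controls standard is easier to picture with data in front of you. Below is an added example, written for this page rather than taken from the article or from any product, that parses constructed log lines of the shape Anderson describes (user ID and time of each access or change) and answers the two questions a privacy officer asks after a suspected leak: who touched a given patient's record, and which of those users had no assignment to that patient. It also shows what the change-only billing log mentioned earlier would have recorded. The field layout, user IDs and care-team list are assumptions made up for the illustration.

```python
"""Audit-log review (added example, not from the article or any product).

Parses constructed access-log lines and reports (1) everyone who accessed a
given patient's record, (2) accesses by users with no assignment to that
patient, and (3) what a log that records only changes would have shown.
Field layout, user IDs and the care-team table are assumptions.
"""
from collections import namedtuple
from datetime import datetime

# Constructed sample log, pipe-delimited: timestamp|user_id|action|patient_id|field
SAMPLE_LOG = """\
2005-03-21T08:02:13|rn_ortega|READ|PT-1001|lab_results
2005-03-21T08:05:41|dr_lee|UPDATE|PT-1001|lab_results
2005-03-21T09:17:02|fd_baker|READ|PT-1001|lab_results
2005-03-21T09:20:55|fd_baker|READ|PT-1002|demographics
2005-03-21T12:44:09|bill_chen|UPDATE|PT-1001|charges
2005-03-21T13:01:30|dr_lee|READ|PT-1001|lab_results
"""

# Assumed treatment or billing relationships: who is expected to touch each record.
CARE_TEAM = {
    "PT-1001": {"dr_lee", "rn_ortega", "bill_chen"},
    "PT-1002": {"fd_baker", "dr_lee"},
}

Event = namedtuple("Event", "ts user action patient field")


def parse_log(text):
    """Turn raw log lines into Event records; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient, field = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), user, action, patient, field))
    return events


def accesses_to(events, patient_id):
    """Every access (read or change) to one patient's record, in time order."""
    return sorted((e for e in events if e.patient == patient_id), key=lambda e: e.ts)


def unexpected_accesses(events, care_team):
    """Accesses by users with no assignment to the patient they touched."""
    return [e for e in events if e.user not in care_team.get(e.patient, set())]


def changes_only(events):
    """What a change-only log (no access tracking) would have recorded."""
    return [e for e in events if e.action != "READ"]


def review(patient_id="PT-1001"):
    """Run the three questions against the sample log for one patient."""
    events = parse_log(SAMPLE_LOG)
    full = accesses_to(events, patient_id)
    flagged = unexpected_accesses(full, CARE_TEAM)
    partial = accesses_to(changes_only(events), patient_id)
    return {
        "users_who_touched_record": sorted({e.user for e in full}),
        "flagged": [(e.ts.isoformat(), e.user, e.action, e.field) for e in flagged],
        "users_visible_in_change_only_log": sorted({e.user for e in partial}),
    }


if __name__ == "__main__":
    for question, answer in review().items():
        print(f"{question}: {answer}")
```

On this sample the full log exposes a front-desk user who read a lab result for a patient outside his assignments; the change-only view lists just the two users who edited the record and never shows him at all. That is the gap the celebrity example earlier in this article describes, and it is why the vendor question is "do you log access, not just changes?"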
- Storage and transmission security. Check for security features when software users store or transmit ePHI. Most software will allow users to transmit ePHI, whether by fax, e-mail, or file copies, says Anderson. But it may not always encrypt ePHI or prevent others from intercepting or tampering with it.
- Additional security features. Question vendors about the additional security features their software offers, such as
- upgrades and security patches
- antivirus solutions
- vendor security recommendations, such as configuration checklists and security best practices
- backup processes
Tip: Ask your software vendors whether their software uses any of your operating system's security functions, suggests Peter Bartoli, founder and chief technology officer of Consolvant, a security consulting company in San Diego. Their answers should tell you whether the product relies on a well-known, widely reviewed platform for authentication and access control, such as Windows' Active Directory or Oracle's database security, or on a scheme of the vendor's own making.
This excerpt is adapted from Briefings on HIPAA.