Ask the expert: What is the recommendation for allowing access to an electronic health record (EHR) through a Web interface to a provider? Should any third-party servers be involved?
HIM Connection, April 3, 2007
A: Before allowing access to an EHR via Web interface, it is important to reasonably ensure that the Web interface is secure and that any data transmitted via the Web interface are encrypted using at least 128-bit encryption (although 256-bit is preferable). You may employ a third-party server, but the security and privacy requirements regarding server access, administration, data transmission, etc., should be established, monitored, and enforced.
If the third-party server is managed by an entity on contract with the covered entity (CE), the CE should execute the appropriate business associate contract prior to allowing any Web-based access to the EHR. Access to an EHR via Web interface, virtual private network, or any other secure connection requires the owner of the EHR to establish appropriate authentication, authorization, access management, role-based access control, and audit policies, procedures, and practices.
Also, providers who will access the EHR must adhere to appropriate administrative and technical--as well as privacy--standards. These are generally created and communicated by the owner of the EHR. The owner should also take reasonable steps to ensure that the EHR access point on the providers' end is secure (e.g., appropriate firewalls are in place, the owner monitors access, termination notifications are forwarded quickly to the owner, etc.).
Editor's note: Chris Apgar is president of Portland, OR-based Apgar & Associates, LLC. He has more than 17 years of experience in information technology and specializes in security compliance, assessments, training, and strategic planning. Apgar is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy, and Security Forum. You can e-mail him at capgar@easystreet.com.
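The answer above calls for authentication, authorization, role-based access control and audit practices around any Web-based EHR access, and for prompt handling of termination notices from the provider side. The following is an added example, not code from the article or from Apgar & Associates, showing what a deny-by-default RBAC check with an audit trail looks like in code. The roles, permissions, usernames and record identifiers are constructed for illustration and assume nothing about any real EHR product.

```python
"""Deny-by-default role-based access control with an audit trail for an
EHR web interface.

Added example; the roles, permissions, users and record IDs below are
constructed for illustration and are not taken from the original article.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Set

# Role -> actions that role may perform. Anything not listed is denied,
# which is the least-privilege default an auditor expects to see.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "physician": {"read_record", "write_note", "order_test"},
    "nurse": {"read_record", "write_note"},
    "billing": {"read_demographics"},
}


@dataclass
class User:
    username: str
    roles: Set[str]
    active: bool = True  # cleared as soon as a termination notice arrives


@dataclass
class AuditEvent:
    when: str
    user: str
    action: str
    record_id: str
    allowed: bool
    reason: str


class EhrAccessControl:
    def __init__(self, role_permissions: Dict[str, Set[str]] = ROLE_PERMISSIONS):
        self.role_permissions = role_permissions
        self.users: Dict[str, User] = {}
        self.audit_log: List[AuditEvent] = []

    def _audit(self, user: str, action: str, record_id: str,
               allowed: bool, reason: str) -> None:
        # Every decision is recorded, allowed or denied, so reviewers can
        # reconstruct who touched which record and why a request failed.
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), user, action,
            record_id, allowed, reason))

    def add_user(self, username: str, roles: Iterable[str]) -> None:
        roles = set(roles)
        unknown = roles - self.role_permissions.keys()
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        self.users[username] = User(username, roles)

    def terminate(self, username: str) -> None:
        """Deactivate an account when the provider reports a termination."""
        user = self.users.get(username)
        if user is not None:
            user.active = False
            self._audit(username, "terminate", "-", True, "account deactivated")

    def authorize(self, username: str, action: str, record_id: str) -> bool:
        user = self.users.get(username)
        if user is None:
            self._audit(username, action, record_id, False, "unknown user")
            return False
        if not user.active:
            self._audit(username, action, record_id, False, "account deactivated")
            return False
        # Union of the permissions of all roles held by the user.
        permitted = set().union(*(self.role_permissions.get(r, set())
                                  for r in user.roles))
        allowed = action in permitted
        self._audit(username, action, record_id, allowed,
                    "role permits action" if allowed
                    else "action not granted to user's roles")
        return allowed

    def denied_events(self) -> List[AuditEvent]:
        """Denied attempts are what an access-monitoring review looks at first."""
        return [e for e in self.audit_log if not e.allowed]


if __name__ == "__main__":
    ctl = EhrAccessControl()
    ctl.add_user("dr_smith", {"physician"})
    ctl.add_user("rn_jones", {"nurse"})
    print(ctl.authorize("dr_smith", "order_test", "MRN-1001"))   # True
    print(ctl.authorize("rn_jones", "order_test", "MRN-1001"))   # False
    ctl.terminate("dr_smith")
    print(ctl.authorize("dr_smith", "read_record", "MRN-1001"))  # False
    for event in ctl.denied_events():
        print(event)
```

The point of the structure is that the authorization decision and the audit record are produced by the same call, so there is no code path that grants access without leaving a trace, and that an account deactivated on a termination notice is refused before any role lookup happens.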