Health Information Management

Ask the expert: What is the recommendation for allowing access to an electronic health record (EHR) through a Web interface to a provider? Should any third-party servers be involved?

HIM-HIPAA Insider, April 3, 2007

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

A: Before allowing access to an EHR via Web interface, it is important to reasonably ensure that the Web interface is secure and that any data transmitted via the Web interface are encrypted using at least 128-bit encryption (although 256-bit is preferable). You may employ a third-party server, but the security and privacy requirements regarding server access, administration, data transmission, etc., should be established, monitored, and enforced.

If the third-party server is managed by an entity on contract with the covered entity (CE), the CE should execute the appropriate business associate contract prior to allowing any Web-based access to the EHR. Access to an EHR via Web interface, virtual private network, or any other secure connection requires the owner of the EHR to establish appropriate authentication, authorization, access management, role-based access control, and audit policies, procedures, and practices.

Providers who will access the EHR must also adhere to appropriate administrative, technical, and privacy standards, which are generally created and communicated by the owner of the EHR. The owner should also take reasonable steps to ensure that the EHR access point on the providers' end is secure (e.g., appropriate firewalls are in place, the owner monitors access, termination notifications are forwarded quickly to the owner, etc.).
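The controls listed above (authenticating an active provider, role-based authorization, an audit trail, and prompt revocation on a termination notification) can be modelled as one small gateway. The following is an added illustration, not code from the article or from Apgar & Associates; the roles, actions, provider IDs and patient ID are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
# Illustrative model (not the article's code) of three controls the answer
# lists for Web access to an EHR: authentication of a known, active provider,
# role-based authorization, and an audit trail of every decision.
ROLE_PERMISSIONS = {  # hypothetical roles and actions
    "attending": {"read_record", "write_note"},
    "billing": {"read_demographics"},
}

@dataclass
class Provider:
    user_id: str
    role: str
    active: bool = True  # cleared when a termination notification arrives

@dataclass
class EhrGateway:
    providers: dict
    audit_log: list = field(default_factory=list)

    def _audit(self, user_id, action, patient_id, outcome):
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(),
                               "user": user_id, "action": action,
                               "patient": patient_id, "outcome": outcome})

    def authorize(self, user_id, action, patient_id):
        """Return True only for an active provider whose role permits the action.
        Denials are audited as well as grants, so reviewers can see failed attempts."""
        provider = self.providers.get(user_id)
        if provider is None or not provider.active:
            self._audit(user_id, action, patient_id, "denied:unknown_or_inactive")
            return False
        if action not in ROLE_PERMISSIONS.get(provider.role, set()):
            self._audit(user_id, action, patient_id, "denied:role")
            return False
        self._audit(user_id, action, patient_id, "allowed")
        return True

    def terminate(self, user_id):
        """Act on a termination notification: revoke access immediately."""
        if user_id in self.providers:
            self.providers[user_id].active = False
            self._audit(user_id, "terminate", None, "revoked")

def build_demo_gateway():
    """Constructed sample data: two providers with different roles."""
    return EhrGateway(providers={"dr_smith": Provider("dr_smith", "attending"),
                                 "clerk_01": Provider("clerk_01", "billing")})
```

Every authorization decision, including denials and the revocation itself, lands in the audit log, which is what a later access review depends on.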

Editor's note: Chris Apgar is president of Portland, OR-based Apgar & Associates, LLC. He has more than 17 years of experience in information technology and specializes in security compliance, assessments, training, and strategic planning. Apgar is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy, and Security Forum. You can e-mail him at

