Establish a Secure ePHI System
- Select an Electronic Health Records System (EHR)
- Establish written policies and procedures
- Define internal controls to safeguard the patient data
Assess the System and Data Risks
- Comprehensive analysis of all systems and data risks
- Determine existence and adequacy of written policies and procedures
-Administrative matters
-Technical systems
-Physical environment - Determine whether policies are actually enforced/review written documentation of such facts
- Examination of documents (eg)
-Contracts (HIPAA compliance assurance by suppliers)
-Personnel documents – Hiring, Termination, Disciplinary - Identify and evaluate risks to the patient data
- Identify and report system threats and vulnerabilities
Setup up a system of reassurance activities to ensure ongoing compliance with policies
- Eg – periodic updates of access passwords
- Reinforcement of employment responsibilities regarding patient data
- Assurance of license and CE renewals
Periodic Reassessment
- As a minimum – Annually
- Additionally when the practices undergoes a material change
Meaningful Use and CQM’s
- Use the EMR software to produce all needed reports in PDF form
- Store those reports as backup for certifications
- File certifications and reports related to selected Meaningful Use requirements and required CQM data