35 Compliance Questions You Should Ask Your PM and EHR Software Vendors

If your vendors aren’t vigilant about privacy and security, you could find yourself drowning in HIT compliance woes.

These questions, adapted from the National Cyber Security Center of Excellence, cover the topics you should ask about to find the best ophthalmology practice management software for your needs. Ask a few to keep prospective vendors on their toes and reduce your risk.

Vendor Agreements

Are you willing to sign a comprehensive business service agreement?

Are you willing to confirm compliance with HIPAA Privacy and Security Rules, and willing to be audited, if requested?

Third-party Application Integration

Does my practice need to integrate the cloud-based ophthalmology EHR system with other in-house products, such as practice management software, billing systems, and email systems? If so, what are the implementation procedures and techniques used?

What security features protect the data communicated among different systems?

Personal or Device Authentication and Authorization

Do you restrict mobile device types that can access the system?

What are the security compliance policies for using my own device to access the cloud-based EHR system?

If a device is lost, stolen, or hacked, what countermeasures prevent protected data from becoming compromised?

Does the ophthalmology EHR system require a user to be authenticated prior to obtaining access to PHI?

What are the authentication mechanisms used for accessing the system?

Are user IDs uniquely identifiable?

Is multifactor authentication used? Which factors?

If passwords are used, does the vendor enforce strong passwords and specify the password’s lifecycle?

Does the system offer role-based access control to restrict authorized users' access to different data sources?

Is a least-privilege policy enforced?

Data Protection

What measures protect the data stored in the cloud?

What measures protect the data from loss, theft, and hacking?

Does the system back up an exact copy of protected data?

Are these backup files kept in a different, well-protected location? Are they easily restored?

Does the system encrypt all ophthalmology electronic medical records while at rest?

What happens if you go out of business? Will all clinical data and information be retrievable?

Do you have security procedures and policies for decommissioning used IT equipment and storage devices that contained or processed sensitive information?

Security of Data in Transmission

How does the network provide security for data in transmission?

What capabilities are available for encrypting health information as it is transmitted from one point to another?

What reasonable and appropriate steps are taken to reduce the risk that ophthalmology electronic medical records and PHI can be intercepted or modified during transmission?

Monitoring and Auditing

Are systems and networks monitored continuously for security events?

Do you log all authorized and unauthorized access sessions, and can these sessions be audited?

Does the ophthalmology EHR system have audit control mechanisms that can monitor, record, and/or examine information system activities that create, store, modify, and transmit PHI or ophthalmology electronic medical records?

Does the system retain copies of its audit/access records?

How do you identify, respond to, handle, and report suspected security incidents?

Emergency Access and Disaster Recovery

Do you offer the ability to activate emergency access to the ophthalmology EHR or PM in the event of a disaster?

Do you have policies and procedures to identify the role of the individual responsible for accessing and activating emergency access settings, when necessary?

Do you provide for recovery from an emergency, resuming normal operations and access to patient health information during a disaster?

Customer and Technical Support

What is included in the customer support / IT support contract and relevant service level agreements?

Can you provide a written copy of your security and privacy policies and procedures (including disaster recovery)?

How often do you release new features? How do you deploy them?

Ophthalmology EMR software is constantly evolving. Is your current software keeping up? If not, it might be time for a switch. Make sure myCare iMedicWare and Integrity are on your list. We’ve got answers to all of your questions.
