35 Compliance Questions You Should Ask Your PM and EHR Software Vendors

lifeguard

If your vendors aren’t vigilant about privacy and security, you could find yourself drowning in HIT compliance woes.

These questions, adapted from the National Cyber Security Center of Excellence, cover the topics that you should ask to find the best ophthalmology practice management software for your needs. Ask a few to keep prospective vendors on their toes and reduce your risk.

Vendor Agreements

Are you willing to sign a comprehensive business service agreement?

Are you willing to confirm compliance with HIPAA Privacy and Security Rules, and willing to be audited, if requested?

Third-party Application Integration

Does my practice need to integrate the cloud-based ophthalmology EHR system with other in-house products, such as practice management software, billing systems, and email systems? If so, what are the implementation procedures and techniques used?

What security features protect the data communicated among different systems?

Personal or Device Authentication and Authorization

Do you restrict mobile device types that can access the system?

What are the security compliance polices for using my own device to access the cloud-based EHR system?

If a device is lost, stolen, or hacked, what countermeasures prevent protected data from becoming compromised?

Does the ophthalmology EHR system require a user to be authenticated prior to obtaining access to PHI?

What are the authentication mechanisms used for accessing the system?

Are user IDs uniquely identifiable?

Is multifactor authentication used? Which factors?

If passwords are used, does the vendor enforce strong passwords and specify the password’s lifecycle?

Does the system offer role-based access control to restrict system access to authorized users to different data sources?

Is the least privilege policy used?

Data Protection

What measures protect the data stored in the cloud?

What measures protect the data from loss, theft, and hacking?

Does the system back up an exact copy of protected data?

Are these backup files kept in a different, well protected location? Are they easily restored?

Does the system encrypt all ophthalmology electronic medical records while at rest?

What happens if you go out of business? Will all clinical data and information be retrievable?

Do you have security procedures and policies for decommissioning used IT equipment and storage devices that contained or processed sensitive information?

Security of Data in Transmission

How does the network provide security for data in transmission?

What capabilities are available for encrypting health information as it is transmitted from one point to another?

What reasonable and appropriate steps are taken to reduce the risk that ophthalmology electronic medical records and PHI can be intercepted or modified during transmission?

Monitoring and Auditing

Are systems and networks monitored continuously for security events?

Do you log all authorized and unauthorized access sessions, and can these sessions be audited?

Does the ophthalmology EHR system have audit control mechanisms that can monitor, record, and/or examine information system activities that create, store, modify, and transmit PHIL or ophthalmology electronic medical records?

Does the system retain copies of its audit/access records?

How do you identify, respond to, handle, and report suspected security incidents?

Emergencies

Do you offer the ability to activate emergency access to the ophthalmology EHR or PM in the event of a disaster?

Do you have policies and procedures to identify the role of the individual responsible for accessing and activating emergency access settings, when necessary?

Do you provide recovery from an emergency and resume normal operations and access to patient health information during a disaster?

Customer and Technical Support

What is included in the customer support / IT support contract and relevant service level agreements?

Can you provide a written copy of your security and privacy policies and procedures (including disaster recovery)?

How often do you release new features? How do you deploy them?

Ophthalmology EMR software is constantly evolving. Is your current software keeping up? If not, it might be time for a switch. Make sure myCare iMedicWare and Integrity are on your list. We’ve got answers to all of your questions.

Leave a Reply

Your email address will not be published. Required fields are marked *