§170.302 (o)

Access control

§170.302 (p)

Emergency access

§170.302 (q)

Automatic log-off

§170.302 (r)

Audit log

§170.302 (s)

Integrity

§170.302 (t)

Authentication

§170.302 (u)

General encryption

§170.302 (v)

Encryption when exchanging electronic health information

Confidentiality

Question

OMNI normal settings

Comments

Reviewed

What new electronic health

Local network-connected

information has been introduced

computers have no PHI on

into my practice because of EHRs?

them. The data is stored in a

Where will that electronic health

secure hosted environment

information reside?

that meets all the ONC-ACTB

criteria

Who in my office (employees,

Those designated as

other providers, etc.) will have

Super Users will create

access to EHRs, and the electronic

access and set permissions

health information contained

for all other users.

within them?

Should all employees with access

Each employee in a practice

to EHRs have the same level of

has unique and individual

access?

permissions, as set by the

Administrator. These

permissions govern access

available to the user.

Will I permit my employees to

No Internet-connected

have electronic health information

computer or device houses

on mobile computing/storage

PHI locally. There is no local

equipment? If so, do they know

data to keep secure.

how, and do they have the

Exception: scanned

resources necessary, to keep

documents will be created on

electronic health information

local computers, that need

secure on these devices?

uploading to the EHR

system. Once uploaded, the

local copy of these scanned

image files are deleted.

How will I know if electronic

A designated person in the

health information has been

practice can review the Audit

accidentally or maliciously

Log for the practice, or for a

disclosed to an unauthorized

specific patient, at any time.

person?

When I upgrade my computer

With a server-based EHR, no

storage equipment (e.g., hard

PHI is stored locally except on the secure server database.

drives), will electronic health

Upgrading local machines

information be properly erased

does not leave any PHI

from the old storage equipment

exposed.

before I dispose of it?

Are my backup facilities secured

The server based EHR manages the cloud

(computers, tapes, offices, etc.,

Based backup by using the encrypted I-Drive system. Additional local backups

are also recommended.

used to backup EHRs and other

health IT)?

Will I be sharing EHRs, or

Data that is shared through a

electronic health information

Health Information Exchange

contained in EHRs with other

will be via security policies

health care entities through a

stated in the product, and

HIE? If so, what security policies

which much be agreed to in

do I need to be aware of?

order to access these

services.

If my EHR system is capable of

The entire Office Medicine

providing my patients with a way

EHR platform is ONC-ACTB

to access their health

Certified to meet all the

record/information via the

security and data-exchange

Internet (e.g., through a portal),

standards specified. The

am I familiar with the security

connected Patient Portal

requirements that will protect my

utilizes the same

patients electronic health

level of encryption,

information before I implement

authentication, and integrity-

that feature?

checking that the EHR does.

Will I communicate with my

Patient communications

patients electronically (e.g.,

through the linked Patient

through a portal or email)? Are

Portal platform is secured.

No PHI will be

those communications secured?

exposed through

unsecured email.

If I offer my patients a method of

Patient authentication on

communicating with me

login to the Portal identifies

electronically, how will I know that

the patient uniquely.

I am communicating with the right

Communication of any

patient?

messages from/to this

patient is ensured by the

tight EHR-Portal linkage.

Integrity

Question

OMNI normal settings

Comments

Reviewed

Who in my office will be permitted

The clinician can create and

to create or modify an EHR, or

edit chart notes. Once

electronic health information

signed, no one can alter

contained in the EHR?

them, though addenda can

be appended.

How will I know if an EHR, or the

All activity in a chart is

electronic health information in

recorded in an Audit Log,

the EHR, has been altered or

which is a plain-English

deleted?

record of access,

modification and deletion of

data in a chart.

If I participate in a HIO, how will I

External data imported into

know if the health information I

the EHR is kept separately

exchange is altered in an

from in-practice created

unauthorized manner?

data. All data, in-house and

imported, is tracked in the

Audit Log

If my EHR system is capable of

Clinician-created data, and

providing my patients with a way

patient-created data are kept

to access their health

separately. All activity,

record/information via the

whether clinician-created or

Internet (e.g., through a portal)

patient-created, is tracked in

and I implement that feature, will

the Audit Log.

my patients be permitted to

modify any of the health

information within their record? If

so, what information?

Availability

Question

Omni normal settings

Comments

Reviewed

How will I ensure that electronic

With a server-based EHR,

health information, regardless of

access can be achieved from

where it resides, is readily

any Internet-connected

available to me and my employees

computer, from any location,

for authorized purposes, including

at any time. No locally-

after normal office hours?

installed client software is

needed. No VPN or other

special connectivity is

needed.

Do I have a backup strategy for my

Since the EHR is hosted on

EHRs in the event of an

commercial-grade secure

emergency, or to ensure I have

servers, up-time is ensured

access to patient information if

per the Service Level

the power goes out or my

Agreement. Any local

computer crashes?

computer can be used to

access this service, and local

computer failure can be

interchanged with any other

computer.

If I participate in a HIO, does it

The Office Medicine server

have performance standards

hosting system is run on

regarding network availability?

commercial-grade servers,

protected by a Service Level

Agreement.

If my EHR system is capable of

Patient access to their Portal is server based and available

providing my patients with a way

24/7.

to access their health

record/information via the

Any secure communication

Internet (e.g., through a portal)

between the clinician and

and I implement that feature, will I

patient will have response

allow 24/7 access?

expectations set by

notifications within the

product.

Administrative safeguards

Question

OMNI normal settings

Comments

Reviewed

Have I updated my internal

Periodic review of the Risk

information security processes to

Analysis, with comments and

include the use of EHRs,

check / sign / date of each

connectivity to HIOs, offering

item accomplishes this.

portal access to patients, and the

handling and management of

electronic health information in

general?

Have I trained my employees on

Each user undergoes training

the use of EHRs? Other electronic

within the product, and can

health information related

elect to engage online

technologies that I plan to

training and support with

implement? Do they understand

Office Medicine (offered

the importance of keeping

free).

electronic health information

Employee sanction policy is

protected?

reviewed with each

employee, and placed in

personnel record.

Have I identified how I will

Establish periodicity by in-

periodically assess my use of

house policy, and conduct

health IT to ensure my safeguards

review of Identifying

are effective?

Safeguards. Check / sign /

date each item to document

this.

As employees enter and leave my

Practice Administrator will

practice, have I defined processes

manage the user list within

to ensure electronic health

the EHR, and will de-activate

information access controls are

access to former employees.

updated accordingly?

Have I developed a security

Only one instance of a user’s

incident response plan so that my

login is supported at a time,

employees know how to respond

so any login using stolen

to a potential security incident

credentials can be identified.

involving electronic health

If EHR access using stolen

information (e.g., unauthorized

credentials is identified, the

access to an EHR, corrupted

practice will:

electronic health information)?

1.  Reset the password for

that user, or de-activate

that user

2.  Review the Audit Logs to

identify patients

accessed by that user

3.  Notify the patients

whose records were

breached within 30

days, in compliance with

HIPAA standards

Have I developed processes that

The hosted EHR can store

outline how electronic health

patient information ad

information will be backed-up or

infinitum, and manages all

stored outside of my practice

backup. No local backup is

when it is no longer needed (e.g.,

needed.

when a patient moves and no

Patients can be flagged as

longer receives care at the

Inactive, as needed.

practice)?

Have I developed contingency

Since the EHR is server-based,

plans so that my employees know

Internet connectivity is

what to do if access to EHRs and

required. If there is a lapse in

other electronic health

Internet connection from the

information is not available for an

main source, alternate

extended period of time?

methods of access will be

implemented (e.g. wireless

cell phone access), as

technology allows.

Have I developed processes for

External electronic data

securely exchanging electronic

exchange will occur only

health information with other

through the channels

health care entities?

allowed within the product.

Security for this exchange is

documented within the

product, and referenced in

the Licencing Agreements.

Have I developed processes that

Patient access to their PORTAL is

my patients can use to securely

granted one-at-a-time, via

connect to a portal? Have I

verified patient email. One of

developed processes for proofing

the three credentials needed

the identity of my patients before

for patient access is given to

granting them access to the

the patient in-person, and

portal?

the remaining two

credentials are emailed. The

patient must then change

his/her password upon first

usage.

Do I have a process to periodically

Office Medicine is server-

test my health IT backup

hosted on commercial-grade

capabilities, so that I am prepared

secured servers. Data backup

to execute them?

is done centrally, and no

local backup of data is

needed.

If equipment is stolen or lost, have

Since no PHI is contained on

I defined processes to respond to

local computers, the loss or

the theft or loss?

theft of equipment is simply

property loss. Property loss is

managed through routine

theft-and-loss processes (e.g.

police reporting, insurance

reporting).

Physical safeguards

Question

OMNI normal settings

Comments

Reviewed

Do I have basic office security in

Practice manager to address

place, such as locked doors and

and verify this.

windows, and an alarm system?

Are they being used properly

during working and non-working

hours?

Are my desktop computing

Office Medicine implements

systems in areas that can be

auto-logoff after a period of

secured during non-working

inactivity. However, the

hours?

entire computer desktop

should be Locked at the end

of a work session.

Are my desktop computers out of

Verify physical location of

the reach of patients and other

computers, make sure

personnel not employed by my

screens are not visible by

practice during normal working

those not working at the

hours?

station.

Is mobile equipment (e.g.,

Office Medicine implements

laptops), used within and outside

auto-logoff after a period of

my office, secured to prevent theft

inactivity. Upon leaving the

or loss?

premises, computers should

be shut down or hibernated,

with password re-launch

required.

Do I have a documented inventory

With Office Medicine, any

of approved and known health IT

Internet-connected

computing equipment within my

computer can be used to

practice? Will I know if one of my

connect to the EHR. Per-user

employees is using a computer or

access (regardless of physical

media device not approved for my

machine or location) is

practice?

captured in the Audit Log.

It is good business practice to

inventory in-house

equipment, and is advised.

Do my employees implement basic

Office Medicine implements

computer security principles, such

auto-logoff after a period of

as logging out of a computer

inactivity. However, the

before leaving it unattended?

entire computer desktop

should be Locked at the end

of a work session.

Technical safeguards

Question

OMNI normal settings

Comments

Reviewed

Have I configured my computing

The Office Medicine EHR

environment where electronic

maintains security on the

health information resides using

server. There is no local PHI.

best-practice security settings

(e.g., enabling a firewall, virus

Exception: local copies of

detection, and encryption where

scanned-document files, and

appropriate)? Am I maintaining

local copies of Reports that

that environment to stay up to

may have been output may

date with the latest computer

contain PHI. They should

security updates?

1.  Be deleted when

finished with them

2.  Should only be on

machines with up-to-

date antivirus and

firewall software

installed

3.  If these files are to

remain on a local

machine, the files

should be encrypted

Are their other types of software

Since Office Medicine is

on my electronic health

accessed through a simple

information computing equipment

server browser, and no local

that are not needed to sustain my

PHI resides on the client

health IT environment (e.g., a

machine, there is no

music file sharing program), which

limitation to other software

could put my health IT

that may reside on that client

environment at risk?

machine.

Is my EHR certified to address

Office Medicine is ONC-ACTB

industry recognized/best-practice

Certified to conform to

security requirements?

industry recognized best-

practice with respect to

security.

Are my health IT applications

Only a server browser (any

installed properly, and are the

browser, any platform) with

vendor recommended security

an Internet connection is

controls enabled (e.g., computer

required for Office Medicine.

inactivity timeouts)?

Is my health IT computing

Up to date security on any

environment up to date with the

local client machine is

most recent security updates and

advised. However, access to

patches?

PHI via the Office Medicine

server browser is secured by

the server and forces the

browser to implement secure

communication methods.

Have I configured my EHR

Office Medicine requires 3-

application to require my

key authentication, unique

employees to be authenticated

for each user, in order to

(e.g., username/password) before

access the system. Only one

gaining access to the EHR? And

such session can be active at

have I set their access privileges to

any given time.

electronic health information

The Practice Administrator

correctly?

sets (and edits) permissions

for each user in the practice

If I have or plan to establish a

Patient access to the portal is

patient portal, do I have the

granted one-at-a-time, via

proper security controls in place to

verified patient email. One of

authenticate the patient (e.g.,

the three credentials needed

username/password) before

for patient access is given to

granting access to the portal and

the patient in-person, and

the patient’s electronic health

the remaining two

information? Does the portal’s

credentials are emailed. The

security reflect industry best-

patient must then change

practices?

his/her password upon first

usage.

The portal uses the same

secure server system

that the Office Medicine EHR

uses, and is certified to

conform to the same level of

privacy and security that the

EHR implements

If I have or plan to set up a

Since the Office Medicine EHR

wireless network, do I have the

is server based, all access is

proper security controls defined

secured over the Internet.

and enabled (e.g., known access

Local in-house wireless

points, data encryption)?

access is no different than

access from home, or

elsewhere, and needs no

extra security layer in order

to achieve a secure

connection.

Have I enabled the appropriate

Periodic review of the Audit

audit controls within my health IT

Log will be implemented and

environment to be alerted of a

documented.

potential security incident, or to

examine security incidents that

have occurred?

Audit Log Review

Date Audit Log was

Name of reviewer

Findings

Action needed

reviewed