emory web design certificate review
good afternoon, ladies and gentlemen. i wouldlike to welcome you to the webcast titled: privacy andsecurity - what questions should you ask your vendor. if you have questions at any timeduring the presentation, you may type your question into the q&a box located at the bottom of the interface, belowthe slides. click the submit button to send your question directly to the speaker. questionswill be collected and answered accordingly at the end of today's presentation. thereare two different options for participating in today's webcast. option one will allowyou to view the presentation on your computer and listen to the audio from your speakers.option two will allow you to view the presentation
on your computer and listen to the audio fromyour phone. please make sure you only select one option and you follow the instructionslisted. if you are having difficulties, please close out of the presentation and select theoption you would like to use. if you require technical assistance, please dial 800-264-7882,and reference the confirmation number: 30214296. please note this conference is being recorded. at this time it is my pleasure to turn theprogram over to mr. michael banyas. mr. banyas, you may begin. good afternoon, everyone. on behalf of thehealth resources and services administration, i would like to welcome on this friday afternoonto our latest health it and quality webinar
entitled: privacy and security - what questionsshould you ask your vendor. before we -- before i turn the web -- beforei turn the introductions over to suma nair, the director of the bureau primary healthcare's office of quality and data, i would like to just provide a few announcements. first, the hrsa -- hrsa's office of healthinformation technology and quality has additional health it and quality toolboxes and resourcesposted on the hrsa.gov\healthit website, as well as the hrsa.gov\quality website. additionalhealth it and quality questions can be sent to the hrsa health -- to the healthit@hrsaemail address. next, new items will be -- new items comingto the hrsa health it website include a new
quality -- a new quality improvement granteespotlight featuring first health home services. this quality improvement spotlight featuresone of hrsa's office of the advancement of telehealth's grantees and how they have usedtelehealth and telehomecare health services to reduce hospitalizations and improved qualityusing telemedicine. next, hrsa celebrates national health it weekfrom september 12th to the 16th. please check out the hrsa health it website for more informationon hrsa's health it initiatives for that week. hrsa's health it -- hrsa's next health itand quality webinar: impact of icd 10 on safety net providers will take place on friday, september23rd at 2 pm. registration is now open on the hrsa health it and quality websites. lastmonth's webinar: tips for generating and utilizing
quality data reports using health it is nowavailable online on both the hrsa health it and quality website. we hope that you cancheck out this fantastic technical assistance resource which contains safety net provider-- which contain safety net providers providing guidance on this topic. lastly, hrsa's call -- hrsa has a call forpapers for an issue of the journal of health care for the poor and the underserved, andwe are looking for papers for the journal entitled: evidence for informing the nextgeneration of quality improvement initiatives - models, methods, measures and outcomes.abstracts are due on september 1st. any questions could be directed to the ohitqpapers@hrsa.govemail address or see the hrsa quality improvement
website for more information. i would now like to turn the webinar overto suma nair, the director of quality and data in the bureau of primary health care,who will introduce the speakers. great. thank you, michael. i would like towelcome all of hrsa's grantees and members of the safety net community to this healthresources and services administration health information technology and quality technicalassistance webinar. today's presentation is entitled: privacy and security - what questionsshould you ask your vendor, and we'll provide examples of how safety net providers can addressthe various privacy and security requirements. when implementing a health it system, it'svital for health care providers to know which
questions to ask their vendors. health itsecurity and privacy issues are complex and are critical for providers. one system breachor unauthorized access to patient data can adversely affect a health care provider'spractice, violating patient's trust and the provider and leave the provider liable toinvestigation by state and federal regulators. today's speakers will have firsthand workingexperience with safety net providers on hit and privacy issues, they will explain theaspects of hit security and privacy that are relevant for providers, how to address breachesthat can adversely affect the practice, and the presenters will also share how they workwith safety net providers to prevent unauthorized data breaches.
before i introduce this afternoon's presenters,i would like to read a disclaimer. hrsa would like to add that this webinar is intendedto serve as a technical assistance resource based on the experience and expertise of theindependent consultant and hrsa grantees and that its contents are solely the responsibilityof the authors and do not necessarily represent the official views of hrsa. in addition, hrsadoes not endorse any health it vendors or software systems, including the health itsystems featured in this webinar. now, i am pleased to present the -- introducethe presenters for this afternoon. mr. richard sanders, advises a variety ofhealth care providers, including the georgia primary care association, on a broad rangeof issues including business transactions,
fraud and abuse compliance, certificate ofneed issues, credentialing, medicare reimbursement, antitrust policy, legislative activities andassisting providers in their relationships with federal and state regulatory agencies.he also serves on the audit committee of the board of directors of mcg health system inaugusta, a parent of georgia's oldest medical school and second largest hospital. mr. sandersis a graduate from duke university and earned his juris doctor degree from the emory universityschool of law in 1996. he also currently serves on the adjunct faculty at emory universityand teaches courses in business and regulatory law. next, we will have mrs. holly schlenvogt,started working with the wisconsin health
information technology extension center infebruary as a health it specialist. she's the privacy and security lead and conductsthe hipaa security risk analysis for organizations needing assistance in meeting this meaningfuluse objective. prior to this role, she was the privacy officer for an integrated community-basedhealth care system. in that role she developed and oversaw all privacy and security initiatives.she has over 20 years of experience in diverse health care in a variety of patient care settingsand is also a board member of the hipaa collaborative of wisconsin. she has a masters of sciencein health services administration and a bachelor of arts in psychology with a certificate inethnic studies as well as a certificate in program management.
and finally, we have laura rosas. ms. rosashas recently joined the staff of the chief privacy officer at the office of the nationalcoordinator for health it. previously she was at hrsa's bureau of primary health carewhere she worked on health it issues and served as the project officer for health center controllednetworks. prior to hrsa, she was the project officer to onc for the regional extensioncenters in the mid-atlantic region, as well as led the regional extension center privacyand security community of practice. ms. rosas has been working on hit and ehr issues since2007 when she joined the primary care information project at the new york city department ofhealth and mental hygiene. the pcip is this primary care providers in medically underservedcommunities, adopt prevention oriented ehrs
to over 2,000 providers to-date. as a directorof policy and compliance she developed and oversaw both internal and external privacyand security programs for this groundbreaking project. previous to pcip, laura served asa director of compliance and privacy at a hospital system and was a compliance managerof a large federally qualified health center, both in new york state. laura holds a ba inpolitical science and a jd and mph from the university of pittsburgh. i would like to thank our presenters and allof our grantees in the safety net community for joining us today at this event. and atthis point i would like to turn the event back to norc.
michael banyas: and mr. sanders, you're freeto go ahead. richard sanders: right. thank you so much,and thank you, sue*, for your introduction. and i would like also to thank mike banyasfor inviting me to participate in this webinar today. as he mentioned, we represent the georgiaassociation for primary health care, and in that capacity work with safety net providersall over our state regarding privacy and security issues, and specifically focusing on electronichealth information systems and how they can be more secure and private, in compliancewith the federal laws that are applicable and to the benefit of patients both from asatisfaction point of view and from a quality point of view. we'll move on to slide 6.
my initial task before, laura and holly givetheir parts of the presentation today, is to give everybody a quick overview of theprivacy and security rules. as a reminder, when we talk about hipaa, we refer to a lawpassed by congress back in 1996, the health insurance portability and accountability act,which i always take pains to remind folks only has one p. and so, the surest sign youcan know -- show the folks in your organization you know what you're doing is make sure youspell hipaa with just one p. but when we talk about hipaa compliance, that's really nottechnically accurate because we are ultimately given two sets of rules from the departmentof health and human services that provide the details of how safety net providers haveto comply. the first was the privacy rule
issued by hhs and effective in april of 2003,specifically april 14th, and that covers information related to patients that is in all forms.and so when we talk about hipaa privacy compliance we have to worry about not only verbal communicationregarding patients but written, like in the form of patient medical records, as well aselectronic information. but next slide. the security rule is the part of, i guess,the regulatory environment created by hhs here that deals specifically with health informationtechnology. and so one way to think about is that all information in your organizationis covered by the privacy rule, just the electronic information is covered by the security rule.having said that, there's a significant amount of overlap because the way that you complywith the security rule often has implications
for the protection of information in bothhard copy form, like a chart, or in verbal form, like over a telephone call. and so specifically,the security rule is, i guess, purpose, is to safeguard patient information that it'sin electronic format. looking at slide 8, we do that in three ways.the security rule requires that every covered entity who is covered under the privacy rule,and that's defined ultimately by hipaa, the statute, the security rule requires that organizationsadopt safeguards in three different categories: administrative, physical and technical. nowthe administrative safeguards, looking at slide 9, the administrative safeguards ultimatelyare going to be important in designing the arrangement that you have with your emr vendorsand how you set up your emr system, because
many of the things that -- or the componentsof an emr system are going to be included in the policies and procedures that ultimatelyget adopted by your organization and that ultimately get implemented by the emr vendor.for example, the first sub-bullet point you see here, the security management process,is important when you're talking about an emr system and how you work with those vendorsbecause the vendor's going to need to know, all right, who has access to this. and whenwe have the kind of set of users defined in your organization how do we know when thataccess right is turned off. that's the next, i guess, the fourth one down, informationaccess management. and so these are the kind of things that youprobably have already worked out in your organization
from a physical point of view. in other words,who has the keys to the front door, and when do they give those keys back? you know, isit date of retirement or when they go part-time, do they, you know, give the give the keysback when somebody is terminated? for sure, you take the keys back. but that same kindof logic, that same kind of management decision-making process applies in an electronic health informationtechnology setting as well. and so, not only does the security rule guide you in how tomake those decisions, they get reflected in the contracts with the emr vendors, or certainlyin the way that the emr vendor ultimately implements their responsibilities under thatcontract. number 10 -- slide 10 is important becausemany times, many times in contracting with
vendors, contingency plans are not considered- and we'll come back to this later on when we talk about the nuts of bolts of contractingwith an emr vendor. but contingency plans are really important. you know, every partof the country has different kind of environmental threats to its emr system. here in the south,we deal regularly with two things: hurricanes and tornadoes, and represented folks on thegulf coast of florida and alabama, and frankly, representing folks in central alabama whohad those terrible tornadoes earlier this spring. you know, it's a tough time to findout that your information system isn't backed up properly when your office is in ruins andyour organization didn't have a contingency plan for where the server was backed up orwhere the, you know, copies of records were
maintained offsite. and so, that's why hhsput a contingency plan requirement in the security rule to protect those records. i'm going to skip over the -- well, you knowwhat, let's go to slide 11, just real quick. the physical safeguards are not as importantwhen it comes to health information technology. although work station use and security isalways a big one. for most safety net providers, there's usually a place in your office that'sdescribed as a nurse's station. whether it's just an area of a particular location wherethe nurse sits at a desk or whether it's a formal, you know, chest-high counter witha console behind it and nurse -- a nurse or nurses work, those nurses' stations are kindof the hive of electronic phi, and making
sure that your emr vendor understands thatthat area is not only important from a privacy point of view and security point of view,but, you know, potentially an area of risk because there's so much traffic going by there.that's important to convey at the outset of your relationship with the emr vendor. now, our conversation today is going to focusprimarily on federal law and the rules that were issued by hhs under that federal law.but looking at slide 12, it's also important to note that we've got a bunch of people fromall over the country here, and that your state laws may sometimes coincide with the federalrules on this area, and sometimes maybe more strict and more, i guess, protective of electronicphi. i'll give you two examples here, one
from california and one from florida. theimportant thing to note is that when you're contracting with an emr vendor that you understandthat the vendor understands that the obligations that they're used to dealing with at the federallevel aren't the whole cup of tea. that at some point they're going to need to checkstate laws to make sure that you're compliant with them as it pertains to your electronicmedical record system. by the way, as just a quick housekeeping note,i forgot to say this at the outset, although we are a law firm and certainly work withplenty of safety net providers, my comments today and these slides should not be construedas legal advice. they were here on a educational capacity today and not as your counsel.
looking at slide 13, they're the last kindof category of the security rule, is the technology standards. and you see here that there's alot of overlap with the administrative safeguards, like access control - who gets in the network,who gets audit control and who has the right to audit electronic medical records. and thena big issue which folks have a lot of questions about is, transmission security. another wayof saying that is, do we have to encrypt emails that include patient information. we'll talkabout that more as we get into the details of the contracting process. but i'm goingto stop here and hand things off to our next presenter. michael banyas: ms. rosas?
laura rosas: i was on mute, sorry. michael banyas: no problem. laura rosas: well, thank you, everybody. thanksfor being here. thank you so much for that introduction. and my presentation really isgoing to concentrate on questions you want to ask your vendor and looking at this froma health center, rural health clinic perspective of looking at the many choices out there interms of er*, ehr solutions. so this slide i had developed several yearsago, and it's still the way i think about security and privacy, and, you know, it'sa castle with motes around it and the first mote is policies and procedures and training.and i know from years of doing compliance
that whenever i say policies and procedureseveryone's eyes glaze over, but i can tell you from experience that when you have a breachand you have it sometimes kind of emergency, that's the first thing people want to turnto - what did we agree to do back before this emergency occurred. and all of the rest ofthese elements of privacy and security will fail if you do not have updated policies andprocedures and training for your staff on those. otherwise everything else begins tobreak down. after policies and procedures you want to think about physical security,things like, where are your servers kept, are they near an open door, are they accessibleto the public, are they in a climate controlled room? i have had experience where serverswere in a room where the air conditioning
broke and we lost months of emails. i've seensituations like that. you want to make sure that there's access controls that are in theehr and also on the computers that prevent people from going to portions of a recordthey shouldn't be in. for example, the receptionist should not have access to the whole record- we'll talk about that a little bit later and holly will be expanding on that. you wantto have audit features enabled and properly configured so that you can see who's accessingthis and do that regularly. you want to have a network that is secure that people can'tjust get on. you want to make sure that it's encrypted correctly and that there are firewalls.you want to make sure that you've got a backup and recovery system. and you're going to needa policies and procedures certainly that's
going to address that. who is responsiblefor that? who is responsible for testing it? often backing up is easy, recovering can bemuch harder. and then of course encrypting, encrypting data in transmission. and very,very importantly, encrypting mobile devices, that all mobile devices should be encrypted- and we'll talk a little bit about that. so where you really want to begin is assessingyour organization. you know, are you a health center in a rural area of an urban area? doyou have broadband or a really fast, reliable internet service. that's really going to affectyour hosting solution, it may affect upgrades, it'll affect perhaps the equipment. that'sone of the first things you want to ask yourself before you even talk to vendors. i mean areyou going to be using mobile devices? do you
envision having providers with laptops andtablets? are they going to be trying to bring their own and you're going to let those onyour network? how computer savvy is your staff? do they regularly use computers already? doyou have staff that are not comfortable with computers? now you may want to think abouthaving, and i know we did this at one of my health center where we had training that waskind of ongoing, where we had set up a little computer area and staff could come in andtake courses once every couple of weeks and get familiar with new applications - and thatwas great for both current staff and staff that you're hiring. and are you planning onjoining a health information exchange, or do you have one in your state that's reallyfunctioning well and that's able to exchange
information that you're going to be tryingto do lab interfaces through that? these are some of the questions you want to ask. another great question is, are you part ofa health center controlled network or regional extension center? you know, you may know thathealth center control networks are doing a lot of hosting solutions and a lot of implementationassistance, some of them also are regional extension centers. regional extension centersor recs were granted funding by onc to provide implementation and technical assistance tocommunity health centers and practices and small providers all over the country. thereare 62 of them. they're everywhere. there's also 62 hccns (or health center controllednetworks). they can really help with a lot
of the difficulty around training and implementation.many of them have contracts with ehr solutions at a reduced cost or they've been able tonegotiate for additional services. so if you can, you know, determine if there's one ofthese in your area, you may really be able to gain a lot of benefit and save yourselfa lot of pain and cost as well. are you thinking about how you're going to allow patients toaccess their own personal health information? a lot of ehr solutions have a patient portal.often it's at additional cost. sometimes if you go through an rec or an hccn, you canget that feature included at a reduced or included even without an additional cost.so are you thinking about using those to help your patients or are you thinking about havingan interface in some way. so that's another
thing you want to think about. when you're -- the next step after you'vedone either an rfi, or maybe you've worked with an rec or an hccn, and they have maybea couple of solutions you want to look at and then you have to make a choice, the firstthing you want to do is see a demonstration after you've done the rfp or rfi process.and it's better to see a demonstration that's live at least so that you can have them walkthrough different steps. it's better to have a script when you're working with vendorsso that you can see exactly, you know, what's going -- and you want the script to be asclose as possible to what you do in the real world. so tell me, i'm a patient, i've comein and i'm at the receptionist, show me what
happens at checkout? show me what happenswhen a medical assistant comes in and how they're documenting that? show me what happenswhen a doctor wants to do a (inaudible)? how do i order a lab? how do i order an e-prescription? actually to have a script and have them walkyou through it because then you'll really be able to do side-by-side comparisons andapples-to-apples comparisons across vendors to see what that looks like, the ease of use,the usability, the interface, you know, you could be able to get a good sense of that.and i think it's really, really important to have the right people in the room and havea broad sloth [sic] of your organization. you know, if you want medical assistants,providers, nurses, it security, the front
desk, you want the billing people, you wantto see their reaction to this and they will raise questions and have a perspective thatyou could never get with one or two people. and i have seen situations where, you know,you think you're going to implement a program or you're going to implement a software pieceand it all breaks down because nobody knew the fax room was locked during certain hours,only one person took those faxes off and then did something with them, and that kind ofthing creates a lot of difficulty when you're trying to do something and a lot of that wouldbe prevented if you had the right people in the room at the beginning of these conversationsand you would get that kind of feedback. you know, you want to ask for a demonstrationof the security features. and very rarely
do people do this. and i can tell you fromexperience it's very important because there are things that you're going to want to dobecause, you know, on the phone are obviously a lot of larger organizations that -- well,you know, health centers that you're going to be wanting to set security features foryour organization. you know, you're going to want to have -- have password difficulty,that's the same across your organization. and you can do time-outs and lock-outs afterwrong password. you can set those in both ehrs so that they're the same for everybody.you're going to want to see how that is set up. role-based and user-based access, very important.and this is where you can really, you know,
prevent a lot of breaches and a lot of issueswith your ehr with unauthorized access to the record. so you want role-based accessoften if you're a larger organization where, you know, the receptionist only has accessto the part of the record that she actually needs, doctors will generally have accessto everything, the billing people have access to what they need to do their billing andyou'll want to make sure that this done correctly. and sometimes what happens is, when the vendorleaves it's not done and ehrs really vary in how granular this is. some are very, verygranular. you get like hundreds of attributes and it could take hours to set up. some arenot granular at all and they're very broad based and you're not going to really get thesecurity you need, especially if you're running
substance abuse programs or, you know, familyplanning and you really want to lock down some information. we'll talk a little bitabout that later. but you may need more granularity, and so you want to ask about those featuresand ask to see those. a couple of issues that have come up overthe last couple of years, especially with hitech and the changes to hipaa, you know,restricting bills that are for minors. you know, in many states minors can consent totheir own care and then were they consent to their own care they also control that information.so you in many cases if you're working with, for example, family planning, you will notwant to send a bill to that patient's home. you know, how do you prevent that in thatehr after vendor to show you? we have new
hitech requirements and there'll be more guidancecoming out of this in hhs in the next few months, but under the new hipaa requirement,if someone pays for something out of pocket you are required to not send information totheir health plan. it's no longer something that someone can ask and you can say no. youmust do this. how does this ehr do that? you will want to ask your vendor how it does thatand what those functions look like. and then if you are running substance abuse programsor anything where you're dealing with information that is sort of specially protected, minorconsented health information, mental health, substance abuse, you know, how can you turnthose pieces off so that other people can't access them or what are some of the featuresthat the ehr has where you can specially protect
that and make sure that it's treated correctly. you know, another issue that a lot of folksdon't ask about is the auditing functions. you know, people will say, "it doesn't havean auditing function," and the ehr vendor will like, "well, yes, of course." a lot oftimes those auditing functions are very hard to understand when you actually look at them.you look at the print outs, you'll want to see what that looks like. you'll also wantto make sure that whoever has access to that you can really limit it and really limit whatthey can do to it. so those are things that you're going to want to ask. other things people think about a lot, printingout an electronic copy of the record. you
know, not everyone's going to want an electroniccopy. you know, sure you can probably get it to a cd, what if someone wants a papercopy? what if you get a subpoena and you need to print out a paper copy, you know, how doyou actually do that? you know, the record has many, many pieces of it, you're goingto want documentation on that. and so on the left hand side of the slide you'll see whatthe documentation should look like. there should be screen shots and then there shouldbe directions under each screen shot telling you where to click and how to do this andyou're going to want that in paper and so you can give that to staff and you're goingto want this electronically as well. you're going to want to know how to do both an electroniccopy and how to do a paper copy. and then
you're going to want to know what kind oftraining they're going to provide and where that documentation's going to be and whenit gets upgraded. because sometimes when upgrades happen these things will change. you're goingto want to make sure updated information comes. and then finally, you know, we did talk abouthipaa, and as you know there's of course your state laws if they're more restrictive orgenerally going to preempt hipaa, and many states have more restrictive laws than hipaa,but you also have other laws. so you have laws around confidentiality of alcohol anddrug abuse, you have title x, then there's gina, which is regarding genetic information,and there's ferpa, which is education records. so you want to also think about those lawsand how they affect your ehr implementation.
and then finally, and this is the end [sic],but i just thought this was a great cartoon. because i think we've all heard the horrorstories or even unfortunately experienced them where medical records get faxed, andso you can see here that the -- the records were faxed but that person who received themalso did not know what was wrong with the patient. and then i've got some additionalresources and i believe these will be posted. so you can see there's lots and lots of guidancecoming out. and with that, i'm going to bring it overto holly who can talk more about security. holly schlenvogt: okay. thank you, laura.i am holly schlenvogt, and i work with whitec, which is the wisconsin regional extensioncenter. and like we said in my introduction,
i do work with doing the privacy and security-- or actually the security risk assessments for organizations in our state. the objectivesfor today are to provide some general considerations in selecting a system as well as some keysecurity related questions to ask vendors and then provide you with some additionalresources. some general considerations. the first oneis, is it a client server or a hosted asp or a web-based type application. and thereare many pros and cons to consider for each of these. a client server is one that's onyour own computer network, you're typically more in control of the hardware, the operatingsystem, the database software and upgrades. the asp is an application service provider'snetwork, and that's web-based. typically the
vendor controls the upgrades, the system changes.this type of application though you need to be really careful and consider what kind ofdata connections you have as well as do they have รข€” are there backups, backup connectionsavailable to make sure if internet service is down that you can hook up to somethingelse to have access. then, another question is, what software andhardware is needed for this application? what quantity and specifications are needed? isthis something that's provided by the vendor or is it obtained by the organization? doesthe vendor give you a list and then you go out and purchase everything? the next questionis, do you help set up the hardware and the wireless routers or did they have a thirdparty vendor do this? in fact, ask throughout
all these questions: do they have a thirdparty vendor doing these types of things for them and do they extend contracts to them?and we'll kind of talk about business associate agreements that extend those to them as well. another question is, what is the warrantyfor the software servers and hardware and is that going to help protect you along theway? how often are updates done? will the organization be notified? how are they done?are they done onsite? are they done remotely? what kind of safeguards are used during upgradesto prevent open ports social engineering, those types of things? how often is the systemdown on average? what about for -- you know, is it maybe system failures or do they alsotake the system down for scheduled repairs
or updates. and then finally, another general considerationhere is, what happens if the vendor sells to another company and perhaps they can'tpredict that but maybe they are considering selling to another company. are they consideringselling to a company in another country? and would this by any chance impact your organizationand the confidentiality of patient records? key here is really to kind of take a lookat, is the data retrievable, is it readable and is it able to be integrated into a differentelectronic health record should that vendor go out of business or your organization switchto a different vendor in the future. so those are the general considerations, andnow i'll kind of move on to more security
related topics for questions to ask. the first being system access. the first questionhere is for a role or user-based access, does the system allow the organization to createand assign different access roles to meet those minimum necessary requirements thatare so important these days? if the vendor creates and assigns these roles can organizations-- an organization have procedures in place with the vendor to only provide that accessto those users that the organization approves? also involve them, is this kind of consideringthe number of administrator accounts that they're limited within the user access. the next question is on user modificationsand terminations, does the organization or
vendor do this? my recommendation would be,and i'm not providing any legal advice in this presentation either, but to try and haveit so that the organization is able to modify and terminate user access so that you cando it very quickly and efficiently. but if the vendor does maintain that control, dothey do it immediately upon notification? are they available 24/7? because that wouldbe important if you have a sensitive issue where a user is known to be breaching informationand you need just to get their access terminated immediately. a couple of other points around system accessis, can access to certain types of records be locked, and laura talked about this a littleso i'm not going to go into it, but keeping
those state laws in mind. then the next questionis, remote access, what methods of remote access for the electronic health record arerecommended or set up for the users? is the website access-secured? there's several meansof course that you can use to grant access to this. it could be through a virtual privatenetwork or a vpn and through a citrix access, and these are encrypted and secured ways tobe able to access -- for a user to be able to access from offsite at any location thathas internet and a laptop or a computer or even a mobile device available. one otherconsideration here, more internally, is to take a look at your network access. if youuse a microsoft active directory maybe it permits only authorized computers on yourdomain or use the network switches to only
allow specific mac addresses in certain computersto be on your network. the next topic then is about authentication.what type of authentication is actually used to access the system? most often we hear ofusing a user name and password but we can use other two factor [sic] identifications.it might be where there's a fingerprint used. you could have an id badge sign-on in place.you could have a secure token where you have a little device for the users, hold thosethroughout the day and it's a randomly changing number that you use when you log into thesystem. there might be biometrics other than fingerprints involved. there might be thatproximity badge as well. does the system work with those and would it work with a singlesign-on if the organization is looking at
going into a single sign-on application. if you are using user names and password,password strengths are very important. to have those eight characters, alphanumericand require a character, that's one of the best standards out there or stronger thanthis. also consider is there a frequency that they can be changed? is it forced by the applicationor something that the organization can set up. some systems don't allow user names andpasswords to be changed at all and so that's not a very good thing. we want to be ableto have users change their passwords on a consistent basis. are they not able to use,say, the last six words -- or six (inaudible) words that the user previously, most recentlyused? are users forced to change their password
after their first login? and that's importantif the administrator especially is assigning a generic password for the user, that they'reforced to then change to their own user name -- or their own password. are these all defaultsettings and can these settings be changed by users and/or the organization or only bythe vendor? it's recommended of course that this will be something that your organizationwould be able to control and that certainly the users wouldn't be able to change thosesettings. the next topic then is auto logoff. can thesystem be set to automatically save and then logoff users after? and this is just a timethat is frequently used, 10 minutes of an activity. some organizations that i've beenexperiencing have a very hard time culturally
changing the organization to get down to 10minutes or to use any amount of auto logoff. but 10 minutes would certainly be a good placeto try to achieve. and one of the key questions behind this in there, is does the system savewhere that user was? so if the electronic health record is logging off the user aftera certain amount of inactivity, does it save where that user was and all that information?i've heard some electronic health records will auto logoff but they don't save the informationand so it's all lost and that can be very frustrating to the users as well and reallycertainly affect quality of care. and again, does the vendor set up the timeframes herefor the auto logoff or does the organization do this? so within this also on your accessto your domain, so to speak, just a side note
for you to kind of look at setting up maybewhen a user logs into the computer or the laptop, that there's auto logoff there aswell and that if you're going through a vpn or a citrix or some other application, actuallylog in the sessions, that those have time-outs. and considering then, you know, if there's,say, a 30 minute logoff because the system ehr doesn't save, then maybe have portablemedia have much less timeframes for the inactivity auto logoff to happen. let me kind of move on to encryption and integrity.and laura touched on this a little bit. it's very important of course to have encryptionin place. but the first question is really to ask where is ephi* stored? is it storedonsite? is it offsite? is it, you know, out
there in the cloud for you to access? andthen start looking at where are you encrypting it? how is it encrypted? at rest and in transit?there are many different methods out there, and i'm certainly not going to endorse anything,but there is, you know, full disk encryption, there's database encryption, we should havethings at fips 140-2 compliant for transmission, looking at the 128, that secure socket layer[sic]. there's also something as md5-sha-1 transport layer security. there's secure filetransfers, having point to point vpns, and these are a lot of different things that i'mkind of tossing out there but there's a host of types of things that you can use. one thingwith the fips 140-2 compliance, one of my colleagues basically researched this, andwas only aware of securezip and pointsec being
the ones that were fips 140-2 compliant andare being used by government agencies. then, basically just around this, integrityof course is really important, and that's why we use encryption is basically to makesure that nobody can inappropriately access information and/or change that information.and part of the integrity is to have a firewall protecting the system, preventing trafficfrom getting into your systems and the antivirus protection, it needs to be current, it needsto be current everyday. the best practice, if it can be updated every four hours, thatwould really be ideal. having your security passwords for your systems current and updated,how frequently are those done? and then just generally asking what other kind of integritycontrols do they have. they might have some
endpoint security solutions, there might besome mcafee enterprise, cisco, csa, symantec endpoint and those types of things runningas well. and then the next topic are audit trails.and laura did talk about this a little bit. just a little more detail on the audit trails.making sure that there's enough fields in there so that you can really look at and identifywhat has happened in your systems. having the dates. what i have found useful is tohave it timed to the second. it has really helped to see how long a user was in a certainpatient's account to see was it appropriate or not, maybe they made a mistake and typedin the medical record number wrong and if they're in and immediately jumps out thenit might be not as serious of a violation.
to have in the audit trail the user name,the patient name, the patient medical record number, function in the system, where theyaccessed the information, what they actually accessed, what actions they did, did theyprint, did they view, did they change something. and if possible take a look at what computeror portable media device that they used to actually access the information. all of thesethings are really important as you go through and investigate a potential breach or inappropriateaccess into your system. can it be put on to, say an excel spreadsheet, so that youcan easily manipulate the information? another question is to ask, is the organization ableto run them themselves? some of the electronic health records systems only run them uponrequest for the organization and then they
send with the organization request. in myexperience it's been very helpful to have immediate access and be able to do it myselfto manipulate the data. another type of audit trail to have maintainedis called login monitoring, to look at who is logging in, when they're logging in, whenthe users are trying to log in, and to have alerts be sent to you if somebody's tryingto log in and they are not successful in getting in to have an alert sent to you that you knowthat somebody's trying to get in and it may be an -- a type of inappropriate access. andto lock the account, is the system able to do that after three unsuccessful attempts,for example. and then there's data storage and backups.looking at what is the source data? with the
original information, where is that stored?it's important to understand if it's stored, is it in your state, is it in another stateor is perhaps in another country? and if it is in another country, not that there's -- that'sa horrible thing, but to basically make sure you're understanding what their privacy andsecurity laws and make sure that they're protecting the information as well. with this, the data,is it separated from other client's data? sometimes they merge other organizations'data into the same server database and so it's not really just the database with yourinformation, so asking if it can be pulled out and kept separate, maybe something thatyou're interested in doing. with the data backup, it is very importantto store information and have it backed up
so that if, you know, there is an emergencysituation or a disaster, that you are able to access it. but then to find out how faraway is it stored, a good standard of practice is to have it at least 60 miles away fromwhere the source data, the original data is stored. the further the better. when is backedup? how frequently and how often are backups tested to making sure that they are testedand can be -- backups be automated. and then of course finding out how long is that datastored? and we have already talked a little bit aboutcontingency plans. i'll just bring up a couple of points on this slide. will the vendor workwith you to create a contingency plan? so they may very well have one but then you needto know how you fit into the picture. if the
system's down what numbers -- telephone numbersdo i need to call? who do i need to contact? will you give me access to this contingencyplan so that we can certainly get ahold of who we need to get ahold of should somethinghappen. how are we going to get it backed up and going and running if our facility isdown as well? does the vendor have redundant power supplies? do they have a gender -- agenerator or do they have a ups? do they test those? how often do they test that? how oftendo they test their contingency plan in general, is also another question. and then another question is to kind of talkabout, does that include facility access controls. making sure that the right people are ableto access that ephi and restore it and get
into their facilities. which really bringsme to the next line on facility security. generally asking, how is access restrictedto those who do not need access. and you'll want to consider these things especially ifthe vendor stores ephi for your organization or if they're going to be hosting the electronichealth record for you. do they restrict through the use of fees, id badge, fingerprint access?are those server rooms locked? is there a fire prevention system in place? how is thatmonitored and tested? and then there's vendor access. so if thevendor is going to be able to access your system, which they most often will to helpsupport you, how many support staff are authorized? is it everybody in their organization? thereare a lot of questions to ask around this.
starting with the implementation. is the supportaccount the same for all implementations of your ehr solution? is the password different?did they change their passwords for every implementation? how often are passwords changed?there's a couple of common vendor access methods that one of my colleagues said that he's seeing.one is that support staff have shared administrative account into the provider's ehrs, into everyprovider's ehrs. and then he sees a model where support staff use their own use -- ownlogin ida [sic] and then escalate privileges in order to support ehr. and this really isthe best solution so that you have appropriate logging and accountability. other questions, just generally, what if yourvendors are going to be accessing, do they
have all the privacy and security policiesin place that cover also hitech and meaningful use and state laws? some examples might be,do they write, post, and implement policies and procedures? what are their policies andprocedures around restricting access to the minimum necessary number of users? and aswell as restricting access to users to the minimum necessary of ephi to perform requiredresponsibilities. another policy and procedure that you'll probably want to have a look atis, how are they going to report any kind of incident or breach through your organizations?of course that active training program for them as well as how do they train you andall the security measures. and a big reminder here, because they have access to your informationor they're storing your information that you
do need to have a hipaa compliant businessassociate agreement in place with them, and the recommendation of course is to do thatwhile you're contracting with the organization. so, in general, general security questions,just kind of breeze through these for you. are all of the security features on or isthis controlled by the organization? are there any interdependencies that would affect orimpact somehow the confidentiality, integrity or availability of ephi just by putting thisin place? have all the security features been tested for reliability? what tests -- whatdo the tests show? did they show that things are performing correctly, accurately and withintegrity? what other types of security and system support do they provide and will itcost any more to have all this security? or
is it just something that's already includedin your package and does that cost that you're already paying also include the support? really quick, regarding resources. i am aboard member for the hipaa collaborative of wisconsin, and just would like to let youknow that there are a myriad of resources out there. they're free privacy and securityas well as edi transaction policies, procedures, white papers out there. we work very hardhaving volunteer networking groups that create these -- and collaborate and create thesedocuments. so i certainly encourage you to go out there. one of the topics that i talkedabout today is encryption and there's an encryption white paper that is very thorough and it walksthrough some of the encryption strategies
that you can use. and that is the end of mypresentation. thank you. richard sanders: all right. thank you, holly.this is rich sanders again. we're going to go back to slide 14. and before i get startedon my portion, thank you, holly, for introducing me to a new animal. i did not know about thehipaa cal*. but that logo is terrific. so the information that holly and laura havejust shared with you all is i think just a very kind of quick review of the kinds ofquestions that you should ask your ehr vendors, and the kind -- the scope of issues that yourehr contracts can undertake. to shift gears a little bit though and talk about this inkind of a transactional way, the financial considerations in dealing with an ehr vendorare significant. there's a broad range of
estimates out there about what it costs tostart up an ehr system. the kind of average that we've found is that on -- you know, nationwide,you can expect to spend a little over $30,000 per physician in -- starting up an emr orehr system. but that the benefits come back in direct return on investment for your safetynet organization. and those take time to, you know, manifest themselves, but ultimatelythe money that you spend in year one or two to get things rolling for your ehr systemcome back to you threefold. and so it's important not only to make sure that you understandthe, you know, the financial significance of undertaking the conversation, but thatyou understand that the benefit is going to come back eventually.
on slide 15, we mention that there are over80 providers of ehrs. and this is a really important kind of place to talk about meaningfuluse. if you're going to try and get the federal incentive dollars available under hitech throughthe onc, that's a whole different webinar for a whole different day, but make sure thatwhen you're talking with a vendor and your organization has decided to try and get thoseincentive dollars through medicare or medicaid, in some cases, for those of you who are participating,both, make sure that the technology that the vendors is selling you is certified by theonc as appropriate for meeting those meaningful use criteria. but, as mike banyas and i weretalking about, in getting ready for the webinar today, the key to privacy and security compliancefor your organization really starts with the
contract negotiation process. whether it's-- you know, whether ultimately the software price or the installation process and thekinds of technical issues that holly and laura have talked about ultimately get resolvedin the contract or through the implementation of it, one thing's for sure, and that is that,on privacy and security compliance, are better addressed at the outset when you're negotiatingthe contract, not when something happens, like destruction of electronic phi systemsbecause of a natural disaster, or because of a breach. as i think laura mentioned, when -- you know,under the revised version of the privacy and security rule, when a breach occurs you'vegot to notify the patient or the patient's
representative, unless it fits into one ofthe exceptions, or unless you've done the risk and analysis and determined that notificationis not necessary. that is -- that's not the time to decide who is responsible for thecost of notification if the vendor is at fault. and we deal with that in my office, unfortunately,on a weekly basis, because breaches do occur and when the breach is the fault of the vendorthe vendor is usually going to be embarrassed and consider it a customer service problemat the organization, but that may not include bucking up for the cost of the notification.better to handle that in the contract terms. so let's take a look at 16 -- slide 16, sorry.so, term and termination effect, privacy and security compliance, you wouldn't think thatsomething like saying, "well, this is going
to be a three year agreement or this is aone year agreement or five year or whatever," would affect privacy and security compliance.and typically it doesn't, just by saying, "okay, on this calendar date, the contract'sgoing to terminate." what does affect privacy and security compliance though is the changingnature of these rules and regulations. and so your contracts should include some kindof mention of the necessity for hipaa compliance whether it's a privacy and security rule orany other rule issued by the federal or state governing agencies. and likewise, terminationsshould probably include mention of that as well that you have, as a safety net provider,you have the right to terminate an ehr vendor if they either fail to help you comply withthe privacy and security rules or if they
violate them and ultimately cost privacy -- causeprivacy and security damage to your patients. compensation and indemnification kind of gohand in hand in that regard, everybody, because when you're talking about payment to an ehrvendor, as we mentioned on the previous slide, there's a lot of money in play. it's not justthe installation, the initial training and the cost of startup, there's typically maintenance,monitoring and, you know, kind of ongoing support cost that mean you're going to havea long term relationship with this company. and, you know, things happen in long termrelationships. there's got to be, at least in my opinion, there's got to be some recognitionthat compensation can change if compliance becomes an issue. in other words, if they'renot helping you comply, then that can be reflected
in the way that they get paid. likewise, wewere just talking about how a vendor should pay for the cost of notification if there'sa breach of patient privacy, that would typically come under the indemnification paragraph ofone of these contracts. duties and obligations, that's -- we've gota whole separate slide on that, and we'll get to that in a second. and then mutual confidentialityobligations are important. holly was getting into some great detail just a few minutesago talking about the questions you should ask, not only with regard to how the vendor'sgoing to help you maintain access and control access within your own organization, but whatkind of obligations the vendor should take on to keep the information confidential ontheir own. and then of course down here at
the bottom, don't forget that federal andstate law apply in these circumstances. so it's important to keep both in mind. if you go on to slide 17, we'll talk -- thereare really two different kinds of ehr contracts. there are five to 10 year agreements whichnecessarily are more attractive to safety net providers because those typically havewhat we refer to as a lower end. in other words, it's not as expensive for you at thefront end. the problem with that is, and, you know, we see this, unfortunately a fairamount for early adopters of ehr systems, is that when you get into a five to 10 yearrelationship with an ehr vendor, there are two things that are likely going to happenthat changed the nature of that relationship
and often lead to regret by the provider.one is that the software or the actual product doesn't keep pace with the changing natureof health care organization. i see this day in and day out that folks are saying, "youknow, we now offer these three services." i'm thinking for fqhcs in particular who'vegone from primary care to now dental health and mental health, and the ehr system we haveonly contemplates primary care and it just doesn't help us with the scope of things thatwe need to address. on the flip side of the coin, of course, is-- and the other significant issues is that the ehr vendor's going to change. as we mentioned,there are 80 or so companies out there selling ehr products right now, but this industryis in a tremendous state of flux. those companies
are merging. some companies -- you know, inmany cases are merging. some are going out of business. some big ones are rolling upsmaller ones. and so, i think it was holly who mentioned, you know, you need to understandkind of where your provider is going to be when something happens to that ehr vendor.typically that's in the form of the ability to terminate if your ehr vendor gets purchasedby a company that for instance, you don't want to do business with. the flip side ofthat coin, and this is really important, is to make sure that even if the ehr vendor doesget purchased by a new company and you want to do business with that new company, thatduring that transition they continue to meet their duties and obligations to you. unfortunately,it's commonplace where an ehr vendor gets
kind of bought up and rolled into anothercompany, all of a sudden the people you're used to dealing with get reassigned to otherduties or let go and you're having to call a 1-800 number that, you know, you have towait in line for half an hour and you never had that problem before. now that's the resultof the changing nature of this industry. let's go on to slide 18. the scope of servicesthat an ehr vendor provides typically includes, you know, a couple of basic kind of categories:the first is installation; the second is training and then the third is maintenance. typicallyehr vendors will have these different categories of duties and responsibilities spelled outin an exhibit or an attachment that looks a whole lot like a work order. in some casesthey call it a work order. it's important
for safety net providers to really reviewthat carefully. because if there's not something that you need mentioned in that form, that'sthe time to get it amended before you sign the contract. and likewise, the folks whoare in sales for ehr vendors are not typically the ones who are responsible for installation,training or maintenance, right. and so, what your sales person is telling you with regardto how things are going to roll with, you know, regard to setting up or transitioningto an ehr system, needs to match exactly what that scope of work requires. in other words,you know, down the road, if you're -- if you get an invoice for, you know, $10,000 worthof training, and you say, "well, this sales guy told me that the training was included,"you need to be able to match it up to the
contract to say, "look, it says right herescope of service includes training and there's no additional charge." and by the way, thathappens on a frequent basis because ehr vendors do make a lot of money during the trainingprocess. if it's not included, a trainer can be $80-$100 an hour, in many cases. slide 19 really is important because eventhough you're starting a long term relationship with this company, and everybody's happy becauseyour organization is either going electronic or moving from one ehr vendor to another andyou're anticipating great benefits to come from that. it's important to think about,unfortunately, how it's going to end. and there are really three different ways thatehr vendors approach this.
one is for cause. and typically the latitudethat your organization is going to have to terminate a vendor for cause is going to bepretty narrow. it's going to take a real, what's called, material breach. in other words,something really serious that they did to mess up. and a lot of times, you'll see hereat the bottom of slide 19, a lot of times even that ability where the ehr vendor hasreally fouled up something badly is kind of limited by the fact that you have to givethem notice of that material breach, and then they have what's called a cure period -- periodof time, number of days, typically 30, for them to fix what's broken. and so it's commonplaceto then to have a really frustrating development and a really bad foul up by the ehr vendor,but you go back and look at that contract
and there's not much you can do about it otherthan tell them what they've done. and so if you find yourself in this situation, it'sreally critical to make sure that you document how you've notified the ehr vendor of thebreach. because in many cases an ehr vendor will say, "well we didn't know that this particularissue had arisen since you didn't tell us." and then of course there's without cause termination,which basically means, we've just decided we don't want to work with you anymore. mostehr vendor contracts do not have a without cause termination provision. and so its important,when you're talking with your local counsel or the general counsel within your organization,it's important to try and get that provision in there. in other words, most ehr vendorswill present to you a contract at the outset
which says, "you can terminate this contract,but it's only if we really foul things up and it's only after we have 30 days to fixit." most of the time they don't give you the opportunity to say, "heh, it's not workingout." and so, we recommend, to our clients, that they add in that kind of provision. on the next slide we talk about somethingthat you rarely see in ehr vendor agreements, but that likewise is important if things arereally going south. we were just dealing with this issue with a client of ours last monthwho is in a specialty practice and hired an ehr vendor to implement their new practicemanagement and billing system, and the practice management and billing company had plentyof experience in other types of specialties
but not in my client's. and in about threeor four weeks, things quickly ran off the rails, my folks had not been able to billit a dollar and ran up, what, a little less than a million dollars in accounts receivable,just in the space of a month, because the software wasn't appropriate for their particularspecialty. and luckily we had a provision in that contract that says, "if it's not workingout and you're failing to do what we need you to do, i.e., if you have a billing systemas part of this ehr system it needs to bill, then we can immediately terminate." and soit was a shame that things kind of ran off the rails that quickly but it was a good kindof reminder how important that can be to your practices at your -- or hospitals' operations.most of the time though, these ehr contracts
say, "this is a one, two or three year agreement,and it's going to automatically renew, and you've got to give us 180 days notice if youdon't renew." so it's important at the outset for somebody in your organization to takethat contract and kind of calendar what those days are so that you know down the road youhave the opportunity to say, "well are things working and is this an agreement we want torenew?" that should be on somebody's calendar. last, i think we're almost done with my slides.on slide 21 we talk about duties of vendors that impact providers. and holly and lauracovered a good bit of this but i think the one that i'd like to focus on here for justa minute is hipaa privacy and security compliance. it really takes shape with two things, everybody.the first is, what is the ability of the ehr
system to track access? because that's soimportant under the breach notification rules. what's the ability of the ehr system to trackaccess and disclosures? and then, second, what's the responsibility of the vendor ifthey are responsible for a breach? those are important to have negotiated at the outset. representation and warranties are importantand can vary by state. and so typically on slide 22, you see these things mentioned atthe end of a contract, but they are important because you want to make sure that the vendorwarrants or represents that the product that they're selling you works. kind of like wewere just talking about in that example where it didn't work. one of the reasons that wewere able to justify immediate termination
is that that warranty had been violated. next slide on 23, some states have laws thatallow for non-compete and non-solicitation. the only reason it's important to mentionat this stage, everybody, is that many times, depending on the size of your organization,you may have your it folks get to develop really good relationships with the ehr vendorsor vice versa. a lot of times the ehr vendors will put in a non-compete or a non-solicitationsaying, "you, safety net provider, cannot hire away one of our people." so, likewise,if that's in there, you may want to think about, again depending on the size of yourstaff, having a requirement or provision in there that doesn't allow the ehr vendor tohire away one of your folks.
last, but not least, i think on this slide24, we'll talk about compensation. it's really all over the map. compensation for the ehrvendor can vary from a project fee, you know, flat flee like we talked about earlier, toa license per user per seat [sic] fee. i've seen ehr contracts that come from web-basedcompanies that are as low as $100-$125 a month. some even lower than that because they'rebased on per user per seat and they've just figured out a way to keep those costs low.so they're really all over the place. as we mentioned, the one typical thing that yousee on hourly is training and support or repair. and so it's really important to understandnot only what that hourly amount is, but how it adds up.
and then i think our final slide on the contractbasics is arbitration and mediation. again, this is governed by state law, in many cases.arbitration provisions have to be awarded in a specific way and signed off on by bothparties in order to be effective. but it's important to think about, if you have a realdispute develop between your provider and your ehr vendor, whether it makes sense tohave a provision in the contract to say, "we're going to go try and work things out on ourown in a private forum rather than head to court." a lot of times that can save a lotof money and lead to a result that allows the parties to continue to operate together. so with that, i'll conclude here and openup for questions.
suma nair: thank you so much, mr. sanders,for that insightful presentation. we will now begin the question-and-answer session.i want to remind all of our participants to send in your questions using the chat featureon your screen, if you haven't already done so. and also, before we get started, i wantto invite everyone to fill out the exit [sic] poll that should be popping up on your screenmomentarily. hrsa uses feedback to improve and decide on future topics for the webinar,so we sincerely appreciate you taking the time to fill this out. also, the materialsfrom today's webinar will be posted to the hrsa health it website. if you want to requesta copy of the slides more immediately, send an email to health it at hrsa.gov.
and so, there were several questions thatcame through on the chat, and our first question is actually for rich, but i want you to inviteboth holly and laura to feel free to chime in if you haven't anything you want to add.so the first question is, "how much time should an organization plan for vendor selectionand contract negotiation?" richard sanders: so that can vary by market.i know we have over a thousand folks registered for this webinar today, and so i'm makingthe assumption that we've got folks from urban and rural areas and folks from big stateswith major metropolitan areas where a lot of these ehr vendors are located and thenwe've got folks in areas where they may not have a local ehr vendor. i would say basedon your access to ehr vendors and how, you
know, how much kind of time you can spendwith them to go through a due diligence process, that answer can change a lot. so, for example,we find that our clients in georgia, where we have a number of ehr vendors headquartered,our clients in georgia typically have a longer term to review and select vendors. it justtakes longer because there are more companies to take a look at. in alabama and mississippi,the ehr vendors that are local are fewer and more far between, and so the process franklygoes a little shorter because there's just fewer companies to try and go through. i wouldsay that, to put a finer point on it, that i've had company -- i've had providers gothrough the process before in a month or two, which i would describe as pretty fast, andsome take up to a year. the middle is probably
about right but from the time your organizationand sometimes at your board of director, sometimes it's just senior management, from the timethe organization says, "all right, we're going to really going to get committed to movingto electronic health records,' you can plan on six months, to be conservative. suma nair: thank you so much, rich. the nextquestion is for holly. "do you have any recommendation for when a vendor is unwilling to enter intoa business associate agreement or is unwilling to agree to the specific or necessary termsof the agreement?" holly schlenvogt: if they're unwilling toenter into a business associate agreement, i wouldn't use that vendor. hopefully you'renot -- are already not in that position where
you're using them. it is required by law tohave a business associate agreement in place with any kind of vendor or contractor thathas access to and helps you perform a responsibility for your organization. so they if they helpedmaintain the database or help with any kind of fixes of your system that may need accessto it, you definitely need that business associate agreement in place. and it needs to compliantwith of course the hipaa regulations. so my best statement would be is that you just continuethe negotiations or, unfortunately, try and search for another vendor. richard sanders: if i could jump in on that.i agree with you completely, holly. if you've got an ehr vendor who says, "hey, we're nota business associate and we don't need to
sign one of these," i think that company'sprobably missed the boat. more often it's a disagreement over specific terms, and whenwe talked about earlier about indemnification, that's one where negotiations often hit therocks. and so if you're -- if you've got a company that's unwilling to pay to help yourecover from damage that it caused, a lot of times, holly's exactly right, that's thetime to go looking for another one. and the place you would put that is either in theservices agreement or in the business associate agreement. just make sure they match up. suma nair: thank you so much, holly and rich.the next question: "laura, can you talk a little bit about how onc reviews ehr securityas part of their certification process of
the different ehr systems?" laura rosas: i actually have been lookingat that and they have to have the ability to have a lot of these issues [sic] we'vetalked about, access controls, the ability to lock out - all of that needs to be in there.the issue is not so much are the functions there, and i can -- we can put out a linkto the actual atcb certification that's on the onc website. but the issue also is, doesthe vendor set these up and are they changed at some point and how is this accessed interms of an administrator. in some cases you'll see only one person has administrator rights.well that one person is either goes on vacation then nothing -- none of that can be accessed,so you want to make sure you have like two
administrators and/or that you even have therights at all and it's not being held completely by the vendor. and that when the implementationis done and go-live is over and vendor has left, that those controls are actually configured.because there's a big difference between having the functionality available and ensuring thatthe functionality has been configured in a way that is appropriate for your organization. suma nair: thank you so much, laura. now thenext question i want to invite all of our presenters to chime in on if you have anythingyou wanted to add: "how long before -- or how much time before implementation do yourecommend that a contract be set up with a vendor?"
laura rosas: could you repeat that question?i'm sorry. suma nair: sure. how long before implementationshould providers have their contract established and set up with the vendor? laura rosas: my sense is that it's that'snot as important as having the right contract. you know, you want to have a contract thatis really air tight, and i mean obviously rich can obviously speak to this, and haseverything you need it to have. and then you want to have at some point there's a wholeprocess before you actually begin implementation. first piece is usually some sort of trainingand they're getting the lay of the land and then it has to be purchased as a hardware.but rich and holly, do you want to jump into
that? richard sanders: yeah, i would say that there'sno real kind of best practice on how long a contract has to ripen before you go live.we've had folks sign contracts and get started the next day. we've had folks kind of signthe contract and, you know, have everything kind of set up to start at the beginning oftheir next fiscal year, which in that case was about 120 days down the road. i wouldsay generally speaking, the shorter timeframe the better because, you know, in the law wetalked about -- in contract while we talk about a meeting of the minds, a lot of timesit's easy for the minds to kind of come apart if time passes and people in the organizationeither change or have their opinions on the
way things that are supposed to get done change. suma nair: thank you so much. the next question,"holly, can you elaborate a little bit more on the 1402 compliance that the governmentuses?" or can anyone else speak to that, the 1402 compliance standards? holly schlenvogt: i'm wondering if they weretalking about the fips 140-2 compliance? suma nair: and so why don't we come back tothat question. the next question i want to open the floor to all of our presenters, "canyou describe the minimum requirements, especially for small offices with little or no it stafffor -- to be compliant with the meaningful use standards for privacy and security?"
laura rosas: i can -- i think i can addressthat. so the security rule is scalable and your level of risk really is going to varydepending on your organization. and the office of civil rights, which, you know, not to speakfor them, but they are -- they oversee the security rule. and so the way you would doa risk assessment is going to be different for a small practice versus a community healthcenter versus a hospital, right. there's different risks. and there's a -- there are a numberof tools, working with your rec, your accn, many of them have the security risk assessmentsavailable and they can help your practice actually work through those. those are goingto be different, right. there's no expectation that a small practice will do the kind ofsecurity assessment that a large hospital
system is going to do. it is a scalable sortof flexible rule. that being said, and there's a lot of information on the security ruleon the cms website and the ocr website, but -- and as well as on ours i believe, but there'sa number of things that you need to walk through, and we did speak about a lot of those today- there's physical access and (inaudible) based access and encryption. and it's reallyabout looking at your practice as a whole and going through all of those areas and thenwhere you find something that needs to be addressed you're going to need to fix it andthat's really how the risk assessment is expected to be done. suma nair: thank you so much, laura. and justto add to that, there was a question that
came through and, you know, we understandthat both the vendor and the provider each have responsibilities to meet the securityand privacy risk assessment for meaningful use, and so can you all talk a little bitabout the specific role vendors play and then, you know, the specific provider responsibilities?can anyone elaborate on that? holly schlenvogt: this is holly. i can tryand tackle that one. if a vendor is a business associate of your organization, they are nowunder the hitech regulations required to follow the hipaa security rule and have all of thepolicies and procedures in place that your organization has as well. and your businessassociate agreement of course helps extend the language of the law, the letter of thelaw to them even for some of the privacy rule
requirements so that contracts of course comesin place. but they do have the same responsibilities and office for civil rights can take actionsagainst business associates now and it's my understanding that if for some reason youhave mistakenly forgotten to get a business associate agreement, those business associatesunder the letter of the law are still responsible to follow the hipaa security rule. laura rosas: yeah, i think that's true. andrich, i think it's considered, like, almost implied. if you have that relationship it'slike an implied business associate. richard sanders: that's correct. the businessassociate relationship exists even if the business associate agreement doesn't. that'sa good way to think about it.
holly schlenvogt: it's still a requirementto get the business associate agreement, and if you don't, you can be held responsiblefor not having it, but it still extends the law to a business associate. laura rosas: right. so there's vendors outthere who think that they're somehow going to escape that responsibility. by not havingthat executed they're mistaken, basically. holly schlenvogt: right. suma nair: thank you. so there are a coupleof more questions that have just come in through the chat. so at this point i'm just goingto choose randomly and open the floor to all of the presenters. "if terminating the contract,how do you handle data created and maintain
improper -- excuse me, proprietary software?" laura rosas: that's a good question, and itactually brings another issue up that is sort of tangential to that, and that is data migrationanyway. so as a lot of people are moving to ehrs they often, if not always, had a practicemanagement system. and as many people are going to ehrs that have those, you know, all-- they're completed integrated, right. they've got billing, they have the patient managementsystem, you know, the check-in [sic], they've got the whole system. so that patient managementsystem is going to need to be integrated into the ehr, and in that -- in your contract youmay want to address how that happens, whether that's going to be a password protected diskor that's going to be a security ftp server
which i think is the preferred way. similarly,this issue around data should be addressed i believe in the contract because data migrationdefinitely is -- it can be a challenge, depending on what you're trying to do and how much dataand what the original format was. rich, do you want to speak to that issue as well? richard sanders: yeah. i think that's exactlyright. it's certainly a negotiable issue and something that you should handle at the outset.you know, the way we look at it is, the software may be a proprietary product of the company'sbut the phi is always the provider's. certainly the various states have that in some way shapeor form as part of the typically licensure rules in a particular state. so you want to,you know, make sure at the outset that the
ehr vendor understands that when the contractterminates, and if you decide to go use another ehr vendor, that the patient information belongsto you and that they need to assist you in transitioning it over to another. suma nair: okay. thank you. so i know we'reright at 3:30, and if our presenters don't mind, i'd like to just ask maybe a couplemore questions, and we can end at 3:35. the next question, "do all risks need to be completelymitigated before a provider may attest or is a documented reasonable plan for resolvingthe risk within an approximate timeframe sufficient?" does anyone want to take on that question? laura rosas: i believe they have to all be-- they have to be mitigated. that is the
language of meaningful use for that -- forstage 1. suma nair: okay, great. thank you. the nextquestion, holly, came through during your presentation: "how do you handle programmerback doors to the network?" holly schlenvogt: how we handle programmerback doors. suma nair: back doors. does anyone else wantto chime in on that question? or maybe we can... richard sanders: yes, i'll take that one. holly schlenvogt: okay then. richard sanders: the answer to that is, youneed to know where the back doors are and
who has access to them and when and how they'regoing to be terminated. we've had a couple of examples of how that's gone wrong. oneis that the back door was never... what's the right way to say this - that the ehr vendornever notified our client of the back door, and when a disgruntled former employee ofthe practice used the back door to destroy the ehr system of the practice and became,needless to say, an issue with the ehr vendor. the second is, same thing - we had, you know,a client with a back door put in place by the ehr vendor and the ehr vendor had a disgruntledemployee try and damage their systems. and so i think at the outset you've got to say,"if we're going to do this, you need to tell us exactly where it is, how it gets accessed,who can access it and when that access gets
terminated." laura rosas: and this could be an issue notjust for the software but just for the processes of the vendor. so you can have a situation,you know, often people will call -- you know, the vendor will call the practice and say,"i need to log into the system remotely. i need to do an upgrade or this patch [sic]test you put in," and, you know, there's sort of like, "okay. yeah, you go ahead and dothat," and the staff will let the vendor in, well you could see where a disgruntled employeeof the vendor or it could also -- or even just some -- any hacker could use that kindof social engineering to access the system. if you don't have a good process in placeto verify who is calling you, and it's the
same sort of -- it's not just the software,it's also the process of how these things are done because there's definitely a humanelement here. it's not just the software. suma nair: thank you so much, laura and rich.the next question i want to invite all of our presenters to chime in on: "are internalpolicies and procedures legally binding for vendors?" richard sanders: so let me just make surei understand the question. the policies and procedures of the safety net provider (inaudible)? suma nair: that's correct. that's correct. richard sanders: yeah, you can do that underwhat we would describe as a compliance certification.
so a lot of providers, typically hospitalsthat have, you know, hundreds of vendors that they contract with, and most especially, taxexempt organization, because of irs rules, have a certification statement that is partof the contracting process that says, "i, vendor, have read and understand your complianceplan and your conflict of interest policy and agree to abide by it," that kind of broadstuff is probably not going to do too much good here. i think if you have a set of policiesand procedures in the organization that you want the ehr vendor to comply with, then youneed to reference those specifically in the contract. and i would go so far as to attachthem as an exhibit. suma nair: thank you so much, rich. so i believewe're right at 3:35 pm, and we're out of time.
that wraps up today's webinar. i want to thankeach of our presenters for taking the time to participate today as well as all of ourlisteners out there. we look forward to meeting with all of you again at the next webinarnext month. thank you and have a good weekend. thank you. ladies and gentlemen, that concludestoday's conference. thank you for participating. you may now disconnect.
Tidak ada komentar:
Posting Komentar